< > " etc etc all show up AS the entity in the textbox
[eluser]drewbee[/eluser]
Global XSS Filtering = off

This has to do with the prep_form function. My forms look to the tee of the following, using set_value to get the previous value:

Code: <p>

set_value runs the form_prep function. If I enter any entities into a textbox, and the form is reloaded, the form displays the actual entity.

Example: <-; >-; entered into textbox. Error shows, so form reloads. < > is what the textbox now shows.

Why is this? I would expect <-; >-; to show back up again, and that is in fact the behavior that normally occurs with standard html_entities(). Is this a bug or desired effect? IMO user data should never be modified like this, and that is in fact the reason I have the global xss filtering off. Thoughts?

(ah, this forum does it too...)

Edit: That garbled mess above is the AND_LESS_THEN_SEMI_COLON and the AND_GREATER_THEN_SEMI_COLON entities...
[eluser]yalambers[/eluser]
I am having a problem. I would like to know how to filter the characters < and >, because if anyone inputs <div> in the input, it would break the layout of my site.
[eluser]drewbee[/eluser]
I actually extended the helper function form_prep (form_helper.php) with the following and commented out a few lines:

Code: function form_prep($str = '')

That crap that is in the normal form is way overzealous... and does not mimic standard behavior. I ran this updated function against http://ha.ckers.org/xssAttacks.xml and it caught every instance.
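An added illustration (not CodeIgniter's code and not the poster's patched form_prep) of the behaviour both posts describe: a prep routine that refuses to double-encode existing entities turns a user's literal `&lt;` into `<` when the field is repopulated, while escaping every special character round-trips the input and also renders `<div>` as harmless text rather than markup. The function names and sample inputs below are constructed for this example.

```php
<?php
// Escape for an HTML attribute value but leave existing entities untouched.
// This reproduces the "entity shows up as the real character" effect from the thread.
function prep_no_double_encode(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8', false); // double_encode = false
}

// Escape every special character, including the '&' that starts an existing entity.
// This matches what plain htmlspecialchars()/htmlentities() do by default.
function prep_always_encode(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8', true);  // double_encode = true
}

// Approximates what the browser displays inside <input value="..."> after it
// decodes the attribute exactly once.
function browser_shows(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs: literal entities, a tag, and quotes.
$typedValues = ['&lt; &gt;', '<div>', 'a "quoted" \'value\''];

foreach ($typedValues as $typed) {
    $lenient = prep_no_double_encode($typed);
    $strict  = prep_always_encode($typed);

    printf("typed:           %s\n", $typed);
    printf("  no-double-enc: value=\"%s\" -> field shows: %s\n", $lenient, browser_shows($lenient));
    printf("  always-encode: value=\"%s\" -> field shows: %s\n", $strict, browser_shows($strict));
    echo "\n";
}
// For '&lt; &gt;' the lenient version emits value="&lt; &gt;", so the field shows "< >";
// the strict version emits value="&amp;lt; &amp;gt;", so the field shows "&lt; &gt;" as typed.
// For '<div>' both emit value="&lt;div&gt;": the text survives but no element is created.
```

The same strict escaping applied where the value is echoed into page text is what keeps a submitted `<div>` from breaking the layout; escaping on output, rather than stripping characters on input, preserves the user's data unchanged.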