< > " etc etc all show up AS the entity in the textbox
#1

[eluser]drewbee[/eluser]
Global XSS Filtering = off

This has to do with the prep_form function.

My forms look to the tee of the following, using set value to get the previous value:

Code:
<p>
        <label class="label" for="username">Email:*</label>
        <input type="text" name="email" id="email" class="field" maxlength="50" value="<? echo set_value('email', ''); ?>" />
        <? echo form_error('email'); ?>
    </p>

set_value runs the form_prep function.

If I enter any entities into a textbox, and the form is reloaded, the form displays the actual entity.

Example:

&lt; &gt; entered into textbox
Error shows so form reloads
< > is what the textbox now shows. Why is this? I would expect &lt; &gt; to show back up again, which is in fact the behaviour that normally occurs with standard htmlentities().

Is this a bug or desired effect? IMO user data should never be modified like this and is in fact the reason I have the global xss filtering off.

Thoughts? (ah, this forum does it too...)

Edit: That garbled mess above is the AND_LESS_THEN_SEMI_COLON and the AND_GREATER_THEN_SEMI_COLON entities...
#2

[eluser]yalambers[/eluser]
I am having a problem. I would like to know how to filter these characters, < and >, because if anyone inputs <div> in the input, it would break the layout of my site.
#3

[eluser]drewbee[/eluser]
I actually extended the helper function form_prep (form_helper.php) with the following and commented out a few lines:

Code:
function form_prep($str = '')
{
    // if the field name is an array we do this recursively
    if (is_array($str))
    {
        foreach ($str as $key => $val)
        {
            $str[$key] = form_prep($val);
        }

        return $str;
    }

    if ($str === '')
    {
        return '';
    }

    //$temp = '__TEMP_AMPERSANDS__';

    // Replace entities to temporary markers so that
    // htmlspecialchars won't mess them up
    //$str = preg_replace("/&#(\d+);/", "$temp\\1;", $str);
    //$str = preg_replace("/&(\w+);/",  "$temp\\1;", $str);

    $str = htmlspecialchars($str);

    // In case htmlspecialchars misses these (it leaves single quotes alone
    // unless ENT_QUOTES is passed).
    $str = str_replace(array("'", '"'), array("&#39;", "&quot;"), $str);

    // Decode the temp markers back to entities
    //$str = preg_replace("/$temp(\d+);/","&#\\1;",$str);
    //$str = preg_replace("/$temp(\w+);/","&\\1;",$str);

    return $str;
}

That crap that is in the normal form is way over zealous... and does not mimic standard behavior.

I ran this updated function against http://ha.ckers.org/xssAttacks.xml and it caught every instance.
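The behaviour reported in the first post and the change made in the post above can be seen side by side. The following is an added example, not code from the thread or from CodeIgniter: `form_prep_preserving()` is reconstructed from the lines the post above commented out (the exact original is an assumption), `form_prep_strict()` is the stripped-down version from the post, `textbox_shows()` and `compare()` are helpers invented for the example, and the inputs are constructed. `ENT_COMPAT` is passed explicitly so the output does not depend on the PHP version's default flags.

```php
<?php
// Added example (not code from the post above or from CodeIgniter). It puts an
// entity-preserving form_prep, reconstructed from the lines the post commented
// out (an assumption about the exact original), beside the strict version from
// the post, and runs both over constructed inputs.

// ENT_COMPAT escapes < > & and " and leaves ' to the str_replace() that follows,
// matching the PHP 5 default this code originally ran under.
function form_prep_preserving(string $str): string
{
    if ($str === '') {
        return '';
    }
    $temp = '__TEMP_AMPERSANDS__';
    // Hide existing entities behind a marker so htmlspecialchars() skips them...
    $str = preg_replace('/&#(\d+);/', $temp . '\1;', $str);
    $str = preg_replace('/&(\w+);/',  $temp . '\1;', $str);
    $str = htmlspecialchars($str, ENT_COMPAT, 'UTF-8');
    $str = str_replace(array("'", '"'), array('&#39;', '&quot;'), $str);
    // ...then put them back exactly as the user typed them.
    $str = preg_replace('/' . $temp . '(\d+);/', '&#\1;', $str);
    $str = preg_replace('/' . $temp . '(\w+);/', '&\1;', $str);
    return $str;
}

// The version from the post above: escape everything, every time.
function form_prep_strict(string $str): string
{
    if ($str === '') {
        return '';
    }
    $str = htmlspecialchars($str, ENT_COMPAT, 'UTF-8');
    return str_replace(array("'", '"'), array('&#39;', '&quot;'), $str);
}

// What the browser puts in the textbox for value="...": the attribute value is
// entity-decoded exactly once.
function textbox_shows(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
}

// Run both versions once and twice over each input; the second pass shows
// which version is safe to apply to data that has already been prepped.
function compare(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $label => $in) {
        $p = form_prep_preserving($in);
        $s = form_prep_strict($in);
        $rows[$label] = [
            'input'            => $in,
            'preserving'       => $p,
            'preserving_shows' => textbox_shows($p),
            'preserving_twice' => form_prep_preserving($p),
            'strict'           => $s,
            'strict_shows'     => textbox_shows($s),
            'strict_twice'     => form_prep_strict($s),
        ];
    }
    return $rows;
}

// Constructed inputs: the entity round-trip from the first post, an attribute
// break-out attempt, a bare single quote and a bare ampersand.
$inputs = [
    'entity'    => '&lt;',
    'breakout'  => '"><script>alert(1)</script>',
    'quote'     => "O'Reilly",
    'ampersand' => 'AT&T',
];

foreach (compare($inputs) as $label => $r) {
    echo "== $label: input {$r['input']}\n";
    foreach (['preserving', 'strict'] as $v) {
        printf("  %-10s -> %-45s textbox shows: %-30s re-prepped: %s\n",
            $v, $r[$v], $r[$v . '_shows'], $r[$v . '_twice']);
    }
}
```

On these rows both versions turn `<`, `>` and `"` into entities, so neither lets the `breakout` input escape a double-quoted `value` attribute. The difference is in the `entity` and `ampersand` rows: the preserving version hands `&lt;` back unchanged, so the textbox shows `<` (the behaviour described in the first post), and it is idempotent, which is what the marker dance was for. The strict version returns `&amp;lt;`, so the textbox shows `&lt;` as typed, the same as `htmlentities()` would, but applying it a second time produces `&amp;amp;lt;`. Using the strict version therefore means escaping exactly once, at output, and never storing or re-prepping already-escaped data.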