• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Amperstand gets encoded on POST (SOLVED)

#1
[eluser]Dan Bowling[/eluser]
I've got a login page where users with an amperstand in their password encounter a bug where their password gets a semicolon added to it.

For example:
"test" works fine
"test&" works fine
"test&test;" produces "test&test;"

Any ideas on this? I don't see this as a described behavior in the input or form validation classes.

Here is my offending code. The semicolon is even displayed in the print_r() echo.

Code:
function index()
    {
    echo '<pre>'.print_r($_POST).'<pre>';
        //Set the error delemitors to make things pretty
        $this->form_validation->set_error_delimiters('<p><span class="error">', '</span></p>');
        //Set up the form validation rules, and associated error messages
        $this->form_validation->set_rules('username', 'username', 'required|callback_username_check');
        $this->form_validation->set_rules('password', 'password', 'required');
        //Run the validation
        if ($this->form_validation->run() == FALSE)
        {
            $data['app_name'] = $this->config->item('app_name');
            $this->load->view('authenticate/login_form', $data);
        }
        else
        {
            
            $username = $this->input->post('username', FALSE);
            $password = $this->input->post('password', FALSE);

I even encounter the problem with this stripped down version:
Code:
function index()
    {
        print_r($_POST);
        $data['app_name'] = $this->config->item('app_name');
        $this->load->view('authenticate/login_form', $data);
    }

Firebug says that the post data being sent is good, and doesn't have the semicolon, and the problem is repeatable in IE8.


EDIT:

I eventually solved this myself before anyone responded. The issues is the XSS filter that is applied. So I disabled it on the controller that is affected and set up the other inputs to XSS_Clean manually.


Code:
$config['global_xss'] = ( ! in_array($_SERVER['REQUEST_URI'], array('authenticate'))) ? true : false;


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.