Form Validation and allowing iframe or objects
#1

[eluser]thors1982[/eluser]
I am writing a CMS for a client, and they want to be able to use iframes and objects (for embedded YouTube videos) in the body of the copy.

But the validation function keeps converting the less-than and greater-than symbols into entities. Does anyone know how to allow just iframes and objects to pass through, without disabling form validation's security completely?

Or any suggestions?
#2

[eluser]bretticus[/eluser]
[quote author="thors1982" date="1251244084"]I am writing a CMS for a client, and they want to be able to use iframes and objects (for embedded YouTube videos) in the body of the copy.

But the validation function keeps converting the less-than and greater-than symbols into entities. Does anyone know how to allow just iframes and objects to pass through, without disabling form validation's security completely?

Or any suggestions?[/quote]

$this->form_validation->run() ? I don't believe that does anything other than just check your rules. Are you referring to textarea values posting back when the $this->form_validation->run() is false? I believe you have to use the set_value() function from the Form helper to post these values back.

I'm doing a lot of guessing here, but one thing I'm certain about is that there is a very good reason that these types of things are being converted to entities somewhere, and that is cross-site scripting or script injection vulnerabilities. Since it would seem that your client is adding these from an authenticated user account, if you can be more specific, I'm sure someone can explain how to get around this.
#3

[eluser]pistolPete[/eluser]
Try disabling the global XSS filtering:
Code:
$config['global_xss_filtering'] = FALSE;
#4

[eluser]davidbehler[/eluser]
I think you ran into the same problems as I did when using a WYSIWYG editor:
http://ellislab.com/forums/viewthread/110757/
#5

[eluser]thors1982[/eluser]
[quote author="pistolPete" date="1251291200"]Try disabling the global XSS filtering:
Code:
$config['global_xss_filtering'] = FALSE;
[/quote]

If I change this in the config it works :-)

Thank you PistolPete

Now I'm going to get picky :-p Is there any way to disable this for only one input? I like having it on, but I need this one input to accept objects and iframes.

I am trying to use:
Code:
$val->set_rules('heading', 'Heading', 'trim|xss_clean');
as much as I can; however, the global setting makes me feel safer, and it is a backup in case another developer misses it. :-p

Any ideas on how to disable this for only one input?
#6

[eluser]bretticus[/eluser]
[quote author="thors1982" date="1251310506"]
Any ideas on how to disable this for only one input?[/quote]

Yeah, dump xss_clean from your rules for the ones you do not want XSS filtering on. Either don't filter them, or make a callback function that you can call in your rules that checks for possible foul play but accepts iframes and objects.
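One way to implement the callback bretticus describes, as an added example that is not from the thread or from CodeIgniter itself: an iframe or object block is held back from filtering only if every URL in it points at an allow-listed host (YouTube here, an assumption), and everything else in the field still goes through xss_clean. It assumes CodeIgniter 1.7 (the callback_ rule prefix, $this->input->xss_clean() and the Controller base class) and that $config['global_xss_filtering'] is FALSE, because the global filter runs on the input before any rule sees it.

```php
<?php
// Added example, not from the thread or CodeIgniter. Assumes CI 1.7 and
// $config['global_xss_filtering'] = FALSE. Wire it up with:
//   $this->form_validation->set_rules('body', 'Body', 'trim|callback_body_clean');
// A callback that returns a string replaces the field value (read it via set_value()).
class Pages extends Controller
{
    // An embed passes unfiltered only if every URL in it points at one of these hosts.
    private $embed_hosts = array('www.youtube.com', 'youtube.com');

    // Rule callback: keep trusted <iframe>/<object> blocks, xss_clean everything else.
    function body_clean($body)
    {
        $kept = array();
        preg_match_all('#<(iframe|object)\b[^>]*>.*?</\1\s*>#is', $body, $m);
        foreach ($m[0] as $embed) {
            if ($this->embed_is_trusted($embed)) {
                $token = '[[EMBED_' . count($kept) . ']]';
                $kept[$token] = $embed;
                $body = str_replace($embed, $token, $body);
            }
        }
        // Untrusted embeds are still in $body and get filtered like any other markup.
        return strtr($this->input->xss_clean($body), $kept);
    }

    function embed_is_trusted($embed)
    {
        // Event handlers, script URLs or a nested <script> disqualify the whole block.
        if (preg_match('/\bon\w+\s*=|javascript:|vbscript:|<script\b/i', $embed)) {
            return FALSE;
        }
        // Every attribute that can carry a URL must point at an allowed host.
        preg_match_all('/\b(?:src|data|value|href)\s*=\s*["\']([^"\']*)["\']/i', $embed, $urls);
        $found = FALSE;
        foreach ($urls[1] as $url) {
            if (strpos($url, ':') === FALSE && strpos($url, '/') !== 0) {
                continue; // plain values such as value="true"
            }
            $host = parse_url(preg_replace('#^//#', 'http://', $url), PHP_URL_HOST);
            if ($host === NULL || !in_array(strtolower($host), $this->embed_hosts)) {
                return FALSE; // data:, relative or foreign-host URL
            }
            $found = TRUE;
        }
        return $found; // no recognisable source at all: not trusted
    }
}
```

Because the allow-list is checked on the parsed host rather than on a substring, URLs such as http://www.youtube.com@other.example/ or data: URLs are rejected; the other fields keep the plain xss_clean rule as before.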
