Form Validation and XSS filter... not working on onclick...
#1

[eluser]ururk[/eluser]
I must be doing something wrong (CI - 1.7.2). This JS is getting through:
Code:
" onclick="alert('hi')" "
and I don't think it should. My input box contains nothing, but an alert pops up when clicking inside (Safari 4.04). I found this while trying to switch the search over to GET, and thought it was related to switching to GET. However, the same behavior exists when using POST.

Code:
javascript (plus a colon)

is removed.


Setup:

Search form (this is part of a view):
Code:
<label for="all_words">All these words</label>
<input type="text" name="all_words" id="all_words" value="<?php echo $all_words; ?>" />
<?php echo form_error('all_words'); ?>


Validation rule:
Code:
function _validate_advanced() {
    $this->form_validation->set_rules('all_words', 'Keyword', 'xss_clean|trim');
}

Controller:

Code:
$this->_validate_advanced();
$validate_fields = $this->form_validation->run();

$form_data = array(
    'all_words' => html_entity_decode(set_value('all_words'), ENT_QUOTES, "UTF-8")
);

if ($validate_fields == FALSE) // validation hasn't been passed
{
    if (validation_errors()) {
        $data['title'] .= " - Error";
        $data['content'] = heading($data['title'], 1);
        $data['content'] .= "<p class='error'>" . $this->lang->line('message_search_input_error') . "</p>";
    } else {
        $data['content'] = heading($data['title'], 1);
    }

    $data['content'] .= $this->load->view('search/advanced', $form_data, true);
}
else // passed validation, proceed to post-success logic
{
    $data['content'] = heading('Advanced Search Results', 1);

    if ($results = $this->search_model->do_advanced_search($form_data)) {
        $data['content'] .= generate_results_table($results) . "<p>&nbsp;</p>";
    } else {
        $data['content'] .= "<p>" . $this->lang->line('message_no_search_results') . "</p>";
    }

    $data['content'] .= $this->load->view('search/advanced', $form_data, true);
}

Any ideas?
#2

[eluser]ururk[/eluser]
Also, I need to explain the:

Code:
'all_words' => html_entity_decode(set_value('all_words'), ENT_QUOTES, "UTF-8"),

line. The database stores unencoded characters, so I need to search using decoded entities. Should I be encoding them in the database?
#3

[eluser]ururk[/eluser]
I basically am solving this by encoding the values before echoing them in the form fields. However, should an onclick or alert get through the XSS filter?
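The behaviour described in this thread, as an added stand-alone example (not the poster's code and not part of CodeIgniter): the payload from post #1 is rendered into the `value` attribute raw, the way the original view does it, and then with contextual output escaping, the approach post #3 settles on. It assumes plain PHP with no framework helpers; `render_unescaped` and `render_escaped` are hypothetical names.

```php
<?php
// Added example: an input-side filter looking for "javascript:" or <script>
// has nothing to strip in this payload, because the attack is the two
// double quotes that close value="..." and open an onclick attribute.
$all_words = '" onclick="alert(\'hi\')" "';   // constructed, from post #1

// What the thread's view does: the value is concatenated into the attribute
// unescaped, so the browser ends up with an extra onclick attribute.
function render_unescaped(string $value): string
{
    return '<input type="text" name="all_words" id="all_words" value="'
        . $value . '" />';
}

// Output escaping for the HTML-attribute context: ", ', <, > and & become
// entities, so the browser sees a single attribute whose value is the
// literal search string. html_entity_decode() for the database lookup
// (post #2) can still run separately on the raw value; it must not be the
// last step before echoing.
function render_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="all_words" id="all_words" value="'
        . $safe . '" />';
}

// Self-check: a correctly escaped rendering contains exactly as many raw
// double quotes as rendering an empty value, i.e. the payload added no
// attribute boundary. The unescaped rendering contains more.
$baseline = substr_count(render_escaped(''), '"');
if (substr_count(render_escaped($all_words), '"') !== $baseline) {
    throw new RuntimeException('output escaping did not neutralise the payload');
}
if (substr_count(render_unescaped($all_words), '"') <= $baseline) {
    throw new RuntimeException('expected the raw rendering to inject attributes');
}

echo render_unescaped($all_words), PHP_EOL;
echo render_escaped($all_words), PHP_EOL;
```

Run it with `php example.php`; the first line shows the injected `onclick`, the second shows the same input held entirely inside the attribute value.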