[eluser]Madalina.C[/eluser]
---------------------------------------------------------------------------------------------
PLEASE EXCUSE THE IMPROPER HTML ENTITY NOTATION.
I assume this forum uses the same engine, which has the same issue (I can inject HTML entities into this page).
I did some searching around and couldn't find the exact topic I'm discussing here.
Hello
I found a bit of redundancy regarding the Input class and properly (and safely) displaying user input in views using HTML entities.
Essentially, to properly sanitize input from the user (let's say we're talking about GET requests), we use the Input class.
Data such as <html or <html> or <body> (etc.) is transformed to HTML entities almost immediately. I am left with
which, to the browser, looks the same as
Now, this doesn't prevent ALL HTML injections.
Tags such as <b>, <i>, etc. are not being sanitized, since I assume they don't pose a threat. But they still need to be escaped.
So now I'm applying HTML entities to what is already HTML-entitied (which is only a few elements).
Therefore a user's input of
<html>
gets turned into
which furthermore gets HTML-entitied (by me) and becomes
Code:
& amp;& lt;html& amp;& lt;
So here are the solutions I thought of; maybe you can provide some input:
1. Add all tags to the list that gets escaped. Not very smart, since there may be tags that I miss. Plus, then I'm modifying the core CI library, which is unwise.
2. Extend the class. But then I would still have to spend a huge amount of time tracking what does and doesn't get escaped by the Input class.
3. Not use the class. But the class does more than just HTML entities, so I would rather keep it.
Thanks for any input.
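The double-encoding described in the post, reproduced as an added example that is not part of the original post and not CodeIgniter's own code. The function demo_xss_clean below is a stand-in for the Input class behaviour the post describes (a fixed list of tag names is entity-encoded, other tags such as <b> are left alone); its tag list and regex are assumptions made for this demo. The point it shows is that the fix is not to track what the Input class escapes but to escape exactly once at the output boundary: PHP's htmlspecialchars with its double_encode argument set to false leaves already well-formed entities alone while still encoding every raw <, >, quote and stray &.

```php
<?php
// Added example, not from the original post or from the CodeIgniter Input class.
// Stand-in for the input filter described in the post: only a short list of
// "dangerous" tag names is entity-encoded; <b>, <i> etc. pass through untouched.
// The list and the pattern are assumptions for this demo, not the library's code.
function demo_xss_clean(string $str): string
{
    $naughty = 'html|body|script|iframe';
    return preg_replace_callback(
        '#<(/?)(' . $naughty . ')([^>]*)>#i',
        function (array $m): string {
            return '&lt;' . $m[1] . $m[2] . $m[3] . '&gt;';
        },
        $str
    );
}

// Naive view escaping: every '&' is encoded again, so an existing "&lt;"
// becomes "&amp;lt;" and the browser shows the literal text "&lt;html&gt;".
function escape_naive(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Escape once at the output boundary. With double_encode = false, PHP keeps
// well-formed entities (e.g. "&lt;", "&amp;") as they are but still encodes
// raw "<", ">", quotes and a bare "&", so <b> and <i> are neutralised as well.
function escape_once(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8', false);
}

// Defender-side check for a view: after escaping, no raw tag may remain.
function contains_raw_tag(string $html): bool
{
    return preg_match('#<[a-z/!]#i', $html) === 1;
}

// Constructed sample input, as a user might submit it via a GET parameter.
$input = '<html><b>bold</b> Tom & Jerry';

$cleaned = demo_xss_clean($input);
echo 'after input filter: ', $cleaned, PHP_EOL;
echo 'naive view escape : ', escape_naive($cleaned), PHP_EOL;
echo 'escape once       : ', escape_once($cleaned), PHP_EOL;

foreach (['naive' => escape_naive($cleaned), 'once' => escape_once($cleaned)] as $name => $out) {
    echo $name, ' output still contains a raw tag: ', contains_raw_tag($out) ? 'yes' : 'no', PHP_EOL;
}
```

Run with php on the command line. The naive path produces the doubled "&amp;lt;" prefix the post complains about, while escape_once emits "&lt;html&gt;" for the part the filter already encoded and "&lt;b&gt;" for the <b> tag the filter ignored, so the rendered page shows the user's text verbatim with no live markup. Both paths pass the contains_raw_tag check; the difference is only in what the reader sees. The caveat is that double_encode = false trusts any syntactically valid entity already in the string, which is safe (an entity is text, not a tag) but means input that literally contained "&lt;" is displayed as "<" rather than as "&lt;".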