What will be the problem if allowing all characters in permitted_uri_chars
[eluser]jayapalchandran[/eluser]
Code:
$config['permitted_uri_chars'] = '+=\a-z 0-9~%.:_-';

What will happen if I am allowing +=/ or some more chars? I would like to send and receive the base64 of an email address as a unique identification, and when I do base64 I can see = appearing mostly as the last character, so I want to use = in the URI, and it is working well. What will be the security risk?
[eluser]WanWizard[/eluser]
The reason they are 'illegal' is that they can be used to craft an attack via the URI. See http://ellislab.com/forums/viewthread/109429/ for a solution that doesn't require altering this regex.
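
One way to keep a base64 identifier inside the stock character set instead of adding `+=/` to `permitted_uri_chars`, as an added example that is not code from this thread or from the linked post. It uses the base64url alphabet; the function names, the sample addresses and the simplified allow-list regex are assumptions.

```php
<?php
// Added example; function names and sample values are constructed for illustration.
// Assumption: the stock permitted_uri_chars value 'a-z 0-9~%.:_\-',
// written here as a plain case-insensitive character class.
const STOCK_URI_CHARS = '/^[a-z 0-9~%.:_\-]+$/i';

// base64url (RFC 4648, section 5): '+' becomes '-', '/' becomes '_', '=' padding is dropped.
function uri_token_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Returns the decoded bytes, or null when the segment is not canonical base64url.
function uri_token_decode(string $segment): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $segment)) {
        return null;
    }
    $b64 = strtr($segment, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $raw = base64_decode($b64, true);
    // Round-trip check rejects impossible lengths and alternate spellings of one value.
    if ($raw === false || uri_token_encode($raw) !== $segment) {
        return null;
    }
    return $raw;
}

// The segment is client-controlled: decode it, then validate it as an email address.
function email_from_segment(string $segment): ?string
{
    $raw = uri_token_decode($segment);
    if ($raw === null) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Compare standard base64 and base64url against the stock allow-list.
foreach (['user@example.com', 'a+b@example.org'] as $email) {
    $plain = base64_encode($email);
    $token = uri_token_encode($email);
    printf("%s\n  base64    %s  fits stock set: %s\n  base64url %s  fits stock set: %s\n  decoded   %s\n",
        $email, $plain, preg_match(STOCK_URI_CHARS, $plain) ? 'yes' : 'no',
        $token, preg_match(STOCK_URI_CHARS, $token) ? 'yes' : 'no',
        var_export(email_from_segment($token), true));
}
```

Base64 in either alphabet is an encoding, so anyone who sees the URI can recover the address.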