Why does XSS filtering absolutely not work?
[eluser]sikko[/eluser]
Hi all, I want to insert some form POST data into my database. I've set global XSS filtering to TRUE:
Code: $config['global_xss_filtering'] = TRUE;
Even if I try
Code: $playlist['name'] = $this->input->post('name', true);
When I put
Code: <i>Blah blah</i>
Do you have any idea why it doesn't work? Thank you in advance.
[eluser]Pschilly[/eluser]
If I'm not mistaken, XSS filtering does not filter out tags like that...
[eluser]sikko[/eluser]
Hmm... According to the doc: Quote: If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file and setting this: So in this case, the variable encountered is a POST variable... so it should be XSS filtered? Am I wrong?
[eluser]Pschilly[/eluser]
Yes, but read: http://en.wikipedia.org/wiki/Cross-site_scripting
[eluser]sikko[/eluser]
Source: http://en.wikipedia.org/wiki/Cross-site_scripting Quote: Another way is to escape all untrusted data [...] including HTML numeric entity encoding, JavaScript escaping, CSS escaping, and URL (or percent) encoding. ...???
[eluser]Pschilly[/eluser]
Like I said... I'm not 100% sure, but I do not believe it stops standard HTML tags... as pretty well everyone uses the XSS cleaning in apps like CMSs, which in most cases post HTML tags to the DB. Similar to what you're doing, I would assume.
[eluser]sikko[/eluser]
You were right... I tried with a <script> tag and it was replaced by "REMOVED". So indeed, it does not filter simple tags like <b> or <i>. Thank you for your help.
[eluser]sikko[/eluser]
By the way, does somebody know how I can make the XSS filter "more aggressive", so that all the characters are escaped? Thanks
[eluser]Dennis Rasmussen[/eluser]
Define "all the characters", please. Then we might talk about it.
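The thread's observation (a tag-removing filter strips <script> but passes <i>) and the follow-up question about escaping "all the characters" point at the same distinction: a blacklist filter applied to input decides which markup to remove, while escaping applied at output time converts every HTML-significant character to an entity so nothing the user typed is ever interpreted as markup. The example below is added here and is not code from the thread or from CodeIgniter; `naive_script_filter` is a constructed stand-in for a blacklist filter and is not CodeIgniter's `xss_clean`, and the sample inputs are made up for illustration. It runs with plain PHP, no framework needed.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// Contrasts a tag-removing input filter (a constructed stand-in, NOT
// CodeIgniter's xss_clean) with escaping every HTML-significant character
// at output time, which is what "all the characters escaped" amounts to.

declare(strict_types=1);

// Constructed stand-in for a blacklist filter: strips <script> blocks only.
// Like any blacklist it leaves everything it does not recognise, so inline
// markup such as <i>Blah blah</i> passes through unchanged.
function naive_script_filter(string $s): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '[REMOVED]', $s) ?? $s;
}

// Escape for an HTML text node or a double-quoted attribute value.
// Each of < > & " ' becomes an entity, so the browser never sees stored
// user data as markup, regardless of which tags it contained.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for a URL query parameter: a different output context needs a
// different encoder, which is why one "aggressive" input filter cannot
// cover every place the value is later rendered.
function escape_url_param(string $s): string
{
    return rawurlencode($s);
}

// Constructed sample inputs, as a user might submit them in the playlist form.
$samples = [
    '<i>Blah blah</i>',
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    'Rock & "Roll"',
];

foreach ($samples as $name) {
    printf("input:    %s\n", $name);
    printf("filtered: %s\n", naive_script_filter($name));
    printf("escaped:  %s\n\n", escape_html($name));
}

// Usage in a view: store the raw value in the database and escape when rendering,
// choosing the encoder that matches the context the value lands in.
$stored = $samples[0];
echo '<li class="playlist">' . escape_html($stored) . "</li>\n";
echo '<a href="/playlist?name=' . escape_url_param($stored) . '">link</a>' . "\n";
```

Running the script shows the first sample passing the filter untouched but rendering as `&lt;i&gt;Blah blah&lt;/i&gt;` once escaped, and the `<img ... onerror>` sample slipping past the script-only filter entirely while escaping neutralises it the same way as every other input. The practical consequence for the original question is that storing the raw POST value and escaping at output is the way to get every character escaped; an input filter only decides which markup to drop, and the set of tags a filter leaves alone is not something its configuration promises.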