xss_clean/rawurldecode issue
[eluser]jmadsen[/eluser]
Thought I would post a recent finding, as it is rather obscure so this might save someone some time.

If you are using xss_clean on input, know that it uses rawurldecode(). Know also (as I now do :-) ) that there is a PHP bug in rawurldecode(), so it has trouble with encodings for some Latin-based characters (and perhaps it's more widespread) and will cut off your string.

For example (pseudo-code; don't use this at home)

Code:
<?php
// The forum would decode "%ca" if it were written literally, so the post shows
// it as "%-c-a"; the hyphens are not part of the real input, which is "%ca".
$str = "this is %ca my string";
echo $str = xss_clean($str);

Will output "this is " because "%-c-a" is the encoded version of Ê, and rawurldecode() chokes on it.

---

There is a patch for this suggested by a user here:
http://php.net/manual/en/function.rawurldecode.php

Perhaps CodeIgniter should look at the possibility of a similar patch for Input.php? We are deciding the best way to patch ourselves, so if we come up with something useful, I'll post.


Hope that helps someone
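An added example (not from the post above and not CodeIgniter's code) that shows in plain PHP what rawurldecode() returns for "%ca", why a UTF-8-aware regex filter stage then loses the whole string, and a pre-check that can run before any cleaning. The decode_to_utf8() helper and its ISO-8859-1 assumption are mine, not part of xss_clean.

```php
<?php
// Constructed input: "%ca" is the percent-encoding of the single byte 0xCA,
// which is Ê in ISO-8859-1 but is not a complete UTF-8 sequence.
$raw = "this is %ca my string";

// Step 1: rawurldecode() itself keeps the byte; nothing is cut here.
$decoded = rawurldecode($raw);
var_dump(strlen($decoded));                      // int(19)
var_dump(mb_check_encoding($decoded, 'UTF-8'));  // bool(false)

// Step 2: any filter written with the /u modifier (UTF-8 mode) fails on a
// subject that is not valid UTF-8 and returns NULL instead of a string.
// Echoing that NULL is what looks like a truncated result downstream.
$filtered = preg_replace('/[\x00-\x08]/u', '', $decoded);
var_dump($filtered);                             // NULL
var_dump(preg_last_error() === PREG_BAD_UTF8_ERROR); // bool(true)

// Defensive approach: settle the encoding before regex-based cleaning.
// Assumption (mine): non-UTF-8 input from this source is ISO-8859-1.
// If that is not known for your application, reject the input instead.
function decode_to_utf8($input)
{
    $decoded = rawurldecode($input);
    if (mb_check_encoding($decoded, 'UTF-8')) {
        return $decoded;
    }
    return mb_convert_encoding($decoded, 'UTF-8', 'ISO-8859-1');
}

$safe = decode_to_utf8($raw);
var_dump(mb_check_encoding($safe, 'UTF-8'));               // bool(true)
var_dump(preg_replace('/[\x00-\x08]/u', '', $safe));        // "this is Ê my string"
```

Run it with `php example.php`; the second preg_replace() call succeeds because the string passed to the filter is valid UTF-8 by the time it gets there.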
