xss_clean/rawurldecode issue
[eluser]jmadsen[/eluser]
Thought I would post a recent finding, as it is rather obscure, so this might save someone some time. If you are using xss_clean on input, know that it uses rawurldecode(). Know also (as I now do :-) ) that there is a php bug in rawurldecode(), so that it has trouble with encodings for some Latin-based character sets (and perhaps it's more widespread) and will cut off your string.

For example (pseudo-code; don't use this at home)

Code:
$str = "this is %-c-a my string"; (without the hyphens, altogether)

will output "this is " because "%-c-a" is the encoded version of Ê, and rawurldecode() chokes on it.

---

There is a patch for this suggested by a user here: http://php.net/manual/en/function.rawurldecode.php

Perhaps CodeIgniter should look at the possibility of a similar patch for Input.php? We are deciding the best way to patch ourselves, so if we come up with something useful, I'll post.

Hope that helps someone
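An added example (not code from the post above, nor from CodeIgniter's Input.php) showing what rawurldecode() actually returns for the input described and the check a filter can make before handing the bytes on. The helper name decodeAndCheck is hypothetical, the inputs are constructed, and the mbstring extension is assumed to be available. The decoded string keeps its full length, but "%ca" becomes a single 0xCA byte, which is Ê only in ISO-8859-1 and is not a valid UTF-8 sequence; a UTF-8-only consumer such as json_encode() then refuses the whole value, which is one concrete way the string can appear to "disappear" further down the pipeline.

```php
<?php
// Added example, not code from the original post or from CodeIgniter.
// It shows what rawurldecode() returns for the input described above and
// adds the check a filter should make before handing the bytes on.

/**
 * Decode a percent-encoded value and report whether the result is valid UTF-8.
 * Hypothetical helper; $expectedLegacy is the charset we assume a non-UTF-8
 * client meant (ISO-8859-1, where byte 0xCA is "Ê").
 */
function decodeAndCheck(string $raw, string $expectedLegacy = 'ISO-8859-1'): array
{
    $decoded = rawurldecode($raw);
    $valid   = mb_check_encoding($decoded, 'UTF-8');

    return [
        'length'     => strlen($decoded),   // the full length survives decoding
        'hex'        => bin2hex($decoded),  // shows the lone 0xCA byte for the Latin-1 case
        'valid_utf8' => $valid,
        // json_encode() refuses invalid UTF-8 (returns false), one concrete way
        // a lone 0xCA byte makes a later step drop the whole value.
        'json_ok'    => json_encode($decoded) !== false,
        // Defensive choice: transcode from the charset we expect instead of
        // passing undefined bytes through (rejecting the input is the other option).
        'normalized' => $valid ? $decoded : mb_convert_encoding($decoded, 'UTF-8', $expectedLegacy),
    ];
}

// Constructed inputs: the post's example (Ê as one Latin-1 byte, %CA)
// and the same character percent-encoded as UTF-8 (%C3%8A).
$samples = [
    'latin1' => 'this is %ca my string',
    'utf8'   => 'this is %C3%8A my string',
];

foreach ($samples as $label => $raw) {
    $r = decodeAndCheck($raw);
    printf(
        "%-6s len=%d hex=%s valid_utf8=%s json_ok=%s normalized=%s\n",
        $label,
        $r['length'],
        $r['hex'],
        $r['valid_utf8'] ? 'yes' : 'no',
        $r['json_ok'] ? 'yes' : 'no',
        $r['normalized']
    );
}
```

Run it with the PHP CLI; the Latin-1 sample reports valid_utf8=no and json_ok=no while keeping its full length, and the UTF-8 sample passes both checks. Whether to transcode or reject when the check fails depends on which clients you expect; the important part is that the decision is made explicitly rather than by whichever downstream component happens to choke on the byte first.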