Overly aggressive xss cleaning?
#1

[eluser]Unknown[/eluser]
When, as in my case, $_POST['body'] contains an HTML image element with a valid src attribute, e.g.
Code:
<img src="http://test.es/test4.png" alt="" >
(amongst others, but it seems only the img is stripped this way), the system/libraries/Input.php constructor cleans the incoming data. As far as I can see something happens in Input->xss_clean(), which is called by Input->_clean_input_data(), which in turn is called by the constructor. This leaves the img code cold and empty:
Code:
<img >

Now, it is sort of a limitation not being allowed to submit HTML code like that to a CI app.

EDIT: CodeIgniter 1.7.3
$config['global_xss_filtering'] = TRUE;
The img src points to an external site
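Added example, not code from the post or from CodeIgniter: what the post describes is the usual failure mode of a blacklist filter such as a global xss_clean(), which has to guess at what is dangerous and ends up mangling harmless markup. For a field that is meant to carry HTML, the alternative is to leave global filtering off, filter the plain-text fields individually, and run an allowlist sanitizer on the HTML field. The PHP below (assumes the ext/dom extension; the tag and attribute allowlist is a hypothetical one chosen for illustration) parses the submitted fragment, keeps only listed tags and attributes, and accepts src/href only when the URL is http(s) or relative, so the post's image survives while javascript:, data: and event-handler payloads are dropped. It goes beyond the post's single case by also covering encoded-scheme variants such as java&#9;script:, which the HTML parser decodes before the scheme check runs.

```php
<?php
// Added example (not CodeIgniter's code): allowlist sanitizer for
// user-submitted HTML. It keeps <img src="http://..."> intact and only
// rejects tags, attributes and URL schemes that are not explicitly allowed.
// The allowlist below is hypothetical; adjust it to the markup you accept.

const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'strong' => [], 'em' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
const URL_ATTRS = ['src', 'href'];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// Accept only http(s) or scheme-less (relative) URLs. Tabs and newlines are
// removed first because browsers ignore them inside a scheme, so a value of
// "java\tscript:" would otherwise pass a naive scheme check.
function is_safe_url(string $url): bool
{
    $url = trim($url, " \t\n\r\0\x0B");
    $url = str_replace(["\t", "\n", "\r"], '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true; // no scheme: relative URL
}

// Post-order walk: children are sanitized before the element itself is
// judged, so unwrapping a disallowed element moves already-clean content.
function sanitize_node(DOMNode $node): void
{
    // Snapshot the child list because the tree is modified while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            sanitize_node($child);
            sanitize_element($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, PIs, CDATA sections
        }
    }
}

function sanitize_element(DOMElement $el): void
{
    $tag = strtolower($el->tagName);
    $parent = $el->parentNode;
    if (in_array($tag, DROP_WITH_CONTENT, true)) {
        $parent->removeChild($el); // drop tag and its content
        return;
    }
    if (!array_key_exists($tag, ALLOWED_TAGS)) {
        // Unknown element: keep its (already sanitized) content, drop the tag.
        while ($el->firstChild) {
            $parent->insertBefore($el->firstChild, $el);
        }
        $parent->removeChild($el);
        return;
    }
    // Remove attributes not allowlisted for this tag, and URL attributes
    // whose scheme is not http(s).
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        if (!in_array($name, ALLOWED_TAGS[$tag], true)
            || (in_array($name, URL_ATTRS, true) && !is_safe_url($attr->value))) {
            $el->removeAttribute($attr->name);
        }
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // The XML PI forces UTF-8 decoding; <body> gives the fragment a root.
    $doc->loadHTML('<?xml encoding="UTF-8"?><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitize_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: the <img> from the post plus a few payloads.
$samples = [
    '<img src="http://test.es/test4.png" alt="" >',
    '<img src="javascript:alert(1)" onerror="alert(1)" alt="x">',
    '<img src="java&#9;script:alert(1)">',
    '<a href="data:text/html;base64,PHNjcmlwdD4=">link</a>',
    '<p>hello<script>alert(1)</script> <span class="c">world</span></p>',
];
foreach ($samples as $s) {
    echo sanitize_html($s), "\n";
}
```

Run it with the PHP CLI: the first sample comes back with its src intact, while the javascript: and tab-obfuscated src values, the onerror handler, the data: href and the script block are removed and the span is unwrapped to plain text. The design point is that the parser, not a regex, decides what the browser will see, and every decision is made against an explicit allowlist rather than a list of known-bad patterns.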
