Overriding global XSS filtering
[eluser]besson3c[/eluser]
Hello, I just realized that the global XSS filtering setting can mess up password inputs if the password includes certain characters. Is there a way to override this setting for particular form elements? If not, would it be possible to toggle this setting off temporarily while assigning this form input to a variable? I could play around with this for myself, but I'm not sure what sorts of input will result in modification post-sanitization/filtering. Can anyone please provide me with an example?
[eluser]Twisted1919[/eluser]
Basically, what you need to do is, at the beginning of the request, right before the global cleaning takes place, make a copy of the $_POST array and use that copy when you want to get the original, uncleaned variables. Extending the security class might be the perfect way of doing this, something like:

Code:
class MY_Security extends CI_Security{

Code:
if(isset($this->security->original_post_array['password']))

Please note, if you use CKEDITOR, or any other editor, the xss_clean() method will strip many of the element attributes, e.g.:

Code:
<div style="font-weight:bold">BOLD FONT ? </div>
[eluser]bubbafoley[/eluser]
You can turn XSS filtering on/off when retrieving data.

Code:
$config['global_xss_filtering'] = TRUE;

Code:
$username = $this->input->post('username'); // filtered

== OR ==

Code:
$config['global_xss_filtering'] = FALSE;

Code:
$username = $this->input->post('username', TRUE); // filtered

Read more: http://www.gregaker.net/2011/mar/30/what..._i_use_it/
[eluser]Matty[/eluser]
[quote author="Twisted1919" date="1307974817"]Basically, what you need to do is, at the beginning of the request, right before the global cleaning takes place, make a copy of the $_POST array and use that copy when you want to get the original, uncleaned variables. Extending the security class might be the perfect way of doing this, something like:

Code:
class MY_Security extends CI_Security{

Code:
if(isset($this->security->original_post_array['password']))

Please note, if you use CKEDITOR, or any other editor, the xss_clean() method will strip many of the element attributes, e.g.:

Code:
<div >BOLD FONT ? </div>[/quote]

Brilliant, this is just what I was looking for and it works perfectly.
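Twisted1919's approach written out in full, as an added example that is not code from the thread or from CodeIgniter itself. It assumes CodeIgniter 2.x, where CI_Input constructs the Security class before it runs _sanitize_globals(), the default MY_ subclass prefix, and a hypothetical Auth controller; the raw copy is used only for the password, which is hashed and never rendered, while every field that can reach a page keeps the globally filtered value.

```php
<?php
// application/core/MY_Security.php (added example; assumes CodeIgniter 2.x)
// Keeps an unfiltered snapshot of $_POST for fields that are never rendered,
// such as passwords, which global XSS filtering would otherwise modify.
class MY_Security extends CI_Security
{
    // Raw copy of $_POST, taken before CI_Input::_sanitize_globals() runs xss_clean() over it.
    public $original_post_array = array();

    public function __construct()
    {
        // CI_Input loads the Security class first and only then sanitizes $_POST,
        // so at this point the array still holds exactly what the client sent.
        $this->original_post_array = $_POST;
        parent::__construct();
    }

    // Returns the unfiltered value for $key, or $default when the field is absent.
    // Use only for fields that are hashed or compared, never for anything echoed into HTML.
    public function raw_post($key, $default = FALSE)
    {
        return isset($this->original_post_array[$key])
            ? $this->original_post_array[$key]
            : $default;
    }
}

// application/controllers/auth.php (hypothetical controller, not from the thread)
class Auth extends CI_Controller
{
    public function register()
    {
        // Anything that may later be rendered keeps the globally filtered value.
        $username = $this->input->post('username');
        // The password is hashed, never displayed, so filtering it would only corrupt the credential.
        $password = $this->security->raw_post('password');
        if ($username === FALSE || $password === FALSE) {
            show_error('Username and password are required.', 400);
        }
        $hash = password_hash($password, PASSWORD_DEFAULT); // PHP >= 5.5
        // ... store $username and $hash; on login compare with password_verify($input, $hash)
    }
}
```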