Welcome Guest, Not a member yet? Register   Sign In
XSS_Clean filters no php tags
#1

Hello @ll,

my Problems and Questions:

1. Problem

Input "<?php ?> <script>" in "recipients" field.
PHP Code:
//validate form input
$this->form_validation->set_rules('recipients''recipients''required|max_length[100]|xss_clean|callback_recipients_check');
...
...

//Callback function
public function recipients_check($recipients '')
    {
        
$foo $this->security->xss_clean($recipients);

        echo 
"<pre>";

        
print_r ($foo);

        echo 
"</pre>";
        exit;
    } 

The Return is "<?php ?> [removed]".

But why not filtering the PHP-Tags?
In User-Gguide Stands: xss_clean() does this automatically, if you use it.

A Question: Why not first Filtering and then Callback?
This is not the better Way?


Sry, for my English. I'm from Germany Big Grin

Thank you for yours Help.
Reply
#2

Hi,

I can't answer all your questions but I think the php tags will now be html entities following xss_clean. Also, I don't think xss_clean is a form validation rule, it is a function you perform on data.

http://www.codeigniter.com/user_guide/li...-reference

Hope that helps,

Best wishes,

Paul.
Reply
#3

Hi Paul,

thanks for your Answer.
Was very helpful.

But , I think the better way would be...
Filtering and then Callback Smile
Reply
#4

If your callback does xss_clean() and you have xss_clean in your rules, you're passing the same data through xss_clean() twice, so the resulting output is going to be questionable anyway. The xss_clean() method replaces <? with &lt;?. The pre element in HTML does not prevent the browser from decoding the HTML entities.

For the most part, the rules will be run in the order you specified.

Please read the upgrade note on using xss_clean as a form validation rule and the note in the documentation of the Input class. xss_clean() should not be used on input, it should only be used when outputting data to HTML.
Reply




Theme © iAndrew 2016 - Forum software by © MyBB