XSS_CLEAN Truncates Data

#1
We have a user out in the internet posting data to our API written in CI 3.1.9.  The data is in this format:

ID=<some id>&KEY=<some key>&DATA=<very long json data>

In our controller we use:

$id = $this->input->post('id', true);     // second argument TRUE runs xss_clean on the value
$key = $this->input->post('key', true);   // was written as 'key/ (unclosed quote) in the original post
$data = $this->input->post('data', true);

After days of trying to figure out why we're not getting this JSON data, I figured out that for some reason XSS_CLEAN would completely erase the JSON data to empty.  I can reproduce this problem with $this->input->input_stream('data', true) or $this->security->xss_clean($data).

Not sure if this is a bug or it breaks because the JSON data is too long (2000 records of name, address, city, state, zip)...

#2
XSS filtering should never be used on input, but on output. CodeIgniter has DEPRECATED global_xss_filtering and you should delete those too. You should however validate your data and apply XSS measures on output instead.

https://www.codeigniter.com/user_guide/l...-filtering
https://www.codeigniter.com/user_guide/g...-filtering
https://www.codeigniter.com/user_guide/l...-filtering

http://php.net/manual/en/book.filter.php
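An added example, not code from this thread or from CodeIgniter, showing the division of labour the reply above recommends in plain PHP: the posted JSON is validated structurally on input (size, depth, shape, allowed fields) and kept intact, and escaping happens only where a value is written into HTML. The field names come from the first post's description of the records; the size and depth limits, the constructed request body, and the helper names `validateJsonPayload` and `escapeForHtml` are assumptions for the example. `parse_str` stands in for `$this->input->post('data')` called without the xss_clean flag.

```php
<?php
// Added example (not from the thread or CodeIgniter): validate on input, escape on output.

/**
 * Validate a JSON payload structurally instead of running an XSS filter over it.
 * Returns the decoded records or throws InvalidArgumentException.
 * Limits (5 MiB, depth 16, 255-byte fields) are assumed values for the example.
 */
function validateJsonPayload(string $raw, int $maxBytes = 5 * 1024 * 1024, int $maxDepth = 16): array
{
    if (strlen($raw) > $maxBytes) {
        throw new InvalidArgumentException('payload too large');
    }
    // JSON_THROW_ON_ERROR needs PHP >= 7.3; malformed or over-deep JSON is rejected, not "cleaned".
    $decoded = json_decode($raw, true, $maxDepth, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new InvalidArgumentException('expected a JSON array of records');
    }
    $allowed = ['name', 'address', 'city', 'state', 'zip'];   // fields named in the first post
    foreach ($decoded as $i => $record) {
        if (!is_array($record)) {
            throw new InvalidArgumentException("record $i is not an object");
        }
        foreach ($record as $field => $value) {
            if (!in_array($field, $allowed, true)) {
                throw new InvalidArgumentException("record $i: unexpected field '$field'");
            }
            if (!is_string($value) || strlen($value) > 255) {
                throw new InvalidArgumentException("record $i: field '$field' must be a string of at most 255 bytes");
            }
        }
    }
    return $decoded;   // stored as-is; nothing has been stripped or altered
}

/** Escape a value for an HTML text or attribute context, at output time only. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample body in the ID=...&KEY=...&DATA=... shape described in the first post.
$body = 'ID=42&KEY=abc&DATA=' . rawurlencode(json_encode([
    ['name' => 'Ada <b>Lovelace</b>', 'address' => '1 Analytical Way', 'city' => 'London', 'state' => 'LN', 'zip' => 'N1'],
    ['name' => "O'Brien",             'address' => '2 Main St',        'city' => 'Dublin', 'state' => 'D',  'zip' => 'D01'],
]));
parse_str($body, $params);   // stand-in for $this->input->post('data') with no xss_clean flag

$records = validateJsonPayload($params['DATA']);   // intact: 2 records, markup in the name preserved
printf("%d records accepted\n", count($records));

foreach ($records as $r) {
    // Escaping belongs here, in the view, so the stored data stays exact and re-usable.
    echo '<li>' . escapeForHtml($r['name']) . ', ' . escapeForHtml($r['city']) . "</li>\n";
}
```

Run with `php example.php`: the first list item renders the name as `Ada &lt;b&gt;Lovelace&lt;/b&gt;`, while the record kept in `$records` still holds the original string. If the same value later goes into a JSON response or a database, it is encoded for that context there (for example `json_encode` or a prepared statement), not pre-mangled on input.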
