XSS Cleaning
[eluser]EEssam[/eluser]
Hello, I'm wondering if I should implement the following function with CI: http://quickwired.com/smallprojects/php_...nction.php Or what comes with CI is more powerful? Please advise.
[eluser]xwero[/eluser]
The xss_clean function can be found in the input library, so you can be the judge.
[eluser]EEssam[/eluser]
I do not have enough experience to judge, but I guess you mean the above method is safer!
[eluser]Pascal Kriete[/eluser]
Umm..
Code: $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);
Why does he strip all commas? Use the input class.
[eluser]Eric Cope[/eluser]
He is not removing commas (at least on purpose). He is removing ASCII characters that are not used in the ASCII dataset. The commas separate different groups of dangerous hex characters. I can't say that is what is accomplished because my regular expressions are weak and I don't have Kodos running on this machine. I think he would be removing the commas if there were slashes directly to the left of those... Here is a fun link in case you like speaking hex. http://www.asciitable.com/
[eluser]Pascal Kriete[/eluser]
He has a little text field at the bottom where you can test. He's obviously not doing it on purpose - but he is doing it. If I use an XSS cleaner I want it to be tested to exhaustion and beyond. That clearly wasn't done here. Although the unwanted comma stripping does save him from a few vectors that would otherwise go through. For regular expression testing, I've found this Firefox plugin quite useful.
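To see concretely what that character class does, here is an added example (not code from the thread or from the quickwired script) that runs the quoted pattern and a comma-free version of it over the same input and lists which code points each one deletes; the function names and the sample input are assumptions.

```python
import re

# Pattern as quoted in the thread. Inside a character class a comma is a
# literal, so "," (0x2C) is matched and stripped together with the control bytes.
COMMA_STRIPPING = re.compile(r'([\x00-\x08,\x0b-\x0c,\x0e-\x19])')

# Assumed fix: the same ranges, with the separating commas removed.
# The ranges themselves are kept exactly as the original author wrote them.
FIXED = re.compile(r'([\x00-\x08\x0b-\x0c\x0e-\x19])')


def removed_codepoints(pattern):
    """Return the set of ASCII code points that pattern.sub('', ...) deletes."""
    return {cp for cp in range(128) if pattern.sub('', chr(cp)) == ''}


def clean(val, pattern=FIXED):
    """Apply the control-character filter; defaults to the comma-free pattern."""
    return pattern.sub('', val)


def extra_removed(a, b):
    """Code points deleted by pattern a but not by pattern b."""
    return removed_codepoints(a) - removed_codepoints(b)


if __name__ == '__main__':
    sample = 'a,b\x00c\x0bd'  # constructed input: a comma plus two control bytes
    print(repr(clean(sample, COMMA_STRIPPING)))          # 'abcd'
    print(repr(clean(sample, FIXED)))                    # 'a,bcd'
    print(sorted(extra_removed(COMMA_STRIPPING, FIXED))) # [44]
```

Running it shows that the only difference between the two patterns is code point 44, the comma, which confirms the thread's observation; tab (0x09), LF (0x0A) and CR (0x0D) survive both filters.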