XSS Cleaning


I'm wondering if I should implement the following function with CI:


Or what comes with CI is more powerful?

Please advise.

The xss_clean function can be found in the input library so you be the judge Wink

I do not have enough experience to judge, but I guess you mean the above method is safer! Smile

[eluser]Pascal Kriete[/eluser]
$val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);

Why does he strip all commas? Use the input class.

[eluser]Eric Cope[/eluser]
He is not removing commas (at least on purpose). He is removing ASCII characters that are not used in the ASCII dataset. The commas separate different groups of dangerous hex characters. I can't say that is what is accomplished because my regular expressions are weak and I don't have Kodos running on this machine. I think he would be removing the commas if there were slashes directly to the left of those...
Here is a fun link in case you like speaking hex. http://www.asciitable.com/

[eluser]Pascal Kriete[/eluser]
He has a little text field at the bottom where you can test. He's obviously not doing it on purpose - but he is doing it. If I use a xss cleaner I want it to be tested to exhaustion and beyond. That clearly wasn't done here.

Although the unwanted comma stripping does save him from a few vectors that would otherwise go through.

For regular expression testing, I've found this firefox plugin quite useful.
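To settle the comma question, here is an added example (not code from the thread or from CodeIgniter) that runs the posted pattern and a corrected one side by side over a few constructed strings. Inside a character class a comma is just another member, so the posted pattern strips every comma; it also stops its last range at \x19, so the control bytes \x1a-\x1f (including ESC, \x1b) pass through untouched. The corrected pattern below is my own reading of the intended behaviour: drop the C0 control characters while keeping tab, LF and CR. Stripping control bytes is input normalization, not an XSS filter; it does nothing about script tags or event handlers, which is what the Input class's xss_clean is for.

```php
<?php
// Added example; function names and sample inputs are mine, not the thread's.

function strip_controls_as_posted(string $val): string {
    // The regex exactly as posted: the commas sit inside the character class,
    // so a literal ',' is removed along with the control characters.
    return preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);
}

function strip_controls_fixed(string $val): string {
    // Same intent without the literal commas. \x09 (TAB), \x0a (LF) and
    // \x0d (CR) are deliberately left out of the class so line breaks and tabs
    // survive; \x0e-\x1f covers the rest of the C0 range, which the posted
    // pattern cut short at \x19.
    return preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/', '', $val);
}

// Constructed sample inputs.
$samples = [
    "a,b,c",                   // plain commas: posted pattern removes them
    "hello\x00world\x1b[31m",  // NUL and ESC: posted pattern keeps ESC (\x1b > \x19)
    "line1\r\nline2\ttab",     // CR, LF, TAB: both patterns must keep these
];

foreach ($samples as $s) {
    printf("input:  %s\n  posted: %s\n  fixed:  %s\n",
        json_encode($s),
        json_encode(strip_controls_as_posted($s)),
        json_encode(strip_controls_fixed($s)));
}
```

Running it shows "a,b,c" collapsing to "abc" under the posted pattern while the ESC byte in the second sample is left in place; the corrected pattern keeps the commas and removes both NUL and ESC. json_encode is used only so the invisible bytes are visible in the output.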
