xss_clean bug
[eluser]Nielsk[/eluser]
Hello, I was working on my community when I was checking the security side. When you use " /> in an input, it will be under the input like this:

<input name="title" id="title" type="text" value="DefQon.1 ">>>" /></div>

The quote (") should also be edited in the xss_clean, or else it can't be called an XSS cleaner.

Niels

ps: sorry if some text is badly formulated. I'm tired at the moment because of some problems at home.
[eluser]xwero[/eluser]
The double quote is not considered an XSS risk because it's a valid character in normal text. But there are ways to prevent user values from messing up your HTML, and one of them is the use of the htmlentities function.
[eluser]Nielsk[/eluser]
I know that. I'm a freelance security expert. I work with XSS and CSRF almost every day.
[eluser]Derek Allard[/eluser]
Hi Nielsk. Thanks for reporting. I'm sorry, I'm not following what you are suggesting. Could you elaborate? If you'd prefer to continue this off-board, please feel free to email me ([email protected]).
[eluser]Nielsk[/eluser]
[quote author="Derek Allard" date="1215760824"]Hi Nielsk. Thanks for reporting. I'm sorry, I'm not following what you are suggesting. Could you elaborate? If you'd prefer to continue this off-board, please feel free to email me ([email protected]).[/quote]

I have mailed you.
[eluser]Derek Jones[/eluser]
Nielsk, thanks for reporting; Derek shared your email with me, and I think it's just a small misunderstanding. xss_clean() does not make text safe for use in tag attributes, it makes it safe for output to the screen. What you demonstrate is still not an XSS weakness, though it will certainly break your tags. What you want to use in addition to xss_clean() is form_prep() from the Form helper. e.g. instead of:

Code:
<input name="title" type="text" value="<?=$this->input->xss_clean('DefQon.1 " />');?>" />

You would use (after the form helper is loaded):

Code:
<input name="title" type="text" value="<?=form_prep($this->input->xss_clean('DefQon.1 " />'));?>" />
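The context difference Derek Jones describes, as an added stand-alone example that is not code from this thread or from CodeIgniter: strip_scripts() is an assumed stand-in for a filter that, like xss_clean(), removes dangerous markup but deliberately leaves double quotes alone, and attr_escape() uses plain htmlspecialchars() with ENT_QUOTES to do the attribute-context escaping that form_prep() provides in the framework.

```php
<?php
// Assumption: a minimal "safe for the screen" filter. It removes script elements
// but, like xss_clean(), keeps the double quote because it is legitimate text.
function strip_scripts(string $s): string
{
    return preg_replace('#<script\b[^>]*>.*?</script>#is', '', $s);
}

// Attribute-context escaping. ENT_QUOTES turns both " and ' into entities,
// so the value can never terminate the attribute it is placed in.
// (Stands in for form_prep(); no CodeIgniter needed to run this.)
function attr_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Builds the same <input> tag as in the thread, with or without attribute escaping.
function render_title_input(string $value, bool $escape_for_attribute): string
{
    $v = strip_scripts($value);          // screen safety only
    if ($escape_for_attribute) {
        $v = attr_escape($v);            // attribute safety on top
    }
    return '<input name="title" id="title" type="text" value="' . $v . '" />';
}

// Constructed input mirroring Nielsk's report.
$submitted = 'DefQon.1 " />';

echo render_title_input($submitted, false), PHP_EOL;  // filter only
echo render_title_input($submitted, true), PHP_EOL;   // filter plus attribute escaping
```

The first line shows the submitted quote closing the value attribute early, which is exactly the broken tag from the first post; in the second line the quote and angle brackets are entity-encoded, so the whole value stays inside the attribute and the tag stays intact.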