Codeigniter XSS
Submitted by kevin on Thu, 07/21/2011 - 09:50
Codeigniter adds semi-colon when you use an ampersand in an input field
When a user had an ampersand character in their password they couldn't login to the website. This took me several hours to figure out what was happening.
Using codeigniter 2.02 on php 5.3.
In the config file you have the option of turning XSS Filtering on site wide, which on the outset looks like a good idea. However it has some side effects that can cause a few problems.
application/config/config.php
$config['global_xss_filtering'] = TRUE;
I've been implementing a new login system which uses
$username = htmlspecialchars($this->input->post('username')); $password = hash('sha512', $salt . $this->input->post('password') . $pepper);
Now here comes the problem.
The input form goes through the form_validation->run() to check that the fields are not empty or too long etc
but if the password contains the ampersand such as
Tyu9&fgQnb
then the output becomes
Tyu9&fgQnb;
(note the semi-colon)
I for one want to encourage my users to have strong passwords.
The answer is of course not to have XSS on site wide.
$config['global_xss_filtering'] = FALSE;
and add xss_clean on a individual basis in the validation rules. It's probably important to add that I normally add strip_tags to these input types.
$this->form_validation->set_rules('username', 'Username', 'required|strip_tags|max_length[20]'); $this->form_validation->set_rules('password', 'Password', 'required|strip_tags|max_length[20]');
Add new comment