I am working on a book listing website and have run into a problem with CodeIgniter’s XSS filtering. When the form is submitted to create a listing, any title that includes “Javascript:” gets replaced with “[REMOVED]”. I have tried accessing the data from the POST array like this:
$title = $_POST['title'];
to avoid using the Input class but it is still somehow getting filtered. Is there any way around this that does not involve turning global_xss_filtering off?
Nope, sorry. You have to turn it off because it alters the raw post data early in CI’s execution.
I could rant for 5 pages about the proper use of the xss filter, but I’ll try and keep it concise:
Here’s just one of many tragic examples of why the global XSS filter is a bad idea:
Password chosen at registration:
document.write123
What the filter turns it into before you hash it:
[removed]123
Now, the user can log in with any of the following passwords, because those will also get turned into [removed]123 by the filter before you hash them to validate:
<script>123
document.write123
document.cookie123
That shouldn’t happen. A user shouldn’t be able to log in with multiple passwords (unless it’s by design… I suppose).
Also, good luck saving any of your blog posts that use <iframe>s… YouTube videos, for example.
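The collision described in the answer above, and the output-encoding alternative, as an added example that is not code from the original thread or from CodeIgniter. fake_global_xss_filter() is a constructed stand-in that only mimics the “[removed]” substitutions the answer relies on; password_hash(), password_verify() and htmlspecialchars() are standard PHP.

```php
<?php
// Constructed stand-in for the "[removed]" substitutions the answer describes.
// It is NOT CodeIgniter's xss_clean(), which does far more; it reproduces just
// enough behaviour to show why filtering input before hashing is unsafe.
function fake_global_xss_filter(string $value): string
{
    $neverAllowed = ['document.cookie', 'document.write', '<script>', '</script>', 'javascript:'];
    return str_ireplace($neverAllowed, '[removed]', $value);
}

// 1. The collision: the global filter rewrites the raw POST value before it is
//    hashed, so several distinct passwords collapse into the same stored hash.
$storedHash = password_hash(fake_global_xss_filter('document.write123'), PASSWORD_DEFAULT);

$attempts = ['<script>123', 'document.write123', 'document.cookie123', 'hunter2'];
foreach ($attempts as $attempt) {
    $filtered = fake_global_xss_filter($attempt);
    $verdict  = password_verify($filtered, $storedHash) ? 'ACCEPTED' : 'rejected';
    printf("%-20s filtered to %-16s %s\n", $attempt, $filtered, $verdict);
}

// 2. The question's symptom: the same filter mangles a perfectly valid title.
printf("%s\n", fake_global_xss_filter('Javascript: The Good Parts'));

// 3. The alternative: store the input unmodified and encode it at output time,
//    for the context it is rendered in. HTML-escaping keeps the title intact
//    and turns any markup into inert text instead of deleting it.
function render_title(string $rawTitle): string
{
    return '<h1>' . htmlspecialchars($rawTitle, ENT_QUOTES, 'UTF-8') . '</h1>';
}
echo render_title('Javascript: The Good Parts'), "\n";
echo render_title('<script>alert(1)</script>'), "\n";
```

Run it with the CLI (php example.php): the first three login attempts are accepted against one hash, while the escaped titles render as plain text.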