I am working on a book listing website and have run into a problem with CodeIgniter's XSS filtering. When the form is submitted to create a listing, any title that includes "Javascript:" gets replaced with "[REMOVED]". I have tried accessing the data from the POST array like this:
$title = $_POST['title'];
to avoid using the Input class but it is still somehow getting filtered. Is there any way around this that does not involve turning global_xss_filtering off?
Is there any way around this that does not involve turning global_xss_filtering off?
Nope, sorry. You have to turn it off because it alters the raw post data early in CI's execution.
I could rant for 5 pages about the proper use of the xss filter, but I'll try and keep it concise:
- Filter output, not input
- Always keep the context in mind and escape appropriately (is this HTML? SQL? JavaScript? text file?)
- The global filter is a security blanket. You can remove it once you know what you're doing.
Here's just one of many tragic examples of why the global XSS filter is a bad idea:
That shouldn't happen. A user shouldn't be able to log in with multiple passwords (unless it's by design... I suppose).
Also, good luck saving any of your blog posts that use <iframe>s... YouTube videos for example.
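To make the "filter output, not input" advice concrete, here is an added example in plain PHP (it is not the answerer's code and not part of CodeIgniter): the title is stored exactly as typed, and each place it is later rendered escapes it for that output context. The `$pdo` connection and the `listings` table are assumed for illustration; the sample titles are constructed.

```php
<?php
// Added example: keep the raw input, escape per output context.

// Constructed sample inputs: the legitimate title that tripped the global
// filter, and a hostile one that the output escaping must neutralise.
$legitTitle   = 'Javascript: The Good Parts';
$hostileTitle = '<script>alert(1)</script>';

// SQL context: a prepared statement keeps the title as data, so storing the
// raw string is safe and nothing is rewritten on the way in.
function saveListing(PDO $pdo, string $title): void
{
    $stmt = $pdo->prepare('INSERT INTO listings (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

// HTML body or quoted-attribute context.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript context: emit the value as a JSON string literal inside a
// <script> block; the HEX flags stop "</script>" from ending the block early.
function escapeJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// URL query-parameter context (e.g. a search link built from the title).
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// URL *scheme* context: escaping cannot make a user-supplied href safe, so
// allow only http/https and fall back to a harmless value otherwise. This is
// the one place where a "javascript:" prefix matters; as plain title text it
// is just characters.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return escapeHtml($url);
}

// Rendering the same stored title in three contexts.
foreach ([$legitTitle, $hostileTitle] as $title) {
    echo '<h1>' . escapeHtml($title) . "</h1>\n";
    echo '<script>var title = ' . escapeJs($title) . ";</script>\n";
    echo '<a href="/search?q=' . escapeUrlParam($title) . '">search</a>' . "\n";
}
echo '<a href="' . safeHref('javascript:alert(1)') . '">link</a>' . "\n"; // href="#"
```

With this layout the "Javascript: The Good Parts" title survives intact in the database and renders as literal text, while the hostile title is rendered inert in every context. In CodeIgniter 2 and 3 the global switch is `$config['global_xss_filtering']` in `application/config/config.php`; with it off, `xss_clean` can still be requested per field by passing `TRUE` as the second argument of `$this->input->post()` for the few fields that genuinely need it.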