I'm using the CodeIgniter PHP framework. I use JS to dynamically load a PHP page:

    $('someIFrame').writeAttribute(
        'src',
        '/index.php/controller/method/' +
            escape(userGeneratedString)
    );

When I ran this, CodeIgniter gave me this error:

    http://192.168.0.81/index.php/controller/method/dude%27s%20face
    An Error Was Encountered
    The URI you submitted has disallowed characters.

This is totally untrue because the URL in question did not contain any disallowed characters. My config file allows all the characters present in that URL:

    $config['permitted_uri_chars'] = 'a-z 0-9~%.:_()@\-';

So I got frustrated and just allowed all characters to prevent the error.

    // Leave blank to allow all characters -- but only if you are insane.
    // DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
    //$config['permitted_uri_chars'] = 'a-z 0-9~%.:_()@\-';
    $config['permitted_uri_chars'] = '';

The warning message above this line sounds scary. What can possibly go wrong by allowing all characters? Will I get hacked?
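
Added example, not part of the original question and not CodeIgniter's own code: a sketch of what a `permitted_uri_chars`-style allowlist does to a URI segment, and what the blank setting stops filtering. `segment_allowed()` is a hypothetical helper, the sample segments are constructed, and it assumes the check sees the URL-decoded segment, which the question does not show.

```php
<?php
// Added illustration, not CodeIgniter's own code. segment_allowed() is a
// hypothetical helper that treats the setting as a regex character class.

function segment_allowed(string $segment, string $permitted): bool
{
    if ($permitted === '') {
        return true; // blank setting: the allowlist is switched off
    }
    // Escape the regex delimiter only; the rest is used as the class body.
    $class = str_replace('#', '\\#', $permitted);
    return preg_match('#^[' . $class . ']+$#i', $segment) === 1;
}

$fromQuestion = 'a-z 0-9~%.:_()@\-';   // value quoted in the question
$blank        = '';                     // the "allow everything" setting

// Constructed sample segments; the first is the one from the question's URL.
$samples = [
    'dude%27s%20face',
    'hello-world_1',
    'a%3Cb%3Ec',
    'x%22y',
];

printf("%-18s %-14s %-5s %-8s %-6s\n", 'raw', 'decoded', 'raw?', 'decoded?', 'blank?');
foreach ($samples as $raw) {
    $decoded = rawurldecode($raw); // assumption: the check sees decoded text
    printf(
        "%-18s %-14s %-5s %-8s %-6s\n",
        $raw,
        $decoded,
        segment_allowed($raw, $fromQuestion) ? 'pass' : 'fail',
        segment_allowed($decoded, $fromQuestion) ? 'pass' : 'fail',
        segment_allowed($decoded, $blank) ? 'pass' : 'fail'
    );
}

// With the allowlist off, every use of a segment has to neutralise these
// characters itself, e.g. HTML-encoding before echoing it into a page.
echo htmlspecialchars(rawurldecode('a%3Cb%3Ec'), ENT_QUOTES, 'UTF-8'), "\n";
```

The percent-encoded form of each segment passes the quoted allowlist because `%` and digits are permitted; it is the decoded apostrophe, quote or angle bracket that fails, and the blank setting passes all of them through to the controller.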