There is an issue in the xss_clean function where it might be a little over aggressive in stripping content.
when you run the string "100% becomes" through the xss_clean function the section on lines 377-387 strip out "% be" and the string becomes " 100锟絚omes" this happens in any instance where the 2 characters following a percent are a-f 0-9.
I understand what this is preventing, and I'm assuming that it considers the space for good reason. So I'm not overly sure what the solution here would be.
Inconvenient, indeed. But I don't see a way around #4877 without this ...
Well if that is the case wouldn't limiting the replacement to within a tag, or within a parameter inside a tag solve the issue?
That's easier said than done, and while the example in #4877 uses an attribute value, it is not really clear if that's the only vector ...
Hi guys and gals,
I know this issue was closed a while back already, but is there anyway you could maybe look into this again?
I'm hitting this bug because I'm trying to sanitize a rich text field, but now people can't type % in their text, because it creates weird utf-8 characters.
see my ticket at graham campbells security package
@Zae Refer to my previous comment ... Until it is proven that this is only limited to attribute values, it's not changing.
This sucks...I'm making work arounds on this but don't know if will affect security.
No solutions yet?
well seems guys from opensourcepos received same response .... "works for me" -> wont-fix!