Codeigniter: xss_clean security library

Created on 19 May 2017  路  8Comments  路  Source: bcit-ci/CodeIgniter

There is an issue in the xss_clean function where it might be a little over aggressive in stripping content.

when you run the string "100% becomes" through the xss_clean function the section on lines 377-387 strip out "% be" and the string becomes " 100锟絚omes" this happens in any instance where the 2 characters following a percent are a-f 0-9.

I understand what this is preventing, and I'm assuming that it considers the space for good reason. So I'm not overly sure what the solution here would be.

All 8 comments

Inconvenient, indeed. But I don't see a way around #4877 without this ...

Well if that is the case wouldn't limiting the replacement to within a tag, or within a parameter inside a tag solve the issue?

That's easier said than done, and while the example in #4877 uses an attribute value, it is not really clear if that's the only vector ...

4877 hot-fix is terrible idea. should check ahead if in attribute value first

Hi guys and gals,

I know this issue was closed a while back already, but is there anyway you could maybe look into this again?

I'm hitting this bug because I'm trying to sanitize a rich text field, but now people can't type % in their text, because it creates weird utf-8 characters.

see my ticket at graham campbells security package

@Zae Refer to my previous comment ... Until it is proven that this is only limited to attribute values, it's not changing.

This sucks...I'm making work arounds on this but don't know if will affect security.

No solutions yet?

well seems guys from opensourcepos received same response .... "works for me" -> wont-fix!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Struki84 picture Struki84  路  7Comments

Rverm picture Rverm  路  6Comments

huehnerhose picture huehnerhose  路  6Comments

boblennes picture boblennes  路  4Comments

mckaygerhard picture mckaygerhard  路  4Comments