CodeIgniter 2.1.4
After doing a little research about CodeIgniter's XSS protections, I decided to quickly and crudely test this by typing some random HTML into any input field on my CodeIgniter forms.
When I typed in <script>, the page is redirected to the server's default 403 error ("Forbidden") page. It's not even a CodeIgniter error page.
I'm very glad that any input data containing <script> is stopped, however, I'm not understanding why this is generating a 403 error page instead of a validation error, or at least passing the data through with the offending parts stripped out.
I'm using htmlentities() to convert the < and >, but this makes no difference.
It doesn't even matter if I implement the form validation. The input data of <script> will generate a 403 error even without it.
Can anyone explain what's happening here and if I need to be worried about how this is being handled/redirected? To me it just seems like I should be getting some sort of CodeIgniter validation error or stripped-down data rather than a 403 error.
Here is a concise version of one of my Controllers. (It's happening on all Controllers with data input fields.)
```php
public function search($search_slug = NULL)
{
    $this->load->library('form_validation');
    // Apply CodeIgniter's XSS filter to the submitted search terms
    $this->form_validation->set_rules('search-terms', 'Search Terms', 'xss_clean');

    if ($this->input->post('search-terms') && ($this->form_validation->run() !== FALSE))
    {
        // Encode < and > before turning the input into a URL slug
        $search_slug = url_title(htmlentities($this->input->post('search-terms')), 'dash', FALSE);
    }

    if ($search_slug !== NULL)
    {
        // Turn the dashed slug back into space-separated search terms
        $search_terms = preg_replace('/-/', ' ', $search_slug);

        // Hypothetical model call; the original post elides how the results are fetched
        $query = $this->search_model->get_results($search_terms);

        if ($query['count'] > 0)
        {
            $data['results'] = $query['results'];
        }
        else
        {
            $data['results'] = '<h3>Sorry, nothing found.</h3>';
        }
    }
    else
    {
        $data['results'] = '<h3>Please enter your search terms.</h3>';
    }

    $this->template->load('default', 'search', $data);
}
```