doushang1778 2015-10-26 17:14

XSS filtering on a CodeIgniter form

I am currently learning the framework "CodeIgniter". But I have a problem with my form validation. First, let me show you my view:

<form method="post" action="connexion">
  <label for="pseudo">Pseudo : </label>
  <input type="text" name="pseudo" value="" />

  <label for="mdp">Mot de passe :</label>
  <input type="password" name="mdp" value="" />

  <input type="submit" value="Envoyer" /></form>

My controller :

public function connexion()
{
    $this->load->library('form_validation');

    $this->form_validation->set_rules('pseudo', '"user name"', 'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags|xss_clean');
    $this->form_validation->set_rules('mdp',    '"password"',       'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags|xss_clean');

    if($this->form_validation->run())
    {
        $this->load->view('connexion_ok');
    }
    else
    {
        $this->load->view('form');
    }
}

When I remove the "xss_clean" filter in my controller in the set_rules(), it works perfectly, the form is valid. If the "xss_clean" is present, it doesn't work; it goes into the else branch. I don't use special chars in my input, only letters.

In the settings I put this on true : $config['global_xss_filtering'] = TRUE;

I read somewhere that the "xss_clean" filter is useless. What else can I use? Maybe helpers or something else? Thank you.


2 answers

  • douxian1895 2015-10-26 18:28

    First of all, set $config['global_xss_filtering'] = FALSE; You don't need or want this on all the time. This config setting is officially deprecated. It will likely disappear in the future.

    Second, if you are using version 3.0.x then remove 'xss_clean' from your validation rules. It is not on the officially supported list of form validation rules.

    The place where you can employ XSS filtering is when using the Input Class to fetch data from POST, GET, COOKIE or SERVER. Most of the input methods have a second param that enables running the data through xss_clean(). Example: $this->input->post('some_data', TRUE); will get the value of $_POST['some_data'] and run it through xss_clean(). If the second param is FALSE (or omitted) xss_clean() will not be used.

    This answer was selected as the best answer by the asker.
  • druhoytza979667566 2017-06-28 18:43

    I don't agree with DFriend's answer.

    Per CodeIgniter documentation:

    XSS escaping should be performed on output, not input!

    So the solution he proposed would actually do the same as the deprecated global configuration $config['global_xss_filtering'] = TRUE;, with the difference of adding much more code and manual work to add an extra boolean parameter for each $this->input->post.

    The proper way is to use set_value() in your views:

    <input type="password" name="mdp" value="<?=set_value('mdp')?>" />

    This function filters XSS vulnerabilities by default:

    set_value($field[, $default = ''[, $html_escape = TRUE]])

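A worked version of what the two answers together recommend (no xss_clean in the validation rules, no filtering when reading the input, escaping where the value is rendered), as an added example that is not the asker's code, not either answerer's, and not CodeIgniter's own. It assumes CodeIgniter 3.x with $config['global_xss_filtering'] = FALSE in application/config/config.php; the controller name Auth and the view names form and connexion_ok are hypothetical. The listing shows three files one after the other; split it at the "---" markers.

```php
<?php
// --- application/controllers/Auth.php ---
// Added example (not the asker's code, not CodeIgniter's own). Assumes
// CodeIgniter 3.x and $config['global_xss_filtering'] = FALSE.
// Controller and view names are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Auth extends CI_Controller
{
    public function connexion()
    {
        $this->load->library('form_validation');
        $this->load->helper('form'); // provides set_value() and validation_errors()

        // Same rules as the question, minus xss_clean: it is not a supported
        // validation rule in 3.x, which is why run() kept returning FALSE.
        // alpha_dash already restricts the value to letters, digits, '_' and '-'.
        $this->form_validation->set_rules('pseudo', 'user name',
            'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags');
        $this->form_validation->set_rules('mdp', 'password',
            'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags');

        if ($this->form_validation->run() === FALSE) {
            // Redisplay the form. set_value() in the view refills the field
            // and HTML-escapes it, so a rejected value is rendered as text.
            $this->load->view('form');
            return;
        }

        // Second parameter omitted and global filtering off: the value is read
        // exactly as submitted and is NOT passed through xss_clean().
        // Escaping happens at output time, in the view.
        $data = array('pseudo' => $this->input->post('pseudo'));
        $this->load->view('connexion_ok', $data);
    }
}
?>

<?php /* --- application/views/form.php --- */ ?>
<?= validation_errors('<p class="error">', '</p>') ?>
<form method="post" action="connexion">
  <label for="pseudo">Pseudo : </label>
  <!-- set_value() refills the field from $_POST and escapes it
       ($html_escape = TRUE by default), so markup characters in the
       submitted value are shown as text, not interpreted as HTML -->
  <input type="text" name="pseudo" value="<?= set_value('pseudo') ?>" />

  <label for="mdp">Mot de passe :</label>
  <!-- a password field is intentionally not refilled -->
  <input type="password" name="mdp" value="" />

  <input type="submit" value="Envoyer" />
</form>

<?php /* --- application/views/connexion_ok.php --- */ ?>
<!-- html_escape() wraps htmlspecialchars() with ENT_QUOTES and the configured
     charset; apply it to every untrusted value echoed into HTML -->
<p>Bienvenue, <?= html_escape($pseudo) ?>.</p>
```

Escaping at output keeps the stored value intact for other consumers (database, logs, JSON) and lets each rendering context apply its own encoding, which is the point the second answer quotes from the documentation; input validation such as alpha_dash still limits what the application accepts in the first place.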
