doushang1778 2015-10-26 17:14
浏览 74
已采纳

CodeIgniter表单上的XSS过滤

I am currently learning the framework "CodeIgniter". But I have a problem for my Form validation. First, let me show you my view :

<form method="post" action="connexion">
  <label for="pseudo">Pseudo : </label>
  <input type="text" name="pseudo" value="" />

  <label for="mdp">Mot de passe :</label>
  <input type="password" name="mdp" value="" />

  <input type="submit" value="Envoyer" /></form>

My controller :

public function connexion()
{
    $this->load->library('form_validation');

    $this->form_validation->set_rules('pseudo', '"user name"', 'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags|xss_clean');
    $this->form_validation->set_rules('mdp',    '"password"',       'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags|xss_clean');

    if($this->form_validation->run())
    {
        $this->load->view('connexion_ok');
    }
    else
    {
        $this->load->view('form');
    }
}

When I remove the "xss_clean" filter in my controller in the set_rules(), it works perfectly, the form is valid. If the "xss_clean" is present, it doesn't work, it goes in the else. I don't use special chars in my input, only letters.

In the settings I put this on true : $config['global_xss_filtering'] = TRUE;

I read somewhere the "xss_clean" filter is useless. What else can I use ? Maybe helpers or something else ? Thank you

  • 写回答

2条回答 默认 最新

  • douxian1895 2015-10-26 18:28
    关注

    First of all set $config['global_xss_filtering'] = FALSE; You don't need or want this on all the time. This config setting is officially deprecated. It will likely disapear in the future.

    Second, if you are using version 3.0.x then remove ‘xss_clean’ from your validation rules. It is not on the officially supported list of form validation rules.

    The place where you can employ XSS filtering is when using the Input Class to fetch data from POST, GET, COOKIE or SERVER. Most of the input methods have a second param that enables running the data through xss_clean(). Example: $this->input->post('some_data', TRUE); Will get the value of $_POST['some_data']and run it through xss_clean(). If the second param is FALSE (or omitted) xss_clean() will not be used.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 angular项目错误
  • ¥20 需要帮我远程操控一下,运行一下我的那个代码,我觉得我无能为力了
  • ¥20 有偿:在ubuntu上安装arduino以及其常用库文件。
  • ¥15 请问用arcgis处理一些数据和图形,通常里面有一个根据点划泰森多边形的命令,直接划的弊端是只能执行一个完整的边界,但是我们有时候会用到需要在有很多边界内利用点来执行划泰森多边形的命令
  • ¥30 在wave2foam中执行setWaveField时遇到了如下的浮点异常问题,请问该如何解决呢?
  • ¥750 关于一道数论方面的问题,求解答!(关键词-数学方法)
  • ¥200 csgo2的viewmatrix值是否还有别的获取方式
  • ¥15 Stable Diffusion,用Ebsynth utility在视频选帧图重绘,第一步报错,蒙版和帧图没法生成,怎么处理啊
  • ¥15 请把下列每一行代码完整地读懂并注释出来
  • ¥15 寻找公式识别开发,自动识别整页文档、图像公式的软件