Codeigniter: Submit textarea with <script> inside


Question

As I've no idea where to search for this - perhaps somebody here can help me.

I need the user to add something like this in a textarea:

<script> var foo  bar; </script> 
<script type="text/javascript" src="http://foobar.de/mylist.js"></script>

But Codeigniter seems to have an in-built code-injection protection - so all I get after submission is:

[removed] var foo  bar; [removed] 
[removed][removed]

How could I change this? I know it's insecure, but I need to parse the URL out.

As an alternative I need a jQuery function to parse this URL out.... and I'm not very familiar with regex. ^^

My PHP parser for this looks like this (copied from somewhere ^^):

$reg_exUrl = '/\b(?:(?:https?|ftp|file):\/\/|www\.|ftp\.)[-A-Z0-9+&@#\/%=~_|$?!:,.]*[A-Z0-9+&@#\/%=~_|$]/i';
if (preg_match($reg_exUrl, $_POST['code'], $matches)) {
        $jsUrl = $matches[0];
}

Recommended answer

@Gavin's comment works fine. It may be that you're not seeing it because the script tags will make it invisible (in the event you are trying to echo or print the result).

function index()
{
    echo form_open();
    echo form_textarea('test');
    echo form_submit('', 'Submit');
    echo form_close();

    if($this->input->post())
    {
        echo "<pre>";

        // Escape '<' so the raw script tags are visible in the page instead of being executed.
        // The second argument (false) means "do not run the XSS filter on this field".
        $textified = str_replace('<', '&lt;', $this->input->post('test', false));
        echo "textified string = $textified <br><br>";

        // find URL. Regex from http://stackoverflow.com/a/2721152/183254
        preg_match_all('/\b(?:(?:https?):\/\/|www\.|ftp\.)[-A-Z0-9+&@#\/%=~_|$?!:,.]*[A-Z0-9+&@#\/%=~_|$]/i', $textified, $result, PREG_PATTERN_ORDER);

        // Guard against an empty match set, otherwise $result[0][0] raises an undefined index notice.
        if (!empty($result[0]))
        {
            echo "URL in textified string: " . $result[0][0];
        }
        else
        {
            echo "No URL found in textified string";
        }

        echo "</pre>";
    }
}


It seems that the above is dependent on $config['global_xss_filtering'] = FALSE; being set. When $config['global_xss_filtering'] = TRUE;, all fields are filtered no matter what and there is no way to have selective fields not go through the filter. As such, the above won't work if it's set to TRUE as it seems to be in your case.

The default for $this->input->post() is for XSS filtering to be false, so the false in the example above is redundant as well.

It seems the only way to do it is to leave $config['global_xss_filtering'] = FALSE; and set $this->input->post('filtered_item', true); on all input fields where you do want XSS filtering, and use just $this->input->post('unfiltered_item'); for fields where you need the script tags.

http://ellislab.com/forums/viewthread/182774/#871558
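The question asks for a way to pull the script URL out of the pasted text (a PHP regex, or failing that a jQuery function), and the answer extracts it server-side after switching the XSS filter off for that one field. The following is an added example, not code from either post: it parses the src attribute out of the <script> tags on the client before the form is submitted, so only the URL is ever posted and the XSS filter never sees a script tag, and it then validates that URL against a host allowlist. The function names, the allowlist (foobar.de, taken from the sample input) and the sample textarea content are assumptions made for this example.

```javascript
// Added example (not from the original question or answer): extract the
// src="..." URL from pasted <script> tags and validate it before submission.
// Assumed allowlist of hosts a script may be loaded from (foobar.de comes from
// the sample input in the question).
const ALLOWED_HOSTS = ['foobar.de'];

// Matches the src attribute of a <script> tag, tolerating quote style and
// attribute order. Group 2 is the URL.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;

// Same URL pattern as the PHP parser in the question, limited to http(s)/www.
const URL_RE = /\b(?:https?:\/\/|www\.)[-A-Z0-9+&@#\/%=~_|$?!:,.]*[A-Z0-9+&@#\/%=~_|$]/gi;

// Return every src value found in <script ... src="..."> tags.
function extractScriptSrcs(text) {
  return Array.from(text.matchAll(SCRIPT_SRC_RE), (m) => m[2]);
}

// Return every bare URL in the text (the regex approach the question used).
function extractUrls(text) {
  return Array.from(text.matchAll(URL_RE), (m) => m[0]);
}

// Accept only http(s) URLs on an allowlisted host that point at a .js file.
// Returns the normalised URL, or null when the value must be rejected.
function validateScriptUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // relative paths, javascript: without a host, garbage
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!allowedHosts.includes(url.hostname.toLowerCase())) return null;
  if (!url.pathname.endsWith('.js')) return null;
  return url.href;
}

// Parse a textarea value into the raw src values found and the subset that
// passed validation. In a browser this would be fed from the textarea's
// value (e.g. $('#code').val()) and only `valid` would be submitted.
function parseTextarea(text, allowedHosts = ALLOWED_HOSTS) {
  const srcs = extractScriptSrcs(text);
  const valid = srcs
    .map((s) => validateScriptUrl(s, allowedHosts))
    .filter((u) => u !== null);
  return { srcs, valid };
}

// Constructed sample: the textarea content from the question.
const SAMPLE =
  '<script> var foo  bar; </script>\n' +
  '<script type="text/javascript" src="http://foobar.de/mylist.js"></script>';

console.log(parseTextarea(SAMPLE));
// { srcs: ['http://foobar.de/mylist.js'], valid: ['http://foobar.de/mylist.js'] }
```

Client-side extraction is only a convenience for the user; anything in a POST body can be forged, so the server has to repeat the same validation (scheme, host allowlist, path) on the submitted URL before storing it or emitting it into a page. Doing it this way also means the field that is posted contains a plain URL, so global_xss_filtering can stay on for every field.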
