CodeIgniter输入过滤 [英] CodeIgniter input filtering

问题描述

我正在一个图书列表网站，并遇到了codeigniter的xss过滤的问题。提交表单以创建商家信息时，包含Javascript：的任何标题都将替换为[REMOVED]。我试着从POST数组访问数据，像这样：

I am working on a book listing website and have run into a problem with codeigniter's xss filtering. When the form is submitted to create a listing, any title that includes "Javascript:" gets replaced with "[REMOVED]". I have tried accessing the data from the POST array like this:

$title = $_POST['title'];

以避免使用Input类，但仍然以某种方式被过滤。是否有任何方法，不涉及将global_xss_filtering关闭？

to avoid using the Input class but it is still somehow getting filtered. Is there any way around this that does not involve turning global_xss_filtering off?

推荐答案

围绕这一点，不涉及关闭global_xss_filtering？

Is there any way around this that does not involve turning global_xss_filtering off?

不，对不起。你必须关闭它，因为它在CI的执行早期改变原始的post数据。

Nope, sorry. You have to turn it off because it alters the raw post data early in CI's execution.

我可以关于正确使用xss过滤器5页，但我请尝试保持简洁：

I could rant for 5 pages about the proper use of the xss filter, but I'll try and keep it concise:

• 过滤输出，不输入


• 始终保持上下文并适当转义（这是HTML？SQL？javascript？文本文件？）


• 全局过滤器是一个安全毯。

• Filter output, not input
• Always keep the context in mind and escape appropriately (is this HTML? SQL? javascript? text file?)
• The global filter is a security blanket. You can remove it once you know what you're doing.

这里只是众多悲剧性例子之一，为什么全局XSS过滤器是一个坏主意：

Here's just one of many tragic examples of why the global XSS filter is a bad idea:

• 用户注册一个帐户，并将密码设置为 document.write123


• 您处理密码，最后散列字符串 [removed] 123



• 现在，用户可以使用以下任一密码登录，因为这些密码也将被过滤器转换为 [removed] 123 您将其哈希以验证：

• A user signs up for an account, and sets his password to document.write123
• You process the password, and end up hashing the string [removed]123

• Now, the user can log in with any of the following passwords, because those will also get turned into [removed]123 by the filter before you hash them to validate:

• < script> 123


• document.write123


• document.cookie123


• etcetera ...

• <script>123
• document.write123
• document.cookie123
• etcetera...

不应发生。用户不应该能够使用多个密码登录（除非按照设计...我想是）。

That shouldn't happen. A user shouldn't be able to log in with multiple passwords (unless it's by design... I suppose).

此外，好运可以节省您的任何博客文章使用< iframe> s ...例如YouTube视频。

Also, good luck saving any of your blog posts that use <iframe>s... YouTube videos for example.

这篇关于CodeIgniter输入过滤的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！