nealpoole.com - Neal Poole

Description: My name is Neal Poole. I'm interested in web application security.

The CodeIgniter framework contains a function, xss_clean(), which is intended to filter out potential XSS attacks. From the CodeIgniter documentation:

The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

I identified a form of malicious input that would bypass the xss_clean() filtering, allowing for arbitrary JavaScript to be executed. The vulnerability has been patched in CodeIgniter 2.1.4. Any developers relying on xss_clean() as a form of protection should upgrade their application to the latest version of the framework. Note also what kind of defence xss_clean() is: it recognises known attack patterns and entity-encodes them, so any pattern it does not anticipate passes through untouched. Contextual output encoding at the point where data is written into a page (for HTML text, htmlspecialchars() with ENT_QUOTES) does not depend on recognising attacks and should remain the primary defence, with an input filter such as xss_clean() as a secondary layer at most.
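To make the structural point concrete, here is an added example in PHP (the language CodeIgniter is written in); it is not code from this post or from the CodeIgniter project. toy_xss_clean() is a deliberately small blacklist filter constructed for this illustration, not CodeIgniter's xss_clean(), and the input that slips past it is not the bypass reported above, which is not reproduced here. encode_for_html() is the contextual output-encoding alternative; the sample inputs are constructed.

```php
<?php
// Added example, not code from nealpoole.com or from CodeIgniter.
// toy_xss_clean() is a constructed blacklist filter that stands in for the
// general approach of "recognise attack tokens and entity-encode them". It is
// NOT CodeIgniter's xss_clean(), and the input that evades it below is NOT the
// bypass the post describes; it only shows why such filters are brittle.

// Toy blacklist: entity-encode a few well-known attack tokens.
function toy_xss_clean(string $str): string
{
    $patterns = [
        '/<script/i'                     => '&lt;script',
        '/javascript\s*:/i'              => 'javascript&#58;',
        '/\bon(load|error|click)\s*=/i'  => 'on$1&#61;',
    ];
    return preg_replace(array_keys($patterns), array_values($patterns), $str);
}

// Contextual output encoding for an HTML text node or quoted attribute value.
// Every character with meaning in that context (& < > " ') becomes an entity,
// so the browser cannot interpret the value as markup, whatever it contains.
// Other contexts (JavaScript strings, URLs, CSS) need their own encoders.
function encode_for_html(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs. The first is caught by the toy blacklist; the second uses
// an event handler the blacklist does not list, so it passes through unchanged,
// while output encoding neutralises both without needing to recognise either.
$inputs = [
    '<script>alert(1)</script>',
    '<img src=x onmouseover=alert(1)>',
];

foreach ($inputs as $input) {
    printf("input:     %s\n", $input);
    printf("blacklist: %s\n", toy_xss_clean($input));
    printf("encoded:   %s\n", encode_for_html($input));
    echo "\n";
}
```

Run it with `php example.php`. The second input comes back from toy_xss_clean() byte-for-byte unchanged, which is the failure mode of any pattern-based filter: its safety is bounded by the list of patterns it knows. encode_for_html() has no such list, which is why output encoding in the correct context is the defence to rely on and an input filter at most a supplementary one.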
