Hey guys, I'm blind here...

I'm sending data to the controller to be processed... It works... except when I send two types of words... they are <script> and <scripting>

Example:

Input 1: <javascript>
Input 2: <js>

click SUBMIT (returns no problem)

Array
(

    [answers] => Array
        (
            [0] => Array
                (
                    [answer] => <javascript>
                    [points_answer] => 0
                )

            [1] => Array
                (
                    [answer] => <js>
                    [points_answer] => 0
                )

        )

)

Now when I add:
Example:

Input 1: <javascript>
Input 2: <js>
Input 3: <script> or <scripting>

Click Submit: AND BLANK! I try error reporting, var_dump, bla bla bla... NOTHING shows up, unless I remove <script> or <scripting> from the input and submit again... no issue...

I'm reading the info like this:

for ($y = $new_awnser; $y <= $answers_count; $y++) {
    $answer[] = array(
        'answer' => htmlentities($_POST['answer'][$y]),
        'points_answer' => $_POST['points'][$y]
    );
}

The post does send data:

quizname	JavaScript Quiz
description	Test your Javascript knowledge
file_upload	
image	1320671019-image3[1].png
id[]	32
name[]	dasdas
from[]	21
to[]	213
descriptionn[]	dasdsad
outcome_count	1
question[]	Inside which HTML element do we put the JavaScript?
answer[]	<javascript>
points[]	32
answer[]	fsdfsd
points[]	43
answer[]	<scripting>
points[]	42
answers_count[]	2
questions_count	0
publish	0

All 13 Replies

Are you sure XSS filtering is not enabled?

global_xss_filtering is False… by default…

No solution found…

Anyone with the system and a form, can you try submitting the word

<script>

or

<scripting>

and see if it gives you a blank page?

Thanks…

Tried in every form I have and it gives the same blank page… I thought it could be my code… but every single form, that's just a bit too much…

Check again. That sounds to me like XSS filtering is enabled. Can you post your code?

/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = FALSE;

and

var_dump($this->config->item("global_xss_filtering"));
exit;

result

bool(false)

When I put in a

<script> or <Scripting>

nothing shows! just blank...
Can you try and see if you have the same issue?

Thanks

Global might be off but you can specify it during sending. Please post your form code

Hmm.. after some research I found out it's not CI but the server that is blocking, assuming that it is cross-site scripting....

I have to somehow url_encode the post data in order to pass the info... Any ideas?

How will I encode the input of the user?

I have something like :

<?php
$attributes = array('class' => 'outcomes', 'id' => 'myform');
echo form_open_multipart('manage/quiz/step2', $attributes);
?>
<div id="accordion_tab3">
    <?php
    $questions_count = 0;
    $a = 1;
    foreach ($questions as $q) {
        $questions_count = $questions_count + 1;
        ?>
        <div class="questions_accord">
            <h3><a href="#" class="questionNumber">Question <?php echo $a; ?></a></h3>
            <div>
                <div id="stylized" class="myform">
                    <div id="fieldset_innerbox">
                        <label>Question
                            <span class="small"></span>
                        </label>
                        <input type="text" class="required" name="question[]" value="<?php echo $q['question']; ?>" size="50" />
                        <label>Add Answers
                            <span class="small"></span>
                        </label>
                        <div id="addNewA"><a href="" class="addNewAnswers" info="<?php echo $a-1; ?>">Add Another Answer</a></div>
                        <label>Answers - Points
                            <span class="small">Insert the Answers and Points</span>
                        </label>
                    </div>
                    <ul id="sortable" class="sort<?php echo $a-1; ?>">
                        <?php
                        $answers_count = 0;
                        foreach ($q["answer"] as $ans) {
                            ?>
                            <li class="ui-state-default apli">
                                <img src="<?php echo base_url(); ?>_assets/images/admin/arrow.png" alt="move" width="16" height="16" class="handle" />
                                <input type="text" class="required question1 question" name="answer[]" value="<?php echo $ans->answer; ?>" size="50" />
                                <input type="text" class="required points1 points" name="points[]" value="<?php echo $ans->points_answer; ?>" size="20" />
                                <img src="<?php echo base_url(); ?>_assets/images/admin/Delete.png" alt="delete" width="16" height="16" info="<?php echo $a-1; ?>" class="delete_handle" />
                            </li>
                            <?php
                            $answers_count = $answers_count + 1;
                        }
                        ?>
                    </ul>
                </div>
                <input type="hidden" name="answers_count[]" id="answers_count<?php echo $a-1; ?>" value="<?php echo $answers_count-1; ?>" />
                <a href="" class="removeQuestion"></a>
            </div>
        </div>
        <?php
        $a = $a + 1;
    }
    ?>
</div>
</form>

What exactly do you want to encode? There are examples in the following links

the user inputs

<script> or <scripting> or whatever triggers the XSS

this is what I have to encode... :S

Fixed...

Had to use JS before submit:

$('#myform').submit(function(e) {
    $('#tabs-3 :input').each(function() {
        var t = encodeURIComponent($(this).val().toString());
        $(this).val(t);
    });
});

and PHP to decode and store correctly in the DB

for ($y = $new_awnser; $y <= $answers_count; $y++) {
    //htmlentities(element($y, $this->input->post("answer", FALSE)))
    $answer[] = array(
        'answer' => htmlentities(urldecode($_POST['answer'][$y])),
        'points_answer' => $_POST['points'][$y]
    );
}
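The jQuery workaround above gets the submission past the host's request filter by hiding the literal `<script>` behind `encodeURIComponent()`, which means the application itself is now the only thing standing between that input and the browser. The PHP below is an added example, not the poster's code or CodeIgniter's, showing the server side of that arrangement: decode the one extra layer exactly once, keep the raw text for the database, validate `points[]` as an integer, and escape at the moment the value is rendered back into the form (instead of `htmlentities()` at storage time, which leaves an already-encoded value that would be double-encoded by any later escaping). Field names `answer[]` and `points[]` are taken from the thread; the sample `$_POST` array is constructed, and the loop bounds follow the thread's `answers_count` convention of `count - 1`.

```php
<?php
// Added example (not from the thread): server-side counterpart to a submit
// handler that ran encodeURIComponent() over every answer/points field.
declare(strict_types=1);

/**
 * Undo the single extra encoding layer added client-side.
 * PHP has already decoded the normal form encoding into $_POST, so one
 * rawurldecode() restores what the user typed. rawurldecode is used because
 * encodeURIComponent never emits "+" for a space, so a literal "+" the user
 * typed (sent as %2B) must not be turned into a space.
 */
function decode_submitted(array $values): array
{
    return array_map(
        function ($v): string { return rawurldecode((string) $v); },
        $values
    );
}

/**
 * Build the rows the controller stores. Raw text goes to the database;
 * escaping happens when the value is rendered, so a stored "<script>" is
 * shown back as text exactly once and is never interpreted as markup.
 */
function build_answers(array $post, int $first, int $last): array
{
    $answers = decode_submitted($post['answer'] ?? []);
    $points  = decode_submitted($post['points'] ?? []);
    $rows    = [];
    for ($y = $first; $y <= $last; $y++) {
        $validPoints = filter_var($points[$y] ?? '', FILTER_VALIDATE_INT);
        $rows[] = [
            'answer'        => $answers[$y] ?? '',
            // points must be an integer; anything else is stored as 0 rather than as-is
            'points_answer' => $validPoints === false ? 0 : $validPoints,
        ];
    }
    return $rows;
}

/** Escape a stored value for insertion into HTML text or a quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: what $_POST looks like after the client-side handler ran.
$samplePost = [
    'answer' => ['%3Cjavascript%3E', 'fsdfsd', '%3Cscript%3E'],
    'points' => ['32', '43', 'abc'],
];

$rows = build_answers($samplePost, 0, 2);
foreach ($rows as $row) {
    // $row['answer'] still holds the raw "<script>" for the database;
    // only the rendered copy is escaped, and ENT_QUOTES covers value="...".
    echo '<input type="text" name="answer[]" value="' . h($row['answer']) . '" />', "\n";
    echo '<input type="text" name="points[]" value="' . $row['points_answer'] . '" />', "\n";
}
```

The third sample answer renders as `value="&lt;script&gt;"` and the non-numeric `points[]` entry becomes `0`. Decoding must be applied only to fields the client handler actually encoded; a field that reaches the server unencoded but contains `%` would otherwise be corrupted, which is why the handler and this decoder should agree on the same set of inputs (`#tabs-3 :input` in the thread).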