0

Hey guys im blind here...

Im sending data to the controller to be processed... It works... except when a send two types of words... they are <script> and <scripting>

Example:

Input 1: <javascript>
Input 2: <js>

click SUBMIT (retuns no problem)

Array
(

    [answers] => Array
        (
            [0] => Array
                (
                    [answer] => <javascript>
                    [points_answer] => 0
                )

            [1] => Array
                (
                    [answer] => <js>
                    [points_answer] => 0
                )

        )

)

Now when I add:
Example:

Input 1: <javascript>
Input 2: <js>
Input 3: <script> or <scripting>

Click Submit : AND BLANK! I try error reporting, var_dump, bla bla bla... NOTHING shows up, unless I remove from the input <script> or <scripting> and submit again... no issue...

I reading the info like this :

for ($y = $new_awnser; $y <= $answers_count; $y++) {


                        $answer[] = array(
                            'answer' => htmlentities($_POST['answer'][$y]),
                            'points_answer' => $_POST['points'][$y]
                        );
                    }

THe post does send data:

quizname	JavaScript Quiz
description	Test your Javascript knowledge
file_upload	
image	1320671019-image3[1].png
id[]	32
name[]	dasdas
from[]	21
to[]	213
descriptionn[]	dasdsad
outcome_count	1
question[]	Inside which HTML element do we put the JavaScript?
answer[]	<javascript>
points[]	32
answer[]	fsdfsd
points[]	43
answer[]	<scripting>
points[]	42
answers_count[]	2
questions_count	0
publish	0
2
Contributors
13
Replies
14
Views
5 Years
Discussion Span
Last Post by Stefano Mtangoo
0

global_xss_filtering is False… by default…

No solution found…

Anyone with the system and a form can u try submiting the word

<script>

or

<scripting>

and see if it gives you a blank page?

Thanks…

Tried in every form I have and it gives the same blank page… I thougth it could be my code… but every single form, thats just a bit too much…

Edited by ALFA-FOXTROT: n/a

0

global_xss_filtering is False… by default…

No solution found…

Anyone with the system and a form can u try submiting the word

<script>

or

<scripting>

and see if it gives you a blank page?

Thanks…

Tried in every form I have and it gives the same blank page… I thougth it could be my code… but every single form, thats just a bit too much…

Check again. That sounds to me XSS filtering is enabled. can you post your code?

0
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = FALSE;

and

var_dump($this->config->item("global_xss_filtering"));
           exit;

result

bool(false)

When I put in a

<script> or <Scripting>

nothing shows! just blank...
Can you try and see if you have the same issue?

Thanks

0
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = FALSE;

and

var_dump($this->config->item("global_xss_filtering"));
           exit;

result

bool(false)

When I put in a

<script> or <Scripting>

nothing shows! just blank...
Can you try and see if you have the same issue?

Thanks

Global might be off but you can specify it during sending. Please post your form code

0

Hmm.. after soem reseacrh I found out it's not CI but the Server that is blocking assuming that is a CrossSite scripting....

I have to somehow url_encode the post data in order to pass the info... Any ideias?

0

How will I encode the input of the user?

I have something like :

<?php
$attributes = array('class' => 'outcomes', 'id' => 'myform');

echo form_open_multipart('manage/quiz/step2', $attributes);
?>
                           <div id="accordion_tab3">
                <?php
                $questions_count = 0;
                $a = 1;
                foreach ($questions as $q) {
                    $questions_count = $questions_count+1;
                    ?>
                    <div class="questions_accord">
                        <h3><a href="#" class="questionNumber">Question <?php echo $a; ?></a></h3>
                        <div>

                            <div id="stylized" class="myform">

                                <div id="fieldset_innerbox">


                                    <label>Question
                                        <span class="small"></span>
                                    </label>
                                    <input type="text"  class="required" name="question[]" value="<?php echo $q['question']; ?>" size="50" />
                                    <label>Add Anwsers
                                        <span class="small"></span>
                                    </label>
                                    <div id="addNewA"><a href="" class="addNewAnswers" info="<?php echo $a-1; ?>">Add Another Awnser</a></div>
                                    <label>Answers - Points
                                        <span class="small">Insert the Answers and Points</span>
                                    </label>
                                </div>
                                <ul id="sortable" class="sort<?php echo $a-1; ?>">
                                    <?php
                                    $answers_count = 0;
                                    foreach ($q["answer"] as $ans) {
                                        ?>
                                        <li class="ui-state-default apli" >
                                            <img src="<?php echo base_url(); ?>_assets/images/admin/arrow.png" alt="move" width="16" height="16" class="handle" />
                                            <input type="text"  class="required question1 question" name="answer[]" value="<?php echo $ans->answer; ?>" size="50" />
                                            <input type="text"  class="required points1 points" name="points[]" value="<?php echo $ans->points_answer; ?>" size="20" />
                                            <img src="<?php echo base_url(); ?>_assets/images/admin/Delete.png" alt="delete" width="16" height="16" info="<?php echo $a-1;?>" class="delete_handle" />
                                        </li>
                                        <?php
                                        $answers_count = $answers_count + 1;
                                    }
                                    ?>
                                </ul>
                            </div>
                            <input type="hidden" name="answers_count[]" id="answers_count<?php echo $a-1; ?>" value="<?php echo $answers_count-1; ?>"/>
                            <a href="" class="removeQuestion"></a>
                        </div>

                    </div>
                    <?php
                    $a = $a + 1;
                    
                }
                ?>
            </div>
</form>

Edited by ALFA-FOXTROT: n/a

0

the user inputs

<script> or <scripting> or whatever trigger the xss

this is what I have to encode... :S

0

Fixed...

Had to use JS before submit:

$('#myform').submit(function(e) {
        

            $('#tabs-3 :input').each(function() {
                var t = encodeURIComponent($(this).val().toString());
                $(this).val(t)
                   

            });

        });

and php to decode and stro correctly in DB

for ($y = $new_awnser; $y <= $answers_count; $y++) {

//htmlentities(element($y, $this->input->post("answer", FALSE)))
                        $answer[] = array(
                            'answer' => htmlentities(urldecode($_POST['answer'][$y])),
                            'points_answer' => $_POST['points'][$y]
                        );
                    }
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.