I think I found a problem with the xss_clean function. In this code section (Security.php):
    if (stripos($str, '%') !== false) {
        do {
            $oldstr = $str;
            $str = rawurldecode($str);
            $str = preg_replace_callback('#%(?:\s*[0-9a-f]){2,}#i', [$this, '_urldecodespaces'], $str);
        } while ($oldstr !== $str);
        unset($oldstr);
    }
I have an input text, and I send the following string via POST: "60% acqua". If you try to encode it as UTF-8, the result is "60¬qua", because the blanks are removed and utf8_encode finds "%ac" and converts it into "¬". The issue appears whenever a sequence of chars identifies an ASCII code (for example, "90% cars" is converted into "90Êrs").
I have changed `if (stripos($str, '%') !== false) {` to `if (preg_match('~%[0-9A-F]{2}~i', $str) > 0) {` to check whether the string is URL-encoded. It works, but I'm not 100% sure that it is correct.