Multiple possible XSS vulnerabilities #2010
Hello. Thank you for the warning. The sanitization is done by the framework. Were you able to inject a script?
Thank you for your response. The default configuration in CodeIgniter after running the composer doesn't do the sanitization. So after running the command:

```php
/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
| WARNING: This feature is DEPRECATED and currently available only
| for backwards compatibility purposes!
|
*/
$config['global_xss_filtering'] = FALSE;
```

Thus, if the developer runs the composer and then uses the application without changing the configuration, he will face many XSS vulnerabilities in the application. The other option is to force the sanitization to be applied at the input. Post in CI:

```php
$this->input->post('key', TRUE);  // XSS Clean
$this->input->post('key', FALSE); // No XSS filter
```

Finally, CodeIgniter mentions that Global XSS Filtering is DEPRECATED and it is better to apply the sanitization at the output, not the input. XSS filtering in CI
Hello. If you agree with me that if the user runs the composer then the XSS filter configuration will be FALSE.
This issue is stale because it has been open for 30 days with no activity. Remove the label or this comment, or this issue will be closed in 5 days.
Hello,
I would like to report some XSS vulnerabilities.
For example,
'telefone' is saved in the DB, then it is retrieved and printed in the view.
In file mapos-master\application\controllers\Clientes.php
In file mapos-master\application\controllers\Relatorios.php
In file
Another example,
In file mapos-master\application\views\arquivos\arquivos.php
If you agree with the vulnerabilities, I will report the other vulnerabilities.
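The following is an added example and not code from mapos or from the reporter. It illustrates both points raised in this thread: the `telefone` value that is stored in the DB and later printed in a view, and the comment above that CodeIgniter 3's global XSS filter is deprecated and that sanitization belongs at the output. The script runs without the framework; the stored value is a constructed sample, and `render_unsafe`, `render_safe` and `render_input` are hypothetical stand-ins for the view code.

```php
<?php
// Added example (not mapos code): escape stored data at the output boundary.
// Simulates the flow described in the issue: 'telefone' is saved in the DB,
// retrieved, and printed in a view. Nothing here depends on CodeIgniter.

declare(strict_types=1);

// Constructed sample: what a client record could contain when
// global_xss_filtering is FALSE and the controller stores
// $this->input->post('telefone') without any filtering.
$storedTelefone = '"><script>alert(document.cookie)</script>';

// Vulnerable view pattern: the stored value is echoed as-is into HTML.
function render_unsafe(string $telefone): string
{
    return '<td>' . $telefone . '</td>';
}

// Hardened: escape when rendering, regardless of how the value got into
// the DB. CodeIgniter 3's html_escape() helper wraps htmlspecialchars()
// with ENT_QUOTES and the configured charset; plain htmlspecialchars() is
// used here so the script runs without the framework.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Text-node context (table cell, paragraph).
function render_safe(string $telefone): string
{
    return '<td>' . esc($telefone) . '</td>';
}

// Attribute context: same escaping, and the attribute must stay quoted,
// otherwise a space in the value would still break out of it.
function render_input(string $telefone): string
{
    return '<input type="text" name="telefone" value="' . esc($telefone) . '">';
}

echo "Unsafe: " . render_unsafe($storedTelefone) . PHP_EOL;
echo "Safe:   " . render_safe($storedTelefone) . PHP_EOL;
echo "Input:  " . render_input($storedTelefone) . PHP_EOL;

// Self-check: no raw tag survives in the hardened output.
assert(strpos(render_safe($storedTelefone), '<script') === false);
assert(strpos(render_input($storedTelefone), '"><') === false);
```

Escaping at output also covers rows that were written before any input filter was enabled, or that arrive through a path other than a form post, which is the practical reason the framework documentation points away from `global_xss_filtering` and `xss_clean()` at the input side.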