Avoiding sanitizing of the POST data. #1136

stpetr opened this Issue · 6 comments

6 participants


Unfortunately, there is no way to avoid the sanitizing of POST data, which is desperately needed. In my app, when a user sets a password which includes a "%00" substring (or something like that), e.g. "foo%00bar", I can see only the "foobar" string in my model. I think it's because of the _sanitize_globals function which is called in the Input constructor.


It is within _sanitize_globals, more specifically within remove_invisible_chars. Can anyone confirm this is intended behaviour? It also seems to be wrapped in a function_exists check, so it could possibly be overwritten in scenarios like this?


I believe that the bug is in the function "_clean_input_data($str)". The bug is this line:

// Remove control characters
$str = remove_invisible_characters($str);

It should be:

// Remove control characters
$str = remove_invisible_characters($str, false);

The $_POST, $_GET, and $_COOKIE variables are not urlencoded, but remove_invisible_characters assumes that they are and will remove character sequences such as "%00" unless the url_encoded parameter is set to false.

Because the $_REQUEST variables are not cleaned, you can use $_REQUEST in place of $_POST.


Duplicate of #346.

@narfbg narfbg closed this

I don't think this is really a duplicate of #346. This issue exists even when global XSS filtering is turned off. The constructor for the Input class unconditionally calls _sanitize_globals, which unconditionally calls _clean_input_data on each $_POST value, which unconditionally calls remove_invisible_characters with $url_encoded = true. As OP points out, this makes it impossible to submit a string in a form that contains "%00" or anything like this. This is clearly incorrect behaviour.
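To make the call chain described in the two comments above concrete, here is an added, stand-alone example; it is not CodeIgniter's own code. strip_invisible() is a model of remove_invisible_characters() as this thread describes it (the regexes and the loop are an assumption for illustration; check system/core/Common.php in your version), $post is a constructed stand-in for the already URL-decoded $_POST array, and the password_hash/password_verify calls show why a mangled password is a security problem rather than a cosmetic one.

```php
<?php
// Added example, not CodeIgniter's code. strip_invisible() models
// remove_invisible_characters() as described in this thread: with
// $url_encoded = true it also strips the literal text "%00" etc.
// The exact regexes are an assumption made for illustration.
function strip_invisible($str, $url_encoded = true)
{
    $patterns = array();
    if ($url_encoded) {
        // URL-encoded control characters: %00-%08, %0B, %0C, %0E, %0F, %10-%1F
        $patterns[] = '/%0[0-8bcef]/i';
        $patterns[] = '/%1[0-9a-f]/i';
    }
    // Raw control bytes, except tab (0x09), LF (0x0A) and CR (0x0D).
    $patterns[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';

    // Repeat until nothing changes: a single pass would turn "%0%000"
    // into "%00", i.e. the filter could be bypassed by nesting.
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count);

    return $str;
}

// Constructed stand-in for $_POST. PHP has already URL-decoded the body,
// so the literal text "%00" here is exactly what the user typed; it is
// not an encoded NUL byte.
$post = array('username' => 'alice', 'password' => 'foo%00bar');

// What _clean_input_data() effectively does today (url_encoded defaults
// to true) versus the fix proposed in the thread (pass false).
$cleaned_default = strip_invisible($post['password']);
$cleaned_fixed   = strip_invisible($post['password'], false);

// Consequence for passwords: the hash is computed over the mangled value,
// so "foo%00bar" and "foobar" become the same credential. Requires PHP 5.5+.
$hash     = password_hash($cleaned_default, PASSWORD_DEFAULT);
$collides = password_verify('foobar', $hash);

// Caveat: with $url_encoded = false a real NUL byte is still removed;
// only the percent-encoded text survives.
$raw_nul = strip_invisible("foo\x00bar", false);

// Nested encoding, to show why the do/while loop exists.
$nested = strip_invisible('%0%000');

printf("default  : %s\n", $cleaned_default);
printf("fixed    : %s\n", $cleaned_fixed);
printf("collides : %s\n", $collides ? 'yes' : 'no');
printf("raw NUL  : %s\n", $raw_nul);
printf("nested   : [%s]\n", $nested);
```

Run with the PHP CLI (php example.php). The default path prints foobar and the fixed path foo%00bar; password_verify() accepts the plain "foobar" against the hash made from the mangled value, which is the real reason the unconditional call matters for passwords, and the nested input ends up empty rather than as "%00". Note that the fix only preserves the percent-encoded text the user actually typed; raw control bytes are still stripped in both modes.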


I agree, you should be able to disable this, especially for things like passwords


Sorry, it was a duplicate of #148 instead - just fixed it.

@narfbg narfbg referenced this issue in benedmunds/CodeIgniter-Ion-Auth

Edit User fails to update Groups in Codeigniter 3 #683
