Reputation: 1122
I've got a standard login form submitting data to a CodeIgniter function to do the authentication. Problem is, the data seems to be being stripped of HTML entities before it even hits the function. Now, correct me if I'm wrong, but I'd have thought that the parameters in config.php were just relevant to CodeIgniter functions, i.e. it would be relevant to $this->input->post, NOT $_POST. Either way, in my config.php I've got:
$config['global_xss_filtering'] = FALSE;
If I submit the form, the data that I'm submitting in the input fields is:
$_POST['username'] = 'user';
$_POST['password'] = 'password%100';
For reference, my form opening tag is:
<form method="POST" action="<?=site_url('/log-in')?>">
I've done the following function to test the data:
echo "<pre>";
print_r($_POST);
echo sha1('userpassword%100') . '<br />';
echo sha1($_POST['username'] . $_POST['password']) . '<br />';
echo sha1($this->input->post('username', FALSE) . $this->input->post('password', FALSE)) . '<br />';
echo "</pre>";
Which gives an output of:
Array
(
[username] => user
[password] => password0
)
ad45e6412dd3cec23e47bbb48c874cdcfd6d39e7
fa3279bde5d6aba9ed77c6e5b071ff8dde741b92
fa3279bde5d6aba9ed77c6e5b071ff8dde741b92
So the top hash is the one that is correct, but the actual data being passed through seems to strip out HTML entities, i.e. %10 from the password field: $_POST['password'] should be password%100, NOT password0.
Can anyone advise me on how to get the correct, un-escaped data?
Thanks in advance, Christian
Upvotes: 1
Views: 1844
Reputation: 1122
On line 568 of /system/core/Input.php, move the remove_invisible_characters function into the $this->_enable_xss === TRUE statement.
Previously:
// Remove control characters
$str = remove_invisible_characters($str);
// Should we filter the input data?
if ($this->_enable_xss === TRUE)
{
$str = $this->security->xss_clean($str);
}
Now:
// Should we filter the input data?
if ($this->_enable_xss === TRUE)
{
// Remove control characters
$str = remove_invisible_characters($str);
$str = $this->security->xss_clean($str);
}
Hope that helps some others!
Upvotes: 0
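To see the mechanism behind the fix above, here is an added example (not CodeIgniter's code and not the poster's) that re-implements the remove_invisible_characters() logic from CodeIgniter 2.x's common.php as a stand-alone script, runs it over constructed sample values, and adds a small check a login handler could use to detect that a submitted password would be altered before it is hashed. The helper names and the sample values are assumptions.

```php
<?php
// Added example, not CodeIgniter's own file: a stand-alone re-implementation of
// the remove_invisible_characters() logic in CodeIgniter 2.x common.php, which
// Input.php applies to every $_POST value before xss_clean() is even considered.
function ci_remove_invisible_characters($str, $url_encoded = TRUE)
{
    $non_displayables = array();
    // Every control character except tab (09), newline (10) and carriage return (13)
    if ($url_encoded) {
        $non_displayables[] = '/%0[0-8bcef]/';  // URL-encoded 00-08, 11, 12, 14, 15
        $non_displayables[] = '/%1[0-9a-f]/';   // URL-encoded 16-31
    }
    $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // raw 00-08, 11, 12, 14-31, 127
    // Repeat until a pass removes nothing, so a nested escape like "%%1010"
    // cannot survive as "%10" after a single pass
    do {
        $str = preg_replace($non_displayables, '', $str, -1, $count);
    } while ($count);
    return $str;
}

// Defensive check (hypothetical helper): does the filter change this value at all?
// A login handler that hashes credentials should know when the hash is being
// computed over something other than what the user actually typed, and can then
// reject the value (or read the raw body) instead of silently storing a wrong hash.
function password_altered_by_filter($raw)
{
    return ci_remove_invisible_characters($raw) !== $raw;
}

// Constructed sample values: the page's "password%100" plus a few edge cases
$samples = array(
    'password%100',   // %10 is URL-encoded 0x10, inside the 16-31 control range
    'pass%20word',    // %20 is a space, not a control character
    '%%1010',         // nested escape, exercises the do/while loop
    '%1A',            // uppercase hex digits: the patterns above are case-sensitive
    "bell\x07ring",   // a raw control byte, caught by the third pattern
);
foreach ($samples as $raw) {
    printf("%-16s -> %-16s altered: %s\n",
        json_encode($raw),
        json_encode(ci_remove_invisible_characters($raw)),
        password_altered_by_filter($raw) ? 'yes' : 'no');
}
```

Run it with `php example.php`; the first sample reproduces the password0 result from the question, and the check tells you which of the others the framework would have changed before your hashing code saw them.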
Reputation: 8012
I have also faced almost the same problem, and in that case I used the $_REQUEST method and it works for me. Please try this; hopefully it will help you.
Upvotes: 6