el_pup_le

Reputation: 12189

CodeIgniter URL security

Are URI/URLs escaped in CI when used like so?

function foo($url_arg)            // $url_arg arrives as a URI segment
{
    $this->input->get('foo');     // 'foo' is read from the GET array
}

Upvotes: 0

Views: 779

Answers (2)

amit pandey

Reputation: 11

You can enable csrf protection by opening your application/config/config.php file and setting this:

$config['csrf_protection'] = TRUE;

Upvotes: 1

Colin Brock

Reputation: 21575

Your example contains 2 different types of inputs - a URI segment (the argument passed to foo()) and a GET array item named foo.

The URI class contains a private method called _filter_uri that, as you may have guessed, takes care of filtering the URI. First, it will check the $config['permitted_uri_chars'] item located in config.php and remove any character not defined there. Regardless of what is defined there, however, it will also do the following:

// Convert programmatic characters to entities
$bad  = array('$', '(', ')', '%28', '%29');
$good = array('&#36;', '&#40;', '&#41;', '&#40;', '&#41;');
return str_replace($bad, $good, $str);

Check out the URI class source for more information.

Regarding the GET array item, if $config['allow_get_array'] (again, located in config.php) is set to FALSE, the GET array will be completely destroyed. $this->input->get('foo'), by default, permits "only alpha-numeric (and a few other) characters". If a 2nd parameter of TRUE is included, CodeIgniter will run the value(s) through its XSS filter.

Upvotes: 3
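The two steps the answer above describes (the permitted_uri_chars whitelist, then the entity conversion of programmatic characters) as a standalone illustration. This is added example code, not CodeIgniter's own source; the $permitted_uri_chars value is assumed to match the CodeIgniter 2.x-era default in application/config/config.php, and an InvalidArgumentException stands in for the framework's show_error() response, which is what the real method raises when a segment fails the whitelist. Running it shows that with the default whitelist only the %28/%29 conversion can ever fire, because a raw '$', '(' or ')' is already rejected by the first check.

```php
<?php
// Added standalone illustration; not CodeIgniter's own code.
// Assumed: mirrors the default $config['permitted_uri_chars'] value.
$permitted_uri_chars = 'a-z 0-9~%.:_\-';

// Step 1: whitelist check. The character class is built from the config
// string, so any character outside it makes the whole segment fail.
function uri_segment_allowed($segment, $permitted_uri_chars)
{
    if ($segment === '' || $permitted_uri_chars === '') {
        return TRUE;
    }
    // preg_quote() escapes '-' with the chosen delimiter; unescape it again so
    // ranges such as a-z inside the class keep working.
    $class = str_replace(array('\\-', '\-'), '-', preg_quote($permitted_uri_chars, '-'));
    return (bool) preg_match('|^[' . $class . ']+$|i', $segment);
}

// Step 2: convert characters that could be interpreted programmatically
// (and their URL-encoded forms) into HTML entities.
function uri_escape_programmatic($segment)
{
    $bad  = array('$', '(', ')', '%28', '%29');
    $good = array('&#36;', '&#40;', '&#41;', '&#40;', '&#41;');
    return str_replace($bad, $good, $segment);
}

function filter_uri_segment($segment, $permitted_uri_chars)
{
    if ( ! uri_segment_allowed($segment, $permitted_uri_chars)) {
        // The framework answers with show_error(..., 400) here.
        throw new InvalidArgumentException('The URI you submitted has disallowed characters.');
    }
    return uri_escape_programmatic($segment);
}

// Constructed sample segments (not from the original post).
$samples = array(
    'user_42',          // passes unchanged
    'price%28usd%29',   // passes; encoded parentheses become &#40; and &#41;
    'name<script>',     // '<' and '>' are outside the whitelist: rejected
    'a$b',              // '$' is outside the default whitelist: rejected before conversion
);

foreach ($samples as $s) {
    try {
        printf("%-16s -> %s\n", $s, filter_uri_segment($s, $permitted_uri_chars));
    } catch (InvalidArgumentException $e) {
        printf("%-16s -> rejected: %s\n", $s, $e->getMessage());
    }
}
```

The second sample is the interesting one for the question: 'price%28usd%29' survives the whitelist because '%', letters and digits are all permitted, and is returned as price&#40;usd&#41;, so a controller that echoes the segment into a page gets entity-encoded parentheses rather than raw ones. Loosening permitted_uri_chars (or emptying it, which disables the first check entirely) is what makes the '$', '(' and ')' conversions start to matter.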
