Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
security issue?
  • nakpnakp
    Ok, this is my second day using FuelPHP, I come from codeigniter (as many) searching for a framework that suits my taste (more than my needs) And I tried something that in CI would not happen (unless you touch the config) I have a controller, and a method recieves something, lets say
    public function action_world($name = '') {
  $this->response->body($name);
 }

    But see what happens if as $name I recieve something between h1 tags like: <h1>Tomas</h1> It won't clean anything, I tried echoing Security::xss_clena($name) and I always get the same thing (not working even with script tag) so here is the problem, in CI you have some chars that are "whitelisted" and IMHO you should do the same, maybe I'm missing something but I don't think so, I checked the config.php file and everything is ok :) htmlentities is set for uri_filter
    BTW I've tried DooPHP also and I like you both :) something that they do better than you is commenting every function of the framework, you can build an api browser with phpdoc util, as suggestion, maybe you should change request/response tipe from object to the right class so we can use code hinting features on IDE's rather than reading the docs online, and also use phpdoc in those classes as they are missing it
  • Jelmer SchreuderJelmer Schreuder
    We use only output encoding by default which is done by views (check the docs), the output you add to the body should already be cleaned and not need any further cleaning. XSS cleaning cleans up unwanted javascripts and other dangerous stuff, it will not clean out HTML markup. If you prefer input filtering over output filtering: find and configure the settings in app/config/config.php - but output encoding through Views will remain the default.
  • nakpnakp
    Ok, I tried with config 'input_filter' => array('htmlentities') but doesn't filter anything, I just though that uri_filter actually had to solve this 'uri_filter' => array('htmlentities')
  • Jelmer SchreuderJelmer Schreuder
    You're right, I checked and Security::clean_uri() isn't called anywhere - must have gotten lost during the routing rewrite. We'll look into this ASAP!
  • Jelmer SchreuderJelmer Schreuder
    Dan fixed it
  • nakpnakp
    this is great! really! I'm happy to see how fast it was updated :) some other projects don't take too serious about security... I remember opencart, joomla and... well xD long story Thank you!
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion