FuelPHP Forums
security issue?
  • Ok, this is my second day using FuelPHP, I come from CodeIgniter (as many) searching for a framework that suits my taste (more than my needs). And I tried something that in CI would not happen (unless you touch the config). I have a controller, and a method receives something, let's say
    // Controller action: $name comes straight from the URI segment
    public function action_world($name = '')
    {
        $this->response->body($name);
    }


    But see what happens if as $name I receive something between h1 tags like: <h1>Tomas</h1>. It won't clean anything; I tried echoing Security::xss_clean($name) and I always get the same thing (not working even with script tag). So here is the problem: in CI you have some chars that are "whitelisted" and IMHO you should do the same. Maybe I'm missing something but I don't think so; I checked the config.php file and everything is ok :) htmlentities is set for uri_filter.
    BTW I've tried DooPHP also and I like you both :) Something that they do better than you is commenting every function of the framework, so you can build an API browser with the phpdoc util. As a suggestion, maybe you should change the request/response type from object to the right class so we can use code hinting features in IDEs rather than reading the docs online, and also use phpdoc in those classes as they are missing it.
  • We use only output encoding by default which is done by views (check the docs), the output you add to the body should already be cleaned and not need any further cleaning. XSS cleaning cleans up unwanted javascripts and other dangerous stuff, it will not clean out HTML markup. If you prefer input filtering over output filtering: find and configure the settings in app/config/config.php - but output encoding through Views will remain the default.
  • Ok, I tried with config 'input_filter' => array('htmlentities') but it doesn't filter anything. I just thought that uri_filter actually had to solve this: 'uri_filter' => array('htmlentities')
  • You're right, I checked and Security::clean_uri() isn't called anywhere - must have gotten lost during the routing rewrite. We'll look into this ASAP!
  • This is great! Really! I'm happy to see how fast it was updated :) Some other projects aren't too serious about security... I remember OpenCart, Joomla and... well xD long story. Thank you!
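The two defences the thread contrasts, as an added illustration that is not part of the original posts and not FuelPHP's own code: a uri_filter-style pass over incoming segments (the shape of the 'uri_filter' => array('htmlentities') config, applied only if something like Security::clean_uri() actually runs) versus output encoding at render time, which is what Views do by default. The function names apply_uri_filters, encode_for_html and the two action_world_* variants are illustrative, not FuelPHP API.

```php
<?php
// Added example (not FuelPHP code). Shows why an XSS filter that only strips
// scripts leaves <h1> markup alone, and how each of the two defences discussed
// in the thread neutralises the same input on its own.

// Mirror of 'uri_filter' => array('htmlentities'): every entry is a callable
// applied to each URI segment before it reaches the controller.
function apply_uri_filters(array $segments, array $filters): array
{
    foreach ($filters as $filter) {
        $segments = array_map($filter, $segments);
    }
    return $segments;
}

// Output encoding at render time (what the Views do by default). ENT_QUOTES
// and an explicit charset also cover values dropped into attribute context.
function encode_for_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// The controller from the question as a plain function: $name goes into the
// response body untouched, so any markup in the segment is rendered as HTML.
function action_world_unencoded(string $name): string
{
    return $name;
}

// Hardened variant: the body is encoded regardless of how the input arrived.
function action_world_encoded(string $name): string
{
    return encode_for_html($name);
}

// Constructed sample segments: the <h1> case from the question plus a script tag.
$segments = ['hello', 'world', '<h1>Tomas</h1>', '<script>alert(1)</script>'];

// 1. No filtering anywhere: the behaviour reported in the thread.
echo action_world_unencoded($segments[2]), "\n";

// 2. Input filtering via uri_filter, once clean_uri() is actually called.
$filtered = apply_uri_filters($segments, ['htmlentities']);
echo action_world_unencoded($filtered[2]), "\n";

// 3. Output encoding in the view, independent of any input filtering.
echo action_world_encoded($segments[3]), "\n";
```

Run with `php` on the command line; the first line prints raw markup while the second and third print entity-encoded text that a browser displays literally.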
