
FuelPHP Forums

Is there a CI $config['permitted_uri_chars'] analog in FuelPHP?
  • Hi!
    I've just fresh-installed FuelPHP and am trying the "hello" demo. I've noticed that if I GET http://server.local/hello/jack<b>haha</b> the output is secure and the HTML tags are encoded, but what if I want only 0-9a-zA-Z in the URL and nothing else? Is there something in Fuel like permitted_uri_chars in CodeIgniter?
  • WanWizard wrote on Tuesday 6th of December 2011:
    No, there is not. FuelPHP is a lot more flexible than that. In your config/config.php, in the 'security' section, there is an entry called 'uri_filter'. By default, it only contains htmlentities, but you can add anything that is callable, such as object or static class methods, or other PHP functions. You could add strip_tags to simply strip them, or write a custom class method that mimics CI's behaviour (i.e. use a regex, and throw an error if it doesn't match).

    The uri_filter mechanism is great. But I have a question about the default. Is FuelPHP's default uri_filter, htmlentities, really needed? If we output URI data in a view, FuelPHP's default output_filter escapes it.
    If we output URI data to email, the recipient would see something like "H& amp;M" (I intentionally added a space after &, because this forum can't handle HTML character references as they are), and that is not good.
    So I can't see the reason that htmlentities is needed in FuelPHP. Or, if we delete it in config.php, what risk do we take?
    P.S.
    Something is wrong with this forum in my Firefox. The page layout is a bit broken. I could not post a new topic. Added: I'm sorry. The New Topic button is below and works fine. I'll post a new topic.
  • No, because it doesn't add any security over the above and is thus useless. This way any such input as your example will 404 just like any other invalid input, which is preferable over any hard security error that Fuel would generate and would limit your ability to handle the problem.
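
WanWizard's suggestion of a custom class method that mimics CI's behaviour (a regex that throws when the URI does not match) could look like the sketch below. It is an added example, not code from this thread or from FuelPHP: the class `Uri_Whitelist`, its `check` method, the exception type and the `apply_uri_filters` stand-in are hypothetical, and it assumes the filter is handed the whole URI path as one string.

```php
<?php
// Added example. Hypothetical wiring in config/config.php, 'security' section:
//     'uri_filter' => array('Uri_Whitelist::check', 'htmlentities'),

class Uri_Whitelist
{
    // Segments of 0-9a-zA-Z separated by single slashes; an empty path is allowed.
    // \A and \z anchor the whole string ("$" would accept a trailing newline),
    // and the pattern has no nested quantifiers, so matching stays linear.
    const PATTERN = '#\A/?(?:[0-9a-zA-Z]+(?:/[0-9a-zA-Z]+)*/?)?\z#';

    /**
     * Return the URI unchanged when it matches the whitelist, otherwise throw.
     * The exception type is an assumption; the application decides how to report it.
     */
    public static function check($uri)
    {
        // preg_match() returns false on a PCRE error, so compare against 1 exactly.
        if (!is_string($uri) || preg_match(self::PATTERN, $uri) !== 1) {
            throw new \InvalidArgumentException('Disallowed characters in URI');
        }
        return $uri;
    }
}

// Stand-in for the framework (assumption): run each configured callable in order.
function apply_uri_filters($uri, array $filters)
{
    foreach ($filters as $filter) {
        $uri = call_user_func($filter, $uri);
    }
    return $uri;
}

$filters = array('Uri_Whitelist::check', 'htmlentities');

// Constructed sample URIs: the raw request from the question, its
// percent-encoded form, and a trailing-newline case.
$samples = array('hello/jack', 'hello/jack<b>haha</b>', 'hello/jack%3Cb%3E', "hello/jack\n");
foreach ($samples as $uri) {
    try {
        printf("%-26s accepted\n", json_encode(apply_uri_filters($uri, $filters)));
    } catch (\InvalidArgumentException $e) {
        printf("%-26s rejected: %s\n", json_encode($uri), $e->getMessage());
    }
}
```

Because `%` is not in the allowed set, the check rejects the markup whether the path reaches the filter raw or still percent-encoded.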