ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


[SOLVED] Allowing all URI characters

January 15, 2010 4:44pm

  • #1 / Jan 15, 2010 4:44pm

    misplacedme

    25 posts

    I’m toying with CodeIgniter, and ran into an issue that I need an answer on.
    I’m wanting to have user-readable search queries based on the address (index.php/users/search/tom*)
    Of course, I get a message saying that I have illegal values in my URI.  I don’t want to base64 encode my strings, and the only thing I can think of to allow this is to allow all URI characters.

    What exactly are the repercussions of doing this?  As far as I can see, it will just mean I will need to do more sanitization than before.  Correct me if I’m wrong.

  • #2 / Jan 15, 2010 4:55pm

    Sbioko

    382 posts

    I will need to do more sanitization than before

    No, you will not. Just do these 2 simple steps:
    1) Change the permitted_uri_chars option in your config.php to this:

    $config['permitted_uri_chars'] = '';

    2) Then go to your URI library (system/libraries/URI.php) and find the _filter_uri function. After that, put this code:

    global $IN;
    return $IN->xss_clean(str_replace($bad, $good, $str));

    to the end of this function.

    That’s all. Now you can use all URI characters and be safe!

  • #3 / Jan 15, 2010 4:58pm

    misplacedme

    25 posts

    Well thank you very much.

  • #4 / Jan 17, 2010 12:38am

    ydp2005

    2 posts

    Why “Call to a member function xss_clean() on a non-object”?

  • #5 / Jan 17, 2010 12:58am

    ydp2005

    2 posts

    $IN =& load_class('Input');
    return $IN->xss_clean(str_replace($bad, $good, $str));

  • #6 / Jan 17, 2010 3:38am

    Ben Edmunds

    812 posts

    Just to add a note to this discussion. 

    It is NOT a good idea to change the core system files.  You need to extend the library with a MY_Library if you wish to change the core behavior.  You do not want to break your site if you, or someone else, upgrades the CI core.

  • #7 / Jan 17, 2010 5:10am

    Jamie Rumbelow

    546 posts

    ...neither is it a good idea to allow every single character to pass through in your URL. I could hack your website in so many different ways now I know that any character is passed through, and (hypothetically) could track your username across the web to find out what site it is and then hack it.

    Security’s important. Limit the character set to a certain few characters. Even if you are xss_clean()ing it, it’s not impossible to bypass.

    Jamie

  • #8 / Apr 29, 2010 9:46am

    WanWizard

    4475 posts

    All very well for someone whose scope is limited to English.

    I would like to have URLs, e.g. for forum or blog posts, like http://mysite/forum/post/1234-this-is-the-title-of-a-forum-post.html. This particular example passes inspection, but that changes as soon as the post title is in Hebrew, Chinese, or any other non-Latin set of characters.

    So how to deal with this issue, while keeping the potential security issues you refer to in mind?
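
Added example, not part of the original thread and not CodeIgniter's own code: one way to limit the character set as post #7 advises while still accepting the non-Latin titles post #8 asks about, by decoding a segment once and matching it against a Unicode-aware allowlist. The function name, the per-route `$extra` parameter and the sample segments are assumptions constructed for illustration.

```php
<?php
/**
 * Validate one URI segment against an allowlist.
 * Returns the decoded segment, or null if it must be rejected.
 * $extra (hypothetical) lists additional literal characters a specific
 * route accepts, e.g. '*' for the search route from post #1.
 */
function validate_segment(string $raw, string $extra = ''): ?string
{
    // Decode exactly once. A '%' that survives decoding means the input
    // was double-encoded, so reject instead of decoding again.
    $s = rawurldecode($raw);
    if ($s === '' || strpos($s, '%') !== false) {
        return null;
    }
    // Dot segments consist only of allowed characters but change path meaning.
    if ($s === '.' || $s === '..') {
        return null;
    }
    // Letters, combining marks and digits from any script, plus '_', '.', '-'.
    // With the /u modifier PCRE fails on malformed UTF-8 (preg_match returns
    // false), so invalid byte sequences are rejected by the same check.
    $pattern = '/\A[\p{L}\p{M}\p{N}_.\-' . preg_quote($extra, '/') . ']+\z/u';
    return preg_match($pattern, $s) === 1 ? $s : null;
}

// Constructed sample segments: [raw segment, extra characters for the route].
$samples = [
    ['tom*', '*'],                          // wildcard allowed on the search route
    ['tom*', ''],                           // same input on a route without it
    ['1234-%D7%A9%D7%9C%D7%95%D7%9D', ''],  // percent-encoded Hebrew title
    ['%3Cscript%3E', ''],                   // markup characters
    ['%252e%252e', ''],                     // double-encoded dots
    ['%C0%AF', ''],                         // malformed UTF-8 bytes
];

foreach ($samples as [$raw, $extra]) {
    $ok = validate_segment($raw, $extra);
    printf("%-32s => %s\n", $raw, $ok === null ? 'REJECT' : "accept ($ok)");
}
```

An accepted segment has only passed a character check; it still needs escaping at the point of use, such as HTML output or a database query.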
