This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Just launched cc:all with CI

June 25, 2008 1:08pm

  • #1 / Jun 25, 2008 1:08pm

    minoflow

    9 posts

    cc:all - http://www.carboncopyall.com

    Just finished (for the most part) a mini side project for a friend. The idea is a place to share the stupid email you get from friends, coworkers and spammers. It's a pretty simple site, as it was my first CI project.

    I had a great time developing it and I’m looking forward to future projects with CI.  Let me know what you think and please if you have any stupid email SUBMIT IT!

    Thanks,
    Jon

  • #2 / Jun 25, 2008 1:53pm

    gungbao

    70 posts

    Dear minoflow,

    Your app is damned unsafe. I could easily XSS hack it up even more than has already been done with

    http://www.carboncopyall.com/view/2-test

    Have fun fixing it ;=)

    Greetings,
    Christoph

  • #3 / Jun 25, 2008 1:57pm

    minoflow

    9 posts

    gungbao: Thanks for the notice. I'll get on that right away!

  • #4 / Jun 25, 2008 2:55pm

    Alex.

    29 posts

    Nice minimalistic design 😊
    You should change your routing; at the moment I can type in http://www.carboncopyall.com/view/ and I am presented with a 404 error. Perhaps a nice redirect to the home page would be a better idea 😉

    Good luck promoting it - it looks really cool!

    Alex

  • #5 / Jun 26, 2008 12:25am

    That's really fun!
    Have you got around to fixing the XSS issue? For educational purposes, can you share with us the steps that allowed you to protect your app?

  • #6 / Jun 26, 2008 2:32pm

    gungbao

    70 posts

    Some basic stuff:

    htmlentities — Convert all applicable characters to HTML entities
    General CI Security
    Security Helper

    Always HTML-escape user-given things. In Rails I do it with <%=h, in PHP it should be done with htmlspecialchars() or htmlentities().

    cheers,
    chris

  • #7 / Jun 26, 2008 3:04pm

    I don't understand the need for using htmlentities with CI; it should be the role of the framework to escape, convert, whatever: securing forms.

    And CI does it well, as far as I know, without overusing htmlentities again (of course, I insist that CI MUST be configured and used correctly). I think the first parameter that should always be enabled when there are user forms is the XSS protection config set to TRUE. Then, if you validate all forms with the validation class and validate the types of data, it should be secure enough and escaped as it has to be. Correct me if I am wrong.

  • #8 / Jun 26, 2008 4:41pm

    minoflow

    9 posts

    I've now set XSS to TRUE and tried to enter the same JavaScript alert code. It protects against it just fine.

    I'll check out those articles, thanks for the references!

  • #9 / Jun 27, 2008 4:31pm

    gungbao

    70 posts

    Too Pixel: no, you are right, but it's each coder's flavour how much control & security you hand over to your framework without thinking about it.

    You will find many situations where a general

    // entity-decoding pass inside tags, as done in CI's xss_clean()
    if (preg_match_all("/<(.+?)>/si", $str, $matches))
    {
        for ($i = 0; $i < count($matches['0']); $i++)
        {
            $str = str_replace($matches['1'][$i],
                               $this->_html_entity_decode($matches['1'][$i], $charset),
                               $str);
        }
    }

    on all your requests (post, cookie, get ...) is simply too restrictive (think about admin panels).

  • #10 / Jun 27, 2008 7:19pm

    I've already made about 12 admin panels based on CI without any problem (yet) with XSS set globally to TRUE. In which situation would this be too restrictive?

  • #11 / Jul 10, 2008 8:51am

    gungbao

    70 posts

    You do not want to control plain HTML from your admin panels???
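    The two positions in this thread (post #6: always escape user data where it is output; posts #9 and #11: a global input filter such as CI's global_xss_filtering mangles legitimate HTML from admin panels) can be shown side by side. The following is an added example written for this page, not code from carboncopyall.com or from CodeIgniter; the helper names, the naive filter and the sample submissions are all constructed for illustration.

```php
<?php
// Added example, not from the thread or from CodeIgniter.
// Contrast output escaping with a global input filter on the
// same two pieces of data: an untrusted visitor submission and
// a trusted admin notice that is meant to contain HTML.

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also covers single quotes; ENT_SUBSTITUTE avoids an
// empty string on invalid UTF-8 (which would silently drop content).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical stand-in for a global "strip anything tag-like" input
// filter applied to every request field before storage. Deliberately
// crude: it is here to show the lossy behaviour, not to be used.
function naive_input_filter(string $s): string
{
    return strip_tags($s);
}

// Constructed sample data (not real posts from the site).
$visitor_post = 'Look at this <script>alert(document.cookie)</script> '
              . '<b onmouseover="alert(1)">hilarious</b> email';
$admin_notice = '<p>Site notice: the <a href="/rules">rules</a> were updated.</p>';

// 1. What the original site did: echo user data straight into the page.
//    The <script> and the onmouseover handler stay live -> stored XSS.
function render_vulnerable(string $body): string
{
    return '<div class="mail">' . $body . '</div>';
}

// 2. Output escaping: store the submission unchanged, escape it at the
//    point where it is put into HTML. Nothing is lost and nothing runs.
function render_escaped(string $body): string
{
    return '<div class="mail">' . e($body) . '</div>';
}

// 3. Global input filter: data is mangled before it is stored and then
//    echoed raw. Safe for the visitor post, but the admin's <p> and
//    <a href> are gone too, which is the "too restrictive" complaint.
function render_filtered(string $body): string
{
    return '<div class="mail">' . naive_input_filter($body) . '</div>';
}

// 4. The per-field decision the thread argues for: escape by default,
//    and render raw HTML only for a field that is explicitly trusted
//    (here: authored by an authenticated admin). The decision is made
//    at the output site, for one field, not globally for all input.
function render_field(string $body, bool $author_is_admin): string
{
    return $author_is_admin ? render_vulnerable($body) : render_escaped($body);
}

foreach (['visitor' => $visitor_post, 'admin' => $admin_notice] as $who => $body) {
    echo "--- $who ---\n";
    echo "raw:      " . render_vulnerable($body) . "\n";
    echo "escaped:  " . render_escaped($body) . "\n";
    echo "filtered: " . render_filtered($body) . "\n";
    echo "by role:  " . render_field($body, $who === 'admin') . "\n";
}
```

    Run with `php example.php`. The escaped visitor post renders the script tag as literal text (`&lt;script&gt;...`), the filtered admin notice has lost its link and paragraph, and only the role-based variant shows both correctly. Note that `htmlspecialchars()` is the right tool for HTML text and attribute values only; a value placed inside a `<script>` block, a URL, or an inline event handler needs escaping for that context instead.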

  • #12 / Jul 14, 2008 4:22am

    ricklee

    29 posts

    Really nice-looking site and cool. But you're going to run into a lot of privacy problems/complaints. I hope the phone number that was posted there for snorting coke was "obfuscated"!
