This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

“Disallowed Key Characters” - is this a valid solution?

January 21, 2011 3:30pm

  • #1 / Jan 21, 2011 3:30pm

    kevinm81

    12 posts

    I have a page giving me the “Disallowed Key Characters” error. The issue is caused by cookies generated by the “Intense Debate” commenting system when someone posts invalid characters in their comment.

    There are tons of posts about this error message on the support forums but the most useful solution I could find was here:
    http://ellislab.com/forums/viewthread/84889/#422163
    which references this page:
    http://expressionengine.com/wiki/Mobile_Site_-_Disallowed_Key_Characters/

    So based off that 2nd link, what are the security implications of doing this:

    Replace line 138

    $_COOKIE[$this->clean_input_keys($key)] = $REGX->xss_clean($this->clean_input_data($val));

    with

    if (substr($key, 0, 4) == 'exp_') {
        $_COOKIE[$this->clean_input_keys($key)] = $REGX->xss_clean($this->clean_input_data($val));
    }

    There are no server-side applications running other than ExpressionEngine, so I would think changing it to check EE-only cookies would be fine, as EE would only read the contents of cookies that begin with ‘exp_’. Is my reasoning correct? I just want to be sure.

  • #2 / Jan 22, 2011 4:18pm

    Greg Salt

    3988 posts

    Hi kevinm81,

    Well, if a cookie exists for your domain then it will be submitted to your site and may be used/accessed. For example, an addon you have installed may use and create non-prefixed cookies. You will have to decide what is proper and valid for your site but your approach will certainly work.

    Cheers

    Greg

  • #3 / Jan 24, 2011 10:44am

    kevinm81

    12 posts

    Thanks!

  • #4 / Jan 24, 2011 11:08am

    Lisa Wess

    20502 posts

    Just as a note, this is a security routine and we discourage hacking it. I understand that you may need to for your integration, but I would do so very, very carefully, and it should be done only by an experienced developer.
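
The trade-off discussed in this thread, as an added example that is not part of the original posts and is not ExpressionEngine code: with the prefix check from post #1, cookies that do not start with `exp_` skip validation but still remain in the cookie array, so anything that reads them later receives the raw value. `clean_key()`, `clean_value()`, both filter functions and the sample cookies are hypothetical stand-ins constructed for this illustration.

```php
<?php
// Added illustration, not ExpressionEngine source. clean_key() and clean_value()
// are hypothetical stand-ins for the clean_input_keys() and xss_clean() calls.

function clean_key(string $key): string
{
    // Assumed rule: reject any key with characters outside this set.
    if (!preg_match('/^[a-z0-9:_\/-]+$/i', $key)) {
        throw new InvalidArgumentException('Disallowed Key Characters');
    }
    return $key;
}

function clean_value(string $val): string
{
    // Stand-in sanitizer; it only encodes HTML metacharacters.
    return htmlspecialchars($val, ENT_QUOTES, 'UTF-8');
}

// Variant from post #1: exp_ cookies are validated, every other cookie is
// left in the array untouched (unvalidated key, unsanitized value).
function filter_prefix_only(array $cookies): array
{
    foreach ($cookies as $key => $val) {
        if (substr((string) $key, 0, 4) == 'exp_') {
            $cookies[clean_key((string) $key)] = clean_value((string) $val);
        }
    }
    return $cookies;
}

// Stricter variant: cookies outside the prefix are dropped, not passed through.
function filter_prefix_and_drop(array $cookies): array
{
    $out = [];
    foreach ($cookies as $key => $val) {
        if (substr((string) $key, 0, 4) == 'exp_') {
            $out[clean_key((string) $key)] = clean_value((string) $val);
        }
    }
    return $out;
}

// Constructed sample cookies (not taken from the thread).
$sample = [
    'exp_last_visit' => '1295623800',
    'widget!state'   => '<b>comment text</b>',
];
var_dump(filter_prefix_only($sample));
var_dump(filter_prefix_and_drop($sample));
```

The stricter variant would break any add-on that relies on non-prefixed cookies, which is the situation raised in post #2.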
