Hi guys, I just ran into a problem when accessing a label I had created that contains a special character such as "+", namely the "notepad++" label.
https://bundet.com/pub/label/c++
Suddenly an error like the following appeared:
So I did what I usually do and asked Google. Once again the answer was on Stack Overflow, and it amounted to adjusting one setting in CodeIgniter's config.php file:
application/config/config.php
The Stack Overflow suggestion doesn't include the "+" sign, but since that was exactly the character causing my problem, I added it to the list, so the setting now looks like this:
/*
|--------------------------------------------------------------------------
| Allowed URL Characters
|--------------------------------------------------------------------------
|
| This lets you specify which characters are permitted within your URLs.
| When someone tries to submit a URL with disallowed characters they will
| get a warning message.
|
| As a security measure you are STRONGLY encouraged to restrict URLs to
| as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
|
| Leave blank to allow all characters -- but only if you are insane.
|
| The configured value is actually a regular expression character group
| and it will be executed as: ! preg_match('/^[<permitted_uri_chars>]+$/i
|
| DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
|
*/
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-+';
Great, done!
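To see what that setting actually does, here is an added example (not part of the original post and not CodeIgniter's own code) that re-implements the check in Python. CodeIgniter 3 splits the URI into segments and rejects a segment unless preg_match('/^[<permitted_uri_chars>]+$/i', $segment) succeeds, so the configured string is pasted straight into a regex character class. The sample URIs are constructed for illustration. The example also shows the two caveats the config comment warns about: a blank value switches the check off entirely, and the hyphen must stay escaped as \-, because without the backslash "_-+" is read as a character range and the pattern no longer compiles.

```python
import re

# Default shipped in CodeIgniter 3's application/config/config.php
DEFAULT_PERMITTED = r'a-z 0-9~%.:_\-'
# The value from the post: the default class with a literal "+" appended
EXTENDED_PERMITTED = r'a-z 0-9~%.:_\-+'
# Same characters with the backslash before "-" dropped (a common mistake)
BROKEN_PERMITTED = r'a-z 0-9~%.:_-+'


def build_pattern(permitted_uri_chars):
    """Build the same regex CI 3 uses: the configured string becomes the body
    of a character class, anchored at both ends and case-insensitive.
    Raises re.error when the class does not compile (for example a bad range)."""
    return re.compile(r'^[' + permitted_uri_chars + r']+$', re.IGNORECASE)


def class_compiles(permitted_uri_chars):
    """True if the configured value is a usable character class."""
    try:
        build_pattern(permitted_uri_chars)
    except re.error:
        return False
    return True


def rejected_segments(uri, permitted_uri_chars):
    """Segments that would trigger CI's 'disallowed characters' 400 error.

    Model of CI 3's per-segment filter_uri() (a re-implementation, not CI's code):
    - an empty permitted_uri_chars disables filtering altogether
    - the URI is split on '/' and every non-empty segment must match the class,
      which is why '/' itself never has to appear in the list
    """
    if not permitted_uri_chars:
        return []
    pattern = build_pattern(permitted_uri_chars)
    return [seg for seg in uri.strip('/').split('/')
            if seg.strip() and not pattern.match(seg.strip())]


def uri_allowed(uri, permitted_uri_chars):
    """True if the whole URI would pass the permitted_uri_chars filter."""
    return not rejected_segments(uri, permitted_uri_chars)


if __name__ == '__main__':
    # Constructed sample URIs, modelled on the label URLs in the post
    samples = ['pub/label/notepad++', 'pub/label/c++', 'pub/label/php',
               'pub/label/<script>alert(1)</script>']
    for uri in samples:
        print(f'{uri:40s} default: {uri_allowed(uri, DEFAULT_PERMITTED)!s:5s} '
              f'with "+": {uri_allowed(uri, EXTENDED_PERMITTED)}')
    print('blank value allows everything:', uri_allowed(samples[-1], ''))
    print('unescaped hyphen still compiles:', class_compiles(BROKEN_PERMITTED))
```

Adding a character widens the whitelist for every route of the application, not just the label pages, so add only what a route genuinely needs and keep "<", ">", quotes and "/" out of the list.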
A question that visitors have asked:
"Sorry, is the site still safe if it is set to false? I also ran into this on my office website."
And here is our response:
The CodeIgniter documentation explains that CSRF protection guards form submissions: when $config['csrf_protection'] is set to TRUE, CI adds a hidden token field to each form and rejects any POST request whose token does not match the one stored in the CSRF cookie. The URIs listed in csrf_exclude_uris are exempt from that check; each entry is a regular expression, so only URIs matching one of those patterns skip the token check, as below.
$config['csrf_exclude_uris'] = array( 'api/record/[0-9]+', 'api/title/[a-z]+' );
Input restrictions can also be applied on the client side (front end) with the HTML pattern attribute, but anything enforced only in the browser is trivial for an attacker to bypass. The checks therefore have to be enforced on the back end as well, which is what these CI config options do; layering the two is highly recommended.
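As an added example (not from the post and not CodeIgniter's source), here is a Python model of how CI 3's csrf_verify() decides whether a POST goes through: the request URI is first compared against each csrf_exclude_uris entry as an anchored, case-insensitive regex (CI wraps the entry as '#^<entry>$#i'), and if none matches, the token submitted in the form field must equal the token held in the CSRF cookie. The field and cookie names are assumed to be CI's defaults, and the sample requests and token values are constructed for the demonstration.

```python
import re
import hmac
import secrets

# Exclusion list taken from the config example above
CSRF_EXCLUDE_URIS = ['api/record/[0-9]+', 'api/title/[a-z]+']

# Assumed names (CI 3's default csrf_token_name / csrf_cookie_name values)
TOKEN_FIELD = 'csrf_test_name'
COOKIE_NAME = 'csrf_cookie_name'


def is_excluded(uri_string, exclude_uris=CSRF_EXCLUDE_URIS):
    """Model of the exclusion loop. Each entry is matched against the whole URI
    (CI wraps it as ^...$ with the i flag), so 'api/record/42' is excluded but
    'api/record/42/delete' and 'api/record/abc' still get the token check."""
    return any(re.fullmatch(entry, uri_string, re.IGNORECASE) for entry in exclude_uris)


def new_token():
    """Random token: stored in the cookie and echoed back as a hidden form field."""
    return secrets.token_hex(16)


def csrf_verify(method, uri_string, post, cookies, exclude_uris=CSRF_EXCLUDE_URIS):
    """True if the request would pass the CSRF check, False if CI would answer
    'The action you have requested is not allowed.' (model, not CI's code)."""
    if method.upper() != 'POST':            # only form posts are checked
        return True
    if is_excluded(uri_string, exclude_uris):
        return True
    sent = post.get(TOKEN_FIELD)
    expected = cookies.get(COOKIE_NAME)
    if sent is None or expected is None:    # missing token or missing cookie
        return False
    # constant-time comparison, as CI does with hash_equals()
    return hmac.compare_digest(sent, expected)


if __name__ == '__main__':
    token = new_token()
    # Constructed requests: a legitimate admin post, a cross-site forgery
    # (the attacker's page cannot read the cookie, so it cannot supply the
    # matching field), and the same forgery aimed at an excluded URI.
    legit = dict(method='POST', uri_string='post/create',
                 post={TOKEN_FIELD: token, 'body': 'hello'},
                 cookies={COOKIE_NAME: token})
    forged = dict(legit, post={'body': 'injected'})
    forged_excluded = dict(forged, uri_string='api/record/42')
    print('legit:', csrf_verify(**legit))
    print('forged:', csrf_verify(**forged))
    print('forged on excluded URI:', csrf_verify(**forged_excluded))
```

The last case is the one to watch when filling in csrf_exclude_uris: every pattern you add is a route that accepts cross-site POSTs with no token at all, so exclusions should be limited to endpoints that authenticate some other way.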
Now, back to the case at hand. On this site, the only user who can enter JavaScript is the admin (when creating a post), which means that to reach that feature you have to pass the user-level rule, and I have handled that adequately. So nobody but me can enter JavaScript.
Second, on the client side, I use Markdown to filter all input from visitor comments. In Markdown there is no opportunity to enter JavaScript, because everything is converted into Markdown syntax.
So I set it to FALSE for my own reasons; if you are dealing with client applications, it is a good idea to follow CI's security recommendations.
That is all and thank you.