Strange behavior with xss clean - codeigniter

In the following lines:

    var_dump($this->uri->segment(3));
    $get = $this->security->xss_clean($this->uri->segment(3));
    var_dump($get);

How could the first var_dump print

    string(34) "debut=0&combien=30&s=1&telephone=4"

and the second (after the xss_clean)

    string(29) "debut 0&combien=30&s=1&teleph"
I'm a bit confused here.
EDIT:
I've been debugging this, and it's the _remove_evil_attributes() function in the Security class that makes this transformation, and only for this string.
Line 641 in the Security class:

    $str = preg_replace('/(<?)(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count);

considers "one\\=4" (as in telephone=4) to be an evil attribute. Ok, now it's bigger than me...

Well, this is normal nowadays since CodeIgniter is not supported any more (at least temporarily) because they are seeking a new owner for it.
So my recommendation is to override the Security class in the core/ directory.
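The following is an added example, not code from the question or from CodeIgniter. It applies the regex quoted in the question to the same segment to show which alternative fires (the attribute list is assumed to be the CodeIgniter 2.x one; the question does not reproduce it), and then shows the approach that avoids the problem entirely: parse the segment, accept only the expected keys as the expected types, and encode at output instead of "cleaning" raw input and reusing it.

```php
<?php
// Added example, not from the question or from CodeIgniter itself.

// Attribute names the CI 2.x _remove_evil_attributes() strips. ASSUMED from
// the CI 2.x source; the question above does not show this list.
$attribs = array('on\w*', 'style', 'xmlns', 'formaction');

// The pattern exactly as quoted in the question.
$pattern = '/(<?)(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(' . implode('|', $attribs)
         . ')(.*?)([\s><]?)([><]*)/i';

// Apply the same replacement CI applies and report which group triggered it.
function showMangling($pattern, $str)
{
    if (preg_match($pattern, $str, $m)) {
        // Group 5 is the "evil attribute" that matched. For the segment below
        // it is the tail of "telephone": the on\w* alternative, written for
        // onclick/onload/..., also matches "one". Group 3 is the "=" after
        // "debut", which the pattern reads as the separator before an attribute.
        printf("matched attribute: %s\n", $m[5]);
        printf("separator that satisfied group 3: %s\n", $m[3]);
    }
    return preg_replace($pattern, '$1$2 $4$6$7$8', $str);
}

$segment = 'debut=0&combien=30&s=1&telephone=4';
var_dump(showMangling($pattern, $segment));

// Safer handling of the same segment: parse it, keep only expected keys,
// validate each value as the type you need, and reject (do not rewrite)
// anything that does not fit.
function parseSegment($segment, array $expectedIntKeys)
{
    parse_str($segment, $params);
    $clean = array();
    foreach ($expectedIntKeys as $key) {
        if (!isset($params[$key])) {
            continue;
        }
        $value = filter_var($params[$key], FILTER_VALIDATE_INT);
        if ($value === false) {
            throw new InvalidArgumentException("Parameter $key must be an integer");
        }
        $clean[$key] = $value;
    }
    return $clean;
}

$params = parseSegment($segment, array('debut', 'combien', 's', 'telephone'));
var_dump($params);

// A value that reaches HTML is encoded at that point, not when it was read.
echo htmlspecialchars((string) $params['telephone'], ENT_QUOTES, 'UTF-8'), "\n";
```

Run stand-alone, the first var_dump reproduces the 29-character string from the question, and the printed groups show that the mangling has nothing to do with "one\\=4" being an attribute: any `=` followed later by the letters `on` is enough to trigger the replacement. The parseSegment() half is the pattern to prefer when a segment carries structured data: xss_clean() is a lossy filter for untrusted HTML, not a validator for query strings.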

Construct routes(urls) with slugs separated by dash in laravel

I am about to make more SEO-friendly URLs on my page and want a pattern looking like this for my products:
www.example.com/product-category/a-pretty-long-seo-friendly-product-name-12
So what are we looking at here?
www.example.com/{slug1}/{slug2}-{id}
The only thing I will care about from the URL in my controller is the {id}. The other two slugs are there only for SEO purposes. So to my question: how can I get the 12 from a-pretty-long-seo-friendly-product-name-12?
I have tried www.mydomain.com/{slug}/{slug}-{id} and in my controller tried to get $id. It does not work. I am not able to separate it from a-pretty-long-seo-friendly-product-name. So in my controller, no matter how I do it, I get {slug2} and {id} concatenated.
Coming from rails it is a piece of cake there but can't seem to figure out how to do that here in laravel.
EDIT:
I am sorry I formulated my question very unclear. I am looking for a way to do this in the routes file. Like in rails.
You're on the right track, but you can't really logically separate /{slug}-{id} if you're using dash-separated strings. To handle this, you can simply explode the chunks and select the last one:

    // routes/web.php
    Route::get('/{primarySlug}/{secondarySlugAndId}', [ExampleController::class, 'example']);

    // ExampleController.php
    public function example($primarySlug, $secondarySlugAndId){
        $parts = collect(explode('-', $secondarySlugAndId));
        $id = $parts->last();
        $secondarySlug = $parts->slice(0, -1)->implode('-');
        ... // Do anything else you need to do
    }

Given the URL example.com/primary-slug/secondary-slug-99, you would have the following variables:

    dd($primarySlug, $secondarySlug, $id);
    // "primary-slug"
    // "secondary-slug"
    // "99"
The only case this wouldn't work for is if your id had a dash in it, but that's another layer of complexity that I hope you don't have to handle.
    Route::get('/test/{slug1}/{slug2}', 'IndexController@index');

    public function index($slug1, $slug2)
    {
        $id_slug = last(explode('-', $slug2));
        $second_slug = str_replace('-' . $id_slug, '', $slug2);
        dd($slug1, $second_slug, $id_slug);
    }
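Both answers above take whatever follows the last dash as the id. The following is an added example, not from the question or either answer: a parser for the `{slug}-{id}` segment that returns an integer id or null, so the controller can respond with a 404 for a malformed segment instead of passing an arbitrary string on to a database lookup. The function name and the sample inputs are constructed for this example.

```php
<?php
// Added example, not from the question or the answers above.

/**
 * Split "a-pretty-long-seo-friendly-product-name-12" into
 * array('slug' => 'a-pretty-long-seo-friendly-product-name', 'id' => 12).
 * Returns null when the segment does not end in "-<positive integer>".
 */
function splitSlugAndId($segment)
{
    // Anchored pattern: the id is the digit run after the LAST dash and
    // nothing else. A non-numeric tail, an empty slug chunk ("a--12"),
    // a missing id or a missing slug all fail instead of being guessed.
    if (!preg_match('/^([a-z0-9]+(?:-[a-z0-9]+)*)-([1-9][0-9]*)$/i', $segment, $m)) {
        return null;
    }
    return array('slug' => $m[1], 'id' => (int) $m[2]);
}

// Constructed inputs covering the normal case and the edge cases.
$cases = array(
    'a-pretty-long-seo-friendly-product-name-12', // slug + id
    'secondary-slug-99',                           // slug + id
    'a-pretty-long-seo-friendly-product-name',     // no id
    'product-12-abc',                              // tail is not numeric
    'product--12',                                 // empty slug chunk
    '12',                                          // no slug at all
);
foreach ($cases as $c) {
    printf("%-45s => ", $c);
    var_dump(splitSlugAndId($c));
}
```

In a controller, a null result is the signal to abort with a 404. The id is the only part that should select the record; the slug is untrusted decoration, so compare it against the stored canonical slug and redirect to the canonical URL when it differs rather than using it in the query.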

XPath Sibling returns empty

I'm using this http://www.xpathtester.com/xpath/5a30592045b6aa5089faf909261ede0b XPath tester, which returns exactly what I want. For some reason it removes my full query, but if you use it, it works.
    */h3[contains(string(), "Description")]/following-sibling::p[1]
But in real life, I get nothing from my variable.
I'm trying to get the data after <h3>Description</h3>, in this case a paragraph <p>.
HTML:

    $feed_item =
    <div class="outer-feed"><ul>
    <li><strong>Severity:</strong> <span class="label label-info">Low</span></li>
    </ul>
    <h3>Description</h3>
    <p>The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.</p>
    ...

Here's my XPath:

    $description_node = $xpath->query('*/h3[contains(string(), "Description")]/following-sibling::p[1]', $feed_item);
    $description = "description: " . $description_node->item(0)->textContent;

and var_dump:

    object(DOMNodeList)#1654 (1) { ["length"]=> int(0) }
And the error:

    Notice: Trying to get property 'textContent' of non-object in
What confuses me is that I can get Severity from the same HTML by using this:
    $severity_node = $xpath->query('*/li[contains(string(), "Severity:")]', $feed_item);
    $severity = preg_replace('/Severity:\W*/u', '', $severity_node->item(0)->textContent);
My first thought was to scale back to just the H3 and output that.
    $description_node = $xpath->query('*/h3[contains(string(), "Description")]', $feed_item);
    object(DOMNodeList)#1654 (1) { ["length"]=> int(0) } // doesn't contain anything
Given that the following are identical but the first works and the second doesn't, what could be the problem?
    $severity_node = $xpath->query('*/li[contains(string(), "Severity:")]', $feed_item);
    $description_node = $xpath->query('*/h3[contains(string(), "Description")]', $feed_item);

Why is one working and not the other? And what is the best way to troubleshoot things like this? It seems to work on the xpathtester. What could I be doing wrong that causes this problem in PHP?
Try with this XPath:
    //h3[text()="Description"]/following::p[1]
A query starting */h3[...] will only work if the context item when it is invoked is the grandparent of the h3 element. You've given no information about the context item, so I suspect it is something different.
You ask the question(s): "Why is one working and not the other. And what is the best way to troubleshoot things like this. It seems to work on the xpathtester. What could I be doing wrong that causes this problem in PHP?"
Well, the first thing is to understand that XPath expressions may depend on the context item, and that the same expression evaluated with different context items is going to give different results. Once you understand that concept, it hopefully becomes a lot clearer.
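The following is an added example, not from the question or the answer above, that makes the context-item point concrete with PHP's DOMXPath. The HTML is constructed from the snippet in the question, with a second feed item added so the difference between a relative expression and a `//` expression is visible; the context node is assumed to be the `<div class="outer-feed">` element, which is what `$feed_item` looks like in the question.

```php
<?php
// Added example, not from the question or the answer above.

libxml_use_internal_errors(true); // loadHTML() warns on fragments; collect instead

// Constructed HTML: two feed items modelled on the snippet in the question.
$html = <<<'HTML'
<div id="wrap">
<div class="outer-feed"><ul>
<li><strong>Severity:</strong> <span class="label label-info">Low</span></li>
</ul>
<h3>Description</h3>
<p>The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.</p>
</div>
<div class="outer-feed"><ul>
<li><strong>Severity:</strong> <span class="label label-info">High</span></li>
</ul>
<h3>Description</h3>
<p>Second item description.</p>
</div>
</div>
HTML;

$doc = new DOMDocument();
$doc->loadHTML($html);
$xpath = new DOMXPath($doc);

// Context node: the FIRST <div class="outer-feed">, i.e. $feed_item in the question.
$feed_item = $xpath->query('//div[@class="outer-feed"]')->item(0);

function countMatches(DOMXPath $xpath, $expr, DOMNode $context)
{
    return $xpath->query($expr, $context)->length;
}

$queries = array(
    // Finds the li: it is a grandchild of the div (div > ul > li), so */li fits.
    '*/li[contains(string(), "Severity:")]',
    // Empty: the h3 is a direct CHILD of the div, but */h3 asks for a grandchild.
    '*/h3[contains(string(), "Description")]',
    // Works and stays inside this item: the h3 relative to the context node.
    './h3[contains(string(), "Description")]/following-sibling::p[1]',
    // Works, but // starts at the document root and ignores the context node,
    // so it also returns the second item's heading and paragraph.
    '//h3[text()="Description"]',
    '//h3[text()="Description"]/following::p[1]',
);

foreach ($queries as $q) {
    printf("%-70s -> %d node(s)\n", $q, countMatches($xpath, $q, $feed_item));
}

// Reading the result safely: check length before touching item(0), which is
// what the "property of non-object" notice in the question was about.
$nodes = $xpath->query('./h3[contains(string(), "Description")]/following-sibling::p[1]', $feed_item);
if ($nodes->length === 0) {
    echo "no description found\n";
} else {
    echo "description: " . trim($nodes->item(0)->textContent) . "\n";
}
```

The loop prints 1 node for the `*/li` query and 0 for `*/h3`, which is the asymmetry the question asks about, and the two `//` queries each report 2 nodes because they are not scoped to `$feed_item` at all. When a page carries several items, prefer the `./h3[...]/following-sibling::p[1]` form so each item's description comes from that item, and always check `length` before dereferencing `item(0)`.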

CodeIgniter: Disallowed Key Characters

I have the same problem as the people below, but the solutions offered to them do not work for me.
CodeIgniter - disallowed key characters
CodeIgniter Disallowed Key Characters
Disallowed key characters error message in Codeigniter (v2)
I get "Disallowed Key Characters" when I submit a form.
I have CSRF protection enabled, and I am using arrays in my form field names (i.e., search[] as the name as there are multiple selection dropdown options). I have a feeling it is the "[]" in the form name that bothers this form.
I have followed all advice I could see in the posts above.
I disabled CSRF temporarily,
I disabled XSS temporarily,
I edited $config['permitted_uri_chars'] and
I edited Input.php where this message is generated.
Does anybody have any additional ideas about what could cause this problem on form submission?
Thanks!
Like my answer here — you just need to update the regex in MY_Input->_clean_input_keys() to allow more characters (eg escaped JSON, or escaped HTML/XML)
Allow just 'English':

    !preg_match("/^[a-z0-9\:\;\.\,\?\!\@\#\$%\^\*\"\~\'+=\\\ &_\/\.\[\]-\}\{]+$/iu", $str)

Allow Chinese characters:

    !preg_match("/^[a-z0-9\x{4e00}-\x{9fa5}\:\;\.\,\?\!\@\#\$%\^\*\"\~\'+=\\\ &_\/\.\[\]-\}\{]+$/iu", $str)
My full working function looks like this:

    public function _clean_input_keys($str) {
        // NOTE: \x{4e00}-\x{9fa5} = allow chinese characters
        // NOTE: 'i' — case insensitive
        // NOTE: 'u' — UTF-8 mode
        if (!preg_match("/^[a-z0-9\x{4e00}-\x{9fa5}\:\;\.\,\?\!\@\#\$%\^\*\"\~\'+=\\\ &_\/\.\[\]-\}\{]+$/iu", $str)) {
            /**
             * Check for Development environment - Non-descriptive
             * error so show me the string that caused the problem
             */
            if (is_env_dev()) {
                var_dump($str);
            }
            exit('Disallowed Key Characters.');
        }
        // Clean UTF-8 if supported
        if (UTF8_ENABLED === TRUE) {
            return $this->uni->clean_string($str);
        }
        return $str;
    }

my_helper.php:

    if (!function_exists('is_env_dev')) {
        function is_env_dev() {
            return (
                defined('ENVIRONMENT') && strtolower(ENVIRONMENT) == 'development' ||
                defined('ENVIRONMENT') && strtolower(ENVIRONMENT) == 'testing'
            );
        }
    }
Thanks, but I found a comment hidden way below (right at the bottom at the time of this writing) on another post here: CodeIgniter Disallowed Key Characters
The comment suggested that I add $str to the exit() comment to test. This indicated that I had a missing double quote in my form fields. It is a very complex form built up dynamically, with 300 lines of code, so easy to miss.
Hope this answer (and the comment that inspired it) helps someone else.
Validating the source of the output could prevent problems such as this one :-)
Regards
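The answer above widens the whitelist, while the accepted finding was a stray quote in a dynamically built form. The following is an added example, not from the question or either answer, that shows how form field names actually arrive at the key check and reports which characters a key fails on, so the cause can be found without loosening the filter. The whitelist pattern is assumed to be the CodeIgniter 2.x default (the thread does not reproduce it); the request body is constructed.

```php
<?php
// Added example, not from the question or the answers above.

// CodeIgniter 2.x default key whitelist. ASSUMED from the CI 2.x Input class;
// not shown in the thread. Only letters, digits, ':', '_', '/' and '-'.
const KEY_PATTERN = '/^[a-z0-9:_\/-]+$/i';

// Return the characters of $key that the whitelist rejects ('' if clean).
function rejectedKeyChars($key)
{
    if (preg_match(KEY_PATTERN, $key)) {
        return '';
    }
    // Strip every permitted character; what is left is what caused the failure.
    return preg_replace('/[a-z0-9:_\/-]/i', '', $key);
}

// Walk a (nested) parameter array the way the framework does and collect
// every offending key together with the characters that tripped the check.
function findBadKeys(array $params, $path = '')
{
    $bad = array();
    foreach ($params as $key => $value) {
        $full = $path === '' ? (string) $key : $path . '[' . $key . ']';
        $left = rejectedKeyChars((string) $key);
        if ($left !== '') {
            $bad[$full] = $left;
        }
        if (is_array($value)) {
            $bad = array_merge($bad, findBadKeys($value, $full));
        }
    }
    return $bad;
}

// Constructed request body, as PHP itself would parse a submitted form.
// Note that search[] has already become a nested array: the keys the filter
// sees are "search", then "0" and "1". The brackets never reach the check,
// so "search[]" field names are not what triggers the error. A field whose
// name ends up with a stray quote in it is.
parse_str('search[]=a&search[]=b&debut=0&name"=x&q=1', $body);

var_dump(array_keys($body));
var_dump(findBadKeys($body));
```

Running it lists the top-level keys `search`, `debut`, `name"` and `q`, and findBadKeys() reports only `name"` with the rejected character `"`. In a MY_Input override the equivalent is to log rejectedKeyChars($str) in the development environment before exiting, which points straight at the broken form field; extending the character class, as in the answer above, makes the symptom disappear while keeping the malformed markup.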

Pygments lexer for AspectJ

I just asked the support guys on GitHub why AspectJ (*.aj) files are not syntax-highlighted. The answer was that they are using Pygments, but are unaware of any existing lexer for AspectJ. I did a quick web search and did not find any either. Has anyone here written one or can point me to a link for an existing one?
Long ago I wrote a lexer for Kconfig (Linux kernel configuration) files, but it was rather hard for me because I do not speak Python. So before I start torturing my brain again, I thought I should better ask first instead of possibly re-inventing the wheel.
After having created a "copy, paste & modify" solution of JavaLexer initially because I really do not speak Python, I managed to hack another quick'n'dirty solution which subclasses JavaLexer and delegates lexing to it for the most part. Exceptions are
AspectJ-specific keywords,
handling of inter-type declarations followed by colons without a space not as Java labels, but as AspectJ keywords plus ":" operator and
handling of inter-type annotation declarations as AspectJ keywords and not as Java name decorators.
I am sure my little heuristic solution misses some details, but as Andrew Eisenberg said: an imperfect, but working solution is better than a non-existent perfect one:

    from pygments.lexers import JavaLexer
    from pygments.token import Keyword, Name, Operator


    class AspectJLexer(JavaLexer):
        """
        For `AspectJ <http://www.eclipse.org/aspectj/>`_ source code.
        """
        name = 'AspectJ'
        aliases = ['aspectj']
        filenames = ['*.aj']
        mimetypes = ['text/x-aspectj']

        # Identifiers that JavaLexer emits as plain names but AspectJ treats as keywords
        aj_keywords = [
            'aspect', 'pointcut', 'privileged', 'call', 'execution',
            'initialization', 'preinitialization', 'handler', 'get', 'set',
            'staticinitialization', 'target', 'args', 'within', 'withincode',
            'cflow', 'cflowbelow', 'annotation', 'before', 'after', 'around',
            'proceed', 'throwing', 'returning', 'adviceexecution', 'declare',
            'parents', 'warning', 'error', 'soft', 'precedence', 'thisJoinPoint',
            'thisJoinPointStaticPart', 'thisEnclosingJoinPointStaticPart',
            'issingleton', 'perthis', 'pertarget', 'percflow', 'percflowbelow',
            'pertypewithin', 'lock', 'unlock', 'thisAspectInstance'
        ]
        # "declare parents:" etc.: JavaLexer sees a label, AspectJ a keyword plus ":"
        aj_inter_type = ['parents:', 'warning:', 'error:', 'soft:', 'precedence:']
        # "declare @type:" etc.: JavaLexer sees an annotation, AspectJ a keyword
        aj_inter_type_annotation = ['@type', '@method', '@constructor', '@field']

        def get_tokens_unprocessed(self, text):
            # Delegate to JavaLexer and re-tag only the AspectJ-specific tokens
            for index, token, value in JavaLexer.get_tokens_unprocessed(self, text):
                if token is Name and value in self.aj_keywords:
                    yield index, Keyword, value
                elif token is Name.Label and value in self.aj_inter_type:
                    yield index, Keyword, value[:-1]
                    # the trailing ":" sits at the end of the label, so offset its index
                    yield index + len(value) - 1, Operator, value[-1]
                elif token is Name.Decorator and value in self.aj_inter_type_annotation:
                    yield index, Keyword, value
                else:
                    yield index, token, value
Syntax highlighting for AspectJ should be quite straightforward to implement if you start with a Java lexer. The lexer would be identical to Java's with some extra keywords.
See here for a list of the AspectJ-specific keywords:
http://git.eclipse.org/c/ajdt/org.eclipse.ajdt.git/tree/org.eclipse.ajdt.core/src/org/eclipse/ajdt/core/AspectJPlugin.java
And here for the Java keywords:
http://git.eclipse.org/c/ajdt/org.eclipse.ajdt.git/tree/org.eclipse.ajdt.ui/src/org/eclipse/ajdt/internal/ui/editor/AspectJCodeScanner.java

Mutliple URL Segments to Index Function With CodeIgniter

Please excuse me if this is an incredibly stupid question, as I'm new to CodeIgniter.
I have a controller for my verification system called Verify. I'd like to be able to use it something like site.com/verify/123/abcd, but I only want to use the index function, so both URL segments need to go to it.
I'm sure this can be done with URL routing somehow, but I can't figure out how to pass both URL segments into Verify's index function.
Something like this in routes.php should do the job:

    $route['verify/(:any)/(:any)'] = "verify/index/$1/$2";
I'm pretty sure you can just pass any controller method in CodeIgniter multiple arguments without modifying routes or .htaccess unless I misunderstood the problem.
    function index($arg_one, $arg_two)
    {
    }

$arg_one represents the 123 and $arg_two represents the abcd in your example URI.
You will either need to edit the routes or write an htaccess rule; however, I didn't understand why you want to limit it to just the index function.
If you didn't want to use routes for some reason, then you could add this function to the controller in question.

    public function _remap($method_in, $params = array()) {
        $method = 'process_' . $method_in;
        if (method_exists($this, $method)) {
            return call_user_func_array(array($this, $method), $params);
        }
        array_unshift($params, $method_in);
        $this->index($params);
    }

Basically it does the same as the default behavior in CI, except instead of sending a 404 on 'can't find method', it sends unfound method calls to the index.
You would need to alter your index function to take an array as the first argument.
OR if you know that you only ever want 2 arguments, you could change the last 2 lines to

    $this->index($method_in, $params[0]);

Of course both solutions fail if someone uses an argument which is the same as a method in your controller.
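The following is an added example, not from the question or the answers above, combining the two approaches in a form that addresses the collision the last answer mentions: a routes.php rule that only forwards segments of the expected shape, and a _remap() that dispatches only to an explicit list of routable methods and treats every other first segment as data for index(). Regex route keys, show_404() and $this->load->view() are standard CodeIgniter; the controller name, the view name and the token format are assumptions.

```php
<?php
// Added example, not from the question or the answers above.

// --- application/config/routes.php ---------------------------------------
// Only a numeric id and a 4..64 character alphanumeric token are forwarded to
// index(). Any other shape falls through to CodeIgniter's default handling,
// where "verify/<something>" would have to be a method name and is rejected.
// (The token format is an assumption for this example.)
$route['verify/(\d+)/([a-zA-Z0-9]{4,64})'] = 'verify/index/$1/$2';

// --- application/controllers/verify.php ----------------------------------
class Verify extends CI_Controller
{
    // Methods that may be addressed directly by URL. Everything else in the
    // first segment is treated as data for index(), so a segment value can
    // never select a method, intended or otherwise.
    private $routable = array('index');

    public function _remap($method, $params = array())
    {
        if (in_array($method, $this->routable, true)) {
            return call_user_func_array(array($this, $method), $params);
        }
        // Not a routable method name: the segment is the id, pass it along.
        array_unshift($params, $method);
        return call_user_func_array(array($this, 'index'), $params);
    }

    public function index($id = null, $token = null)
    {
        // Defence in depth: re-check here even though the route rule already
        // constrained both segments, so the controller is safe on its own if
        // the routes file changes or _remap() forwarded an unrouted request.
        if (!ctype_digit((string) $id) || !preg_match('/^[a-zA-Z0-9]{4,64}$/', (string) $token)) {
            show_404();
            return;
        }
        $this->load->view('verify', array('id' => (int) $id, 'token' => $token));
    }
}
```

With the route rule, site.com/verify/123/abcd reaches index('123', 'abcd') through _remap('index', ...). Without it, _remap('123', array('abcd')) forwards the same two values, and index() validates them either way, so a malformed id or token gets a 404 rather than reaching whatever the verification code does with it.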
