Codeigniter is "catching" url characters even though they've been urlencoded - codeigniter

I'm having the strangest issue with codeigniter. I have a site that has a search feature which displays the person's query in the url so that they can save the url. I make sure that the query text has gone through rawurlencode before I stick it in the url. However, Codeigniter still shoots me to an error page when there's a character in the query that isn't in my permitted_uri_characters configuration.
So even though my browser says /search-results/query/%22samplequery%22, I’m still getting the error about using non-permitted characters.
Is this a bug? I don’t have non-permitted characters in my url. I have a % sign and some numbers (which are all specifically permitted). It’s definitely the permitted_uri_characters setting that’s giving me grief. If I add a quotation mark to it, it allows the %22 query through no problem.
And to be clear, the query is coming from a form as post data, then being encoded in my controller and then redirected to a new page. There’s no way that the permitted_uri_characters is somehow being applied BEFORE it gets encoded.
This is driving me batty, as my only solution at the moment is to open up my permitted_uri_characters to everything under the sun, which isn't very secure!

Seems like you'd need to add # to the permitted_uri_chars, even if you urlencode the email before sending it to site_url(). Might urldecode it before matching up the characters ...
Percent Symbol in CodeIgniter URI
Here is a post more specific to your problem.
http://sholsinger.com/archive/2009/04/passing-email-addresses-in-urls-with-codeigniter/
I tried with the permitted_uri_chars, and finally ended up passing the email as a query string (?email=bla#bla.com), not even urlencoding it. Works great :)

Could it be URL encoding the %20 to a " before CodeIgniter verifies it? How about adding that to the permitted chars list.

I have my own solution for this, it's messy and not optimal, but it works. You can create a table where you store (search_string, url_title).
Every time you perform a search, save the string, generate a url_title() and save it to the database. This way, you can redirect your user to a safe url, without losing the initial search.
I know somebody is gonna yell at me for this solution. But, if your site is small, and your traffic keeps low, it's a valid solution.
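The two mechanisms discussed in this thread, as an added example in JavaScript (not CodeIgniter's own code). Part 1 models a permitted-URI-characters filter that percent-decodes a segment before matching it against the allowlist, which is the behaviour the answers above suspect: the encoded form %22samplequery%22 is rejected because the decoded value contains a double quote, so percent-encoding neither gets a value past the filter nor bypasses it. Part 2 implements the lookup-table workaround from the last answer: store the raw search string under a generated url_title()-style slug and redirect to the slug. The allowlist string, the slug rules and the in-memory store are assumptions made for this example.

```javascript
// Added example, not CodeIgniter's code. Part 1: decode-then-allowlist filter.
// Part 2: (search_string, url_title) lookup table from the last answer.

// Assumed allowlist, written as a character-class body the way CodeIgniter's
// config expresses it (your version's default may differ).
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\\-';

// Percent-decode the segment first, then require every character of the
// decoded result to be in the allowlist.
function segmentIsPermitted(segment, permitted = PERMITTED_URI_CHARS) {
  let decoded;
  try {
    decoded = decodeURIComponent(segment);
  } catch (e) {
    return false;            // malformed percent-encoding is rejected outright
  }
  return new RegExp(`^[${permitted}]+$`, 'i').test(decoded);
}

// Part 2: url_title()-style slug: lowercase, runs of non-alphanumerics become '-'.
function urlTitle(str) {
  return str
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '');
}

// In-memory stand-in for the (search_string, url_title) table.
class SearchStore {
  constructor() {
    this.bySlug = new Map();
  }
  // Save the raw query and return a slug that passes the URI filter. Distinct
  // queries that slugify identically get a numeric suffix so that the stored
  // search can always be recovered exactly.
  save(query) {
    const base = urlTitle(query) || 'search';
    let slug = base;
    for (let n = 2; this.bySlug.has(slug) && this.bySlug.get(slug) !== query; n++) {
      slug = `${base}-${n}`;
    }
    this.bySlug.set(slug, query);
    return slug;
  }
  lookup(slug) {
    return this.bySlug.get(slug);   // undefined when no such search was stored
  }
}

// Usage with a constructed search term matching the question.
const store = new SearchStore();
const rawQuery = '"samplequery"';
const encodedQuery = encodeURIComponent(rawQuery);   // %22samplequery%22, rejected
const safeSlug = store.save(rawQuery);               // samplequery, accepted
```

The redirect target is then /search-results/query/<slug>, and the results page calls lookup(slug) to get the original text back; the raw search string never has to survive the URI filter at all.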

Related

What is the behavior of an image URL which contains 2 occurrences of protocol://?

I find on the odysee.com video site that the URLs for thumbnail images contain 2 occurrences of https://, eg:
https://image-processor.vanwanet.com/optimize/s:390:220/quality:85/plain/https://thumbnails.lbry.com/cW11rfzDIDA
Is the second https: treated as the name of a directory, and does the following // simply collapse into a single / (as it normally would)?
Or does the server interpret this as something different?
I am examining these URLs because I find that in Firefox, the images do not cache, while in Chrome they do. This happens even when I create my own minimal test page with several images using the same odysee.com thumbnail image URLs, bringing me to the conclusion that the issue is not related to the odysee.com page in any way.
(Another thing I observe is that these images load extremely slow, sometimes failing to load, sometimes not. But that may just be a shortcoming of the hosting website. This is true on either browser.)
Only the first protocol is used as a protocol and the other is just part of the URL. The image-processor.vanwanet.com server will receive a request that looks something like this:
GET /optimize/s:390:220/quality:85/plain/https://thumbnails.lbry.com/cW11rfzDIDA HTTP/1.1
And it can choose to do whatever it wants with that information. In this case it's probably using everything after the "plain/" as a URL and using that for something. A reason to do it like that instead of putting the thumbnails.lbry.com URL in a query parameter is that a query parameter needs percent encoding but a URL in a URL doesn't. This makes the full thing shorter and maybe easier to process.
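What a URL parser makes of the thumbnail address above, as an added example in JavaScript (not odysee's or vanwanet's code): only the first scheme and host are structural, the second https:// survives unchanged inside the path, and a service in the position of image-processor.vanwanet.com can recover the inner URL from everything after plain/. The "/plain/" marker and the allowlist of upstream hosts are assumptions added here; a service that fetches whatever URL its path carries should decide which hosts it is willing to fetch from.

```javascript
// Added example, not the site's own code: parse a URL that contains a URL.
const THUMB =
  'https://image-processor.vanwanet.com/optimize/s:390:220/quality:85/plain/https://thumbnails.lbry.com/cW11rfzDIDA';

// Outer URL: scheme and host come from the first "https://" only; the rest,
// including the second "https://", is just the path and is not collapsed.
function parseOuter(urlString) {
  const u = new URL(urlString);
  return { host: u.host, pathname: u.pathname };
}

// Inner URL: everything after the assumed "/plain/" marker. Returns null when
// the marker is missing or what follows does not parse as an absolute URL.
function extractInner(urlString, marker = '/plain/') {
  const { pathname } = parseOuter(urlString);
  const i = pathname.indexOf(marker);
  if (i === -1) return null;
  const candidate = pathname.slice(i + marker.length);
  try {
    return new URL(candidate);
  } catch (e) {
    return null;
  }
}

// Constructed allowlist for a proxy-style service: fetch only https URLs on
// hosts it expects thumbnails from.
const ALLOWED_UPSTREAM_HOSTS = new Set(['thumbnails.lbry.com']);

function upstreamIsAllowed(inner, allowed = ALLOWED_UPSTREAM_HOSTS) {
  return inner !== null && inner.protocol === 'https:' && allowed.has(inner.hostname);
}

// Usage
const outer = parseOuter(THUMB);          // host: image-processor.vanwanet.com
const inner = extractInner(THUMB);        // https://thumbnails.lbry.com/cW11rfzDIDA
const ok = upstreamIsAllowed(inner);      // true
```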

I can't manage categories and products on magento

I have problems with Magento.
I can't manage products or categories. This just happened, I don't know why.
When I click on Manage Categories it's not working, as you can see in this image:
https://www.dropbox.com/s/zbikd3pfd3b116c/mj1.jpg?dl=0
Any solution to resolve this?
Hmmmm. What locale are you using? (See drop-down in bottom-left of the screenshot). I wonder if this is a double-byte character issue. I think maybe some JSON has been sent to the page but it has become corrupted possibly due to a double-byte character or some illegal or unescaped character in the JSON string.
If this just happened and you don't know why then:
a) Try some different locales from the drop down. If that doesn't help then:
b) Ensure all caches are cleared and refresh the page. If there is no change then:
c) I suggest you go to your last back up and recreate your website from that.
As mentioned it looks like the HTML of the page is all mixed up due to a malformed JSON string.
You could look at the returned content from the ajax call (using browser tools to study the response). That might give you a clue as to which part of the JSON string is corrupted. Maybe some part of the category attributes contains HTML tags which it shouldn't or there is a double-byte character or unescaped quotes in the JSON string - but that is just a guess. You might have to change your database settings and/or character settings to handle UTF16 characters.
Do all categories behave like that or just some of them? If it is only some of them then you might try deleting those categories and recreating them from scratch.
For the record I have never seen anything like this before.
Solutions a and b are not working. Then I re-installed and restored the SQL database with phpMyAdmin; everything is almost complete like before, only when I go to Manage Categories there's an error:
There has been an error processing your request
Exception printing is disabled by default for security reasons.
Error log record number: 682632812035

HTML Purifier Codeigniter

I found several posts stating that xss_clean is not sufficient for sanitizing user input. Many of them suggested using HTML Purifier in CodeIgniter.
I don't know exactly what HTML Purifier does or how it does it. How do I implement HTML Purifier?
Please guide.
xss_clean actually isn't half bad, just don't expect it to be a magic bullet in the sense of 'I use xss_clean, now my whole website is secure'.
You still have to validate input and escape output. Simply put: you have to maintain control over what people can enter in your website, and you shouldn't trust anything that is in your database, so you escape the data before you use it or show it. If you use xss_clean and form validation for sanitizing the input and you escape the output before doing anything with it or showing it, you should be just fine.
Good reads:
Codeigniter xss_clean dilemma
and
http://codeigniter.com/forums/viewthread/188698
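The "validate input and escape output" half of the advice above, as an added example in JavaScript (not CodeIgniter's xss_clean and not HTML Purifier): a strict allowlist validator for a field whose format is known, and output encoding applied at the point where stored data is rendered, chosen per context (HTML body, HTML attribute, URL parameter). The field rules and the comment markup are constructed for this example.

```javascript
// Added example, not library code: validate on the way in, encode on the way out.

// Input validation: accept only what the field is allowed to contain.
// Assumed rule for a username field: 3-32 chars of letters, digits, _ or -.
function validateUsername(value) {
  return typeof value === 'string' && /^[A-Za-z0-9_-]{3,32}$/.test(value);
}

// Output encoding for HTML text and double-quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Render stored (untrusted) data into a fragment. Each value is encoded for
// the context it lands in: attribute, text node, or URL query parameter.
function renderComment(author, body) {
  const profile = `/profile?user=${encodeURIComponent(author)}`;
  return (
    `<p class="comment" data-author="${escapeHtml(author)}">` +
    `<a href="${escapeHtml(profile)}">${escapeHtml(author)}</a>: ${escapeHtml(body)}</p>`
  );
}

// Constructed untrusted inputs: the attribute-breaking name would be rejected
// by the validator; the body is free text and is neutralised by encoding.
const badName = 'mal" onmouseover="x';
const goodName = 'alice_01';
const body = '<script>alert(1)</script> "quoted" & <b>bold</b>';
const nameAccepted = validateUsername(goodName) && !validateUsername(badName);  // true
const rendered = renderComment(goodName, body);
```

Because escaping happens at render time, it does not matter whether the value was sanitized before it reached the database; the same function is safe for data that arrived through another path.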

mod_rewrite: how to strip url of query string yet retain its values

I'd like to strip a URL of its query string using mod_rewrite but retain the values of the query string. For example, I'd like to change:
http://new.app/index.php?lorem=1&ipsum=2
to a nice clean:
http://new.app/
but retain the values of lorem and ipsum, so inside index.php:
$_GET["lorem"]
would still return 1 etc.
This is my first dabble with mod_rewrite so any help is greatly appreciated, and if you could explain exactly how your solution works, I can learn a little for next time too!
Thanks!
As Roland mentioned, you don't seem to understand the way rewriting works. It's typically done using Apache mod_rewrite in .htaccess, which silently rewrites the pretty URLs to the php script as /index.php?lorem=1&ipsum=2
Even Joomla uses .htaccess, except it has a single rewrite rule that passes EVERYTHING to a PHP script which does the actual rewriting in PHP.
What you are not understanding is that something still needs to exist in the "pretty" version for the php script to pull the value of $_GET["lorem"]
So it would be like http://new.app/lorem/ or http://new.app/section/lorem which would then (using mod_rewrite in .htaccess) rewrite TO the php script.
I don't understand exactly what you want. Your first URL is the external form, which the users see and can type into their browsers.
The second form has almost all information stripped, so when you send that to a server, how is the server supposed to know that lorem=1&ipsum=2?
If your question is really
How do I make the URLs in the browser look nice, even if the user is somewhere deep in the website clicking on URLs that carry lots of information?
then there are two solutions:
You can pass the information in small bits to the server and save them all in a session. I don't like that because then the user cannot take the URL, show it to a friend and have him see the same page.
You can have your entire web site in an HTML <frameset> containing only one <frame>. That way, the URL of the top-level window will not change, only the inner URL (which is not displayed by the browser) will.
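The point made in the first answer, as an added example in JavaScript (not from the answers, and standing in for the PHP script that a single catch-all rewrite rule would forward the path to): the values can only be recovered if the "pretty" URL still carries them, as in /lorem/1/ipsum/2. The segment-pairing scheme and the allowlist of parameter names are assumptions for this example; the allowlist is there so a crafted path cannot set arbitrary keys in the script's parameters.

```javascript
// Added example: a front-controller style router for pretty URLs. The web
// server's rewrite only forwards the path; this is what the script does next.

// Constructed allowlist of parameter names the script actually understands.
const KNOWN_PARAMS = new Set(['lorem', 'ipsum']);

// Pretty path -> parameter object, reading segments as name/value pairs.
// Returns null for odd segment counts, bad encoding, or unknown names.
function routePrettyPath(path, known = KNOWN_PARAMS) {
  let segments;
  try {
    segments = path.split('/').filter((s) => s.length > 0).map(decodeURIComponent);
  } catch (e) {
    return null;
  }
  if (segments.length % 2 !== 0) return null;
  const params = {};
  for (let i = 0; i < segments.length; i += 2) {
    const name = segments[i];
    if (!known.has(name)) return null;
    params[name] = segments[i + 1];
  }
  return params;
}

// Parameter object -> the internal form the script sees after rewriting.
function toInternalQuery(params) {
  const q = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  return `/index.php?${q}`;
}

// Parameter object -> the pretty path to emit in links, the inverse of routing.
function toPrettyPath(params) {
  const parts = Object.entries(params).flatMap(([k, v]) => [encodeURIComponent(k), encodeURIComponent(v)]);
  return '/' + parts.join('/');
}

// Usage
const params = routePrettyPath('/lorem/1/ipsum/2');   // { lorem: '1', ipsum: '2' }
const internal = toInternalQuery(params);             // /index.php?lorem=1&ipsum=2
```

A bare http://new.app/ routes to an empty parameter set, which is exactly the answer's point: nothing in that URL can tell the server that lorem was 1.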

URI encoding in Yahoo mail compose link

I have a link-generating web app. I'd like to make it easy for users to email the links they create to others using Gmail, Yahoo Mail, etc. Yahoo Mail has a particular quirk that I need a workaround for.
If you have a Yahoo mail account, please follow this link:
http://compose.mail.yahoo.com/?body=http%3A%2F%2Flocalhost%3A8000%2Fpath%23anchor
Notice that yahoo redirects to a specific mail server (e.g. http://us.mc431.mail.yahoo.com/mc/compose). As it does, it decodes the hex codes. One of them, %23, is a hash symbol which is not legal in a query string parameter value. All info after %23 is lost.
All my links are broken, and just using another character is not an option.
Calling us.mc431.yahoo.com directly works for me, but probably not for all users, depending on their location.
I've tried setting html=true|false, putting the URL in a html tag. Nothing works. Anyone got a reliable workaround for this particular quirk?
Note: any server-based workaround is a non-starter for me. This has to be a link that's just between Yahoo and the end-user.
Thanks
Here is how I do it:
run a window.escape on those chars: & ' " # > < \
run an encodeURIComponent on the full string
It works for most of my cases, though newline (\n) is still an issue; I replace \n with a space in my case and it worked fine.
I have been dealing with the same problem the last couple of hours and I found a workaround!
If you double-encode the anchor it will be interpreted correctly by Yahoo. That means change %23 to %2523 (the percent-sign is %25 encoded).
So your URI will be:
http://compose.mail.yahoo.com/?body=http%3A%2F%2Flocalhost%3A8000%2Fpath%2523anchor
The same workaround can be used for ampersand. If you only encode that as %26, then Yahoo will convert that to "&" which will discard the rest of message. Same procedure as above - change %26 to %2526.
I still haven't found a solution to the newline-problem though (%0D and %0A).
For the newline, add the newline as < BR > and double-encode it too; it is interpreted successfully as a new line in the new message.
I think you're at the mercy of what Yahoo's server does when it issues the HTTP redirect. It seems like it should preserve the URL escaping on the redirect, but isn't. However, without knowledge of their underlying application, it's hard to say why it wouldn't. Perhaps, it's just an unintended side effect (or bug), or perhaps some of the Javascript features on that page require them to do some finagling with the hash tag.
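The double-encoding workaround from the answers above, as an added example in JavaScript (not Yahoo's code): the body is encoded once, then only the percent sign of the characters that were being lost (# and &) is encoded again, so that one decode on Yahoo's side still leaves them encoded. The redirect is modelled on what the question observed, a single percent-decode of the query value before it is spliced into the mail server's URL; that model, the mail-server hostname taken from the question, and the newline case being left out are the assumptions here.

```javascript
// Added example: build a Yahoo compose link that survives one extra decode.
const BODY_URL = 'http://localhost:8000/path#anchor';

// Encode once, then re-encode the '%' of %23 ('#') and %26 ('&') only.
function yahooBody(text) {
  return encodeURIComponent(text).replace(/%(23|26)/g, '%25$1');
}

function composeLink(body) {
  return `http://compose.mail.yahoo.com/?body=${yahooBody(body)}`;
}

// Read one query parameter without URLSearchParams, whose '+' and decoding
// rules would hide exactly the effect being demonstrated.
function readRawParam(u, name) {
  const m = new RegExp(`(?:^|[?&])${name}=([^&#]*)`).exec(u.search);
  return m ? m[1] : '';
}

// Model of the redirect: decode the body value once, then place the decoded
// text into the mail server's URL, where a bare '#' becomes a fragment and a
// bare '&' starts a new parameter.
function simulateYahooRedirect(link) {
  const decodedOnce = decodeURIComponent(readRawParam(new URL(link), 'body'));
  return new URL(`http://us.mc431.mail.yahoo.com/mc/compose?body=${decodedOnce}`);
}

// What the compose page finally sees after decoding its own query parameter.
function finalBody(link) {
  return decodeURIComponent(readRawParam(simulateYahooRedirect(link), 'body'));
}

// Usage: the single-encoded link from the question loses the anchor; the
// double-encoded one keeps it.
const singleEncoded = `http://compose.mail.yahoo.com/?body=${encodeURIComponent(BODY_URL)}`;
const doubleEncoded = composeLink(BODY_URL);
const lost = finalBody(singleEncoded);   // http://localhost:8000/path
const kept = finalBody(doubleEncoded);   // http://localhost:8000/path#anchor
```

Only the fragile characters are double-encoded; everything else stays single-encoded so that a correctly behaving mail client still sees the right text.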
