ci_csrf_token was set to "onmouseover = prompt (XSS) bad ="

I used the ci_csrf_token hidden field in my forms, but every form in my script gets an alert with Acunetix Web Vulnerability Scanner.

Alert details:

Cookie input ci_csrf_token was set to " onmouseover=prompt(965267) bad=" The input is reflected inside a tag element between double quotes.

In view source:

<input type="hidden" name="ci_csrf_token" value="\\" onmouseover=prompt(965267) bad=\"" />

Can anyone help me solve it?

asked Mar 10 '12 at 13:03

1 Answer

You need to HTML-attribute-encode the token before you put it into the hidden field. Do you add it to the form on the client side or the server side? If you do it on the server side, you may want to do input validation to make sure the token is in the expected format.

answered Mar 11 '12 at 07:03

CodeIgniter adds the token automatically. - Wesley Murch

I checked in form validation with: $this->form_validation->set_rules('ci_csrf_token','required|trim|xss_clean|escape'); but it does not work and it is not solved... - Hamed Yarandi

We should find a solution for preventing changes to this token. - Hamed Yarandi
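The two measures the answer describes, as an added PHP example that is not from the question, the answer or CodeIgniter itself: the token read from the request is validated against an expected format before it is used, and it is HTML-attribute-encoded when written into the hidden field. The 32-hex-character token format, the `$_COOKIE`-style array input and the helper names are assumptions; the page does not state the token's format.

```php
<?php
// Added example, not CodeIgniter's own code. Assumes the CSRF token is
// a 32-character lowercase hex string (an assumption, not stated on the page).

const CSRF_TOKEN_NAME    = 'ci_csrf_token';
const CSRF_TOKEN_PATTERN = '/^[a-f0-9]{32}$/';

/**
 * Validate the token taken from the cookie/POST data before it is ever
 * echoed back. Anything that is not exactly 32 hex characters is rejected
 * and the function returns null, so a caller must regenerate a token.
 */
function csrf_token_from_request(array $request): ?string
{
    $raw = $request[CSRF_TOKEN_NAME] ?? '';
    return preg_match(CSRF_TOKEN_PATTERN, $raw) === 1 ? $raw : null;
}

/**
 * Render the hidden field. The value is always attribute-encoded with
 * ENT_QUOTES, so double quotes in the value become &quot; and cannot
 * terminate the value="..." attribute, even if validation were skipped.
 */
function csrf_hidden_field(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME
         . '" value="' . $safe . '" />';
}

// Constructed input: the scanner payload quoted in the question.
$hostileRequest = [CSRF_TOKEN_NAME => '" onmouseover=prompt(965267) bad="'];

// Vulnerable pattern from the question: the raw value is concatenated
// straight into the attribute, so the quote breaks out of value="...".
$vulnerable = '<input type="hidden" name="' . CSRF_TOKEN_NAME
            . '" value="' . $hostileRequest[CSRF_TOKEN_NAME] . '" />';

// Hardened: format validation discards the payload entirely, and the
// encoding helper keeps it inside the attribute if it is rendered anyway.
$validated = csrf_token_from_request($hostileRequest);
$encoded   = csrf_hidden_field($hostileRequest[CSRF_TOKEN_NAME]);

echo "vulnerable: ", $vulnerable, "\n";
echo "validated:  ", var_export($validated, true), "\n";
echo "encoded:    ", $encoded, "\n";
```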
