A pitfall in codeigniter that uses csrf token

This is the case. An automated scanning tool says my code has an XSS vulnerability. If you don't know what the XSS is, you can check it here.

Enable the csrf token of the codeigniter framework in my code, as follows:

For more information, see the official CI documentation. The main usage is to automatically insert a hidden token value during form_open, of course, you can also use PHP echo security-> csrf_hash to work with other usages.

Next let's talk about my Code. The Code in controller is as follows:

View-Layer Code the page here is relatively simple:

The Code only generates a form with a token for communication between the page and the server.

After the code is introduced, let's look at the place where the automation tool thinks there is XSS.

Automated tools are judged by these two points. Therefore, we can view the form_open source code:

As you can see, when the form_open function action is empty, the form action takes the current URL by default.

If the current URL has "isn't it possible to truncate HTML and cause XSS?", let's construct it:

By default, it is intercepted by the CI framework. Because of invalid characters, this character is defined in config. php:

Sometimes text blocking occurs in the URL because of this configuration.

The general procedure is as follows:

Index. php

Codeigniter. php

Router. php

Uri. php

Uri. php

As shown in the preceding example, if the form_open parameter is null, security issues may occur. However, by default, CI intercepts these illegal characters, so it does not pose a threat. However, to ensure security, we should develop a good habit. form_open must have a non-null action parameter, even if this form is not used.