
Fixed  Cookie with URL encoding

Mike Creuzer

Well-known member
#1
Hello,

On my site, we use CodeIgniter, which is a common framework. It has a function that searches for all cookies on a given domain. This is the function:

PHP:
/**
 * Clean Keys
 *
 * This is a helper function. To prevent malicious users
 * from trying to exploit keys we make sure that keys are
 * only named with alpha-numeric text and a few other items.
 *
 * @access private
 * @param string
 * @return string
 */
function _clean_input_keys($str)
{
    if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
    {
        exit('Disallowed Key Characters.');
    }

    // Clean UTF-8 if supported
    if (UTF8_ENABLED === TRUE)
    {
        $str = $this->uni->clean_string($str);
    }

    return $str;
}
I noticed while styling themes, my main site would break and leave an error message (Disallowed Key Characters). We were able to figure out exactly what was going on and it was the following cookie causing the issue:

Code:
xf_FilterList_admin.php%3Ftemplates%2F
It's not a huge issue I suppose, but it is rather annoying.

Thanks a lot!
Mike Creuzer
Audentio.com
 

Mike

XenForo developer
Staff member
#2
It may be worth working around this, but I believe this is a bug in CodeIgniter. I'm just looking at RFCs to be clear.
 

Mike

XenForo developer
Staff member
#3
Well, it's not necessarily a bug in CI, more of a strange design decision (IMO). However, the RFCs do allow % in cookie names (which may be decoded to the raw character by the time CI sees it). That said, it's probably still ok to remove special chars.
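
The check from post #1 applied to the reported cookie name in both its raw and URL-decoded forms, as an added example that is not part of the thread and is not CodeIgniter or XenForo code. The helper names and the `ci_session` entry in the sample cookie array are constructed for illustration.

```php
<?php
// Added example; not CodeIgniter or XenForo code. Helper names are hypothetical.
// Key allow-list copied from _clean_input_keys() in post #1.
const CI_KEY_PATTERN = '/^[a-z0-9:_\/-]+$/i';

// Same test as _clean_input_keys(), returning a bool instead of calling exit().
function key_is_allowed(string $key): bool
{
    return preg_match(CI_KEY_PATTERN, $key) === 1;
}

// Distinct characters in $key that fall outside the allow-list.
function rejected_chars(string $key): array
{
    preg_match_all('/[^a-z0-9:_\/-]/i', $key, $m);
    return array_values(array_unique($m[0]));
}

// Setter-side workaround: drop every character the allow-list would reject.
function strip_special(string $name): string
{
    return preg_replace('/[^a-z0-9:_\/-]/i', '', $name);
}

// Reader-side alternative to exit(): split a cookie array into kept and dropped keys.
function partition_cookies(array $cookies): array
{
    $kept = $dropped = [];
    foreach ($cookies as $key => $value) {
        if (key_is_allowed((string) $key)) {
            $kept[$key] = $value;
        } else {
            $dropped[] = $key;
        }
    }
    return [$kept, $dropped];
}

$raw     = 'xf_FilterList_admin.php%3Ftemplates%2F'; // cookie name from post #1
$decoded = urldecode($raw);                          // form the reader may see instead

foreach (['raw' => $raw, 'decoded' => $decoded] as $form => $name) {
    printf("%-8s allowed=%s rejected=[%s] stripped=%s\n", $form,
        var_export(key_is_allowed($name), true),
        implode(' ', rejected_chars($name)), strip_special($name));
}
// Constructed cookie jar: one session cookie plus the cookie from post #1.
[$kept, $dropped] = partition_cookies(['ci_session' => 'abc123', $decoded => '1']);
printf("kept=%s dropped=%s\n", implode(',', array_keys($kept)), implode(',', $dropped));
```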
 
#4
<?php
$title=urlencode('Title of Your iFrame Tab');
$url=urlencode('http://www.facebook.com/wordpressdesign');
$summary=urlencode('Custom message that summarizes what your tab is about, or just a simple message to tell people to check out your tab.');
$image=urlencode('http://www.yourdomain.com/images/share-thumbnail.jpg');
?>

<a onClick="window.open('http://www.facebook.com/sharer.php?s=100&amp;p[title]=<?php echo $title;?>&amp;p[summary]=<?php echo $summary;?>&amp;p[url]=<?php echo $url; ?>&amp;p[images][0]=<?php echo $image;?>','sharer','toolbar=0,status=0,width=548,height=325');" href="javascript: void(0)">Insert text or an image here.</a>



Please convert to XenForo code.


 

Slavik

XenForo moderator
Staff member
#5
Hi,
I see you haven't linked your forum account to your license. You can do that in the Forum Users section of the Customer Area here: http://xenforo.com/customers
Then we will be able to provide forum support.
Thanks.
//Slav