As part of the Input class of CodeIgniter, the $_POST array is sanitized and cleaned before your controller methods are executed. To clarify, I understand that:
$this->input->post('some_var');
has XSS filtering performed on it, but even if your controller reads $_POST['some_var'] directly, the value may already have been modified by the _sanitize_globals method in the Input class.
Here's one example. If you post "Body => test\r\n", you get the following:
var_dump($_POST['Body']); // Should be 6 characters long
string(5) "test "
var_dump(strpos($_POST['Body'], "\r"));
bool(false)
By extending CI_Input, you can get the $_POST array before it is potentially modified, which you can then use to validate requests from Twilio.
<?php
class MY_Input extends CI_Input {
    public $completely_raw_post;
    public function __construct()
    {
        // Copy $_POST before parent::__construct() runs _sanitize_globals() on it
        $this->completely_raw_post = $_POST;
        parent::__construct();
    }
}
/* End of file MY_Input.php */
/* Location: ./application/core/MY_Input.php */
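To show why the unmodified copy matters, here is an added example (my own code, not from the post above or from CodeIgniter or Twilio's libraries). It recomputes the X-Twilio-Signature value using Twilio's documented scheme, HMAC-SHA1 over the request URL followed by every POST key/value pair sorted by key, base64-encoded, first over a copy of the parameters with CodeIgniter's newline normalisation applied and then over the raw copy kept by MY_Input. The auth token, URL and request body are constructed placeholders, and ci_newline_normalise() is my approximation of what CI_Input::_clean_input_data() does to line endings, not the framework's own code.

```php
<?php
// Added example: validating a Twilio request needs the raw POST parameters,
// because CodeIgniter's sanitising changes the bytes the signature covers.

// Twilio's documented signing scheme: URL, then key.value for every POST
// parameter sorted by key, HMAC-SHA1 with the account auth token, base64.
function twilio_signature($auth_token, $url, array $params)
{
    ksort($params);
    $data = $url;
    foreach ($params as $key => $value) {
        $data .= $key . $value;
    }
    return base64_encode(hash_hmac('sha1', $data, $auth_token, true));
}

// Constant-time comparison of the header against our recomputation.
// hash_equals() needs PHP 5.6+; on older builds a manual loop is required.
function twilio_request_is_valid($auth_token, $url, array $params, $header_signature)
{
    return hash_equals(twilio_signature($auth_token, $url, $params), $header_signature);
}

// Assumption: mimics CI_Input::_clean_input_data() turning "\r\n" and "\r"
// into "\n" (the behaviour the post observed: strpos(..., "\r") === false).
function ci_newline_normalise(array $params)
{
    foreach ($params as $key => $value) {
        $params[$key] = preg_replace("/\015\012|\015|\012/", "\n", $value);
    }
    return $params;
}

// Constructed placeholders; a real deployment reads these from config.
$auth_token = 'PLACEHOLDER_TWILIO_AUTH_TOKEN';
$url        = 'https://example.invalid/sms/inbound';

// Constructed inbound request: Twilio signed the body with the CRLF intact.
$raw_post         = array('From' => '+15005550006', 'Body' => "test\r\n");
$header_signature = twilio_signature($auth_token, $url, $raw_post);

// What a controller sees in $_POST after _sanitize_globals() has run.
$sanitised_post = ci_newline_normalise($raw_post);

// Inside a CodeIgniter controller the two inputs would be
// $_POST (sanitised) and $this->input->completely_raw_post (raw).
echo "sanitised \$_POST validates: ";
var_dump(twilio_request_is_valid($auth_token, $url, $sanitised_post, $header_signature));
echo "raw copy validates:         ";
var_dump(twilio_request_is_valid($auth_token, $url, $raw_post, $header_signature));
```

The point of the two var_dump lines is that the same request, with the same auth token and URL, validates only when the signature is recomputed over the bytes Twilio actually signed; any rewrite of a parameter value on the way in, newline normalisation included, makes a legitimate request look forged.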
Hooray!
P.S. Does anyone have any suggestions for formatting code on Blogger?