{"id":726,"date":"2022-08-30T15:06:09","date_gmt":"2022-08-30T15:06:09","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2013\/11\/09\/codeigniter-disallowed-characters-error-collection-of-common-programming-errors\/"},"modified":"2022-08-30T15:06:09","modified_gmt":"2022-08-30T15:06:09","slug":"codeigniter-disallowed-characters-error-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2022\/08\/30\/codeigniter-disallowed-characters-error-collection-of-common-programming-errors\/","title":{"rendered":"codeigniter disallowed characters error-Collection of common programming errors"},"content":{"rendered":"<p>Yeah, if you want to allow non-ASCII bytes you would have to add them to <code>permitted_uri_chars<\/code>. This feature operates on URL-decoded strings (normally, unless there is something unusual about the environment), so you have to put the verbatim bytes you want in the string and not merely <code>%<\/code> and the hex digits. (Yes, I said bytes: <code>_filter_uri<\/code> doesn&#8217;t use Unicode regex, so you can&#8217;t use a Unicode range.)<\/p>\n<p>Trying to filter incoming values (instead of encoding outgoing ones) is a ludicrously basic error that it is depressing to find in a popular framework. You can turn this misguided feature off by setting <code>permitted_uri_chars<\/code> to an empty string, or maybe you would like a range of all bytes except for control codes (<code>\"\\x20-\\xFF\"<\/code>). Unfortunately the <code>_filter_uri<\/code> function still does crazy, crazy, broken things with some input, HTML-encoding some punctuation on the way in for some unknown bizarre reason. And you don&#8217;t get to turn this off.<\/p>\n<p>This, along with the broken \u201canti-XSS\u201d mangler, makes me believe the CodeIgniter team have quite a poor understanding of how string escaping and security issues actually work. I would not trust anything they say on security ever.<\/p>\n<p id=\"rop\"><small>Originally posted 2013-11-09 21:44:07. <\/small><\/p>","protected":false},"excerpt":{"rendered":"<p>Yeah, if you want to allow non-ASCII bytes you would have to add them to permitted_uri_chars. This feature operates on URL-decoded strings (normally, unless there is something unusual about the environment), so you have to put the verbatim bytes you want in the string and not merely % and the hex digits. (Yes, I said [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-726","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/726","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=726"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/726\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}