I'm using the CodeIgniter PHP framework. I use JS to dynamically load a PHP page:

$('someIFrame').writeAttribute(
   'src',
   '/index.php/controller/method/' +
   escape(userGeneratedString)
);

When I ran this, CodeIgniter gave me this error:

http://192.168.0.81/index.php/controller/method/dude%27s%20face
An Error Was Encountered
The URI you submitted has disallowed characters.

This is totally untrue because the URL in question did not contain any disallowed characters. My config file allows all the characters present in that URL:

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_()@\-';

So I got frustrated and just allowed all characters to prevent the error.

// Leave blank to allow all characters -- but only if you are insane.
// DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
//$config['permitted_uri_chars'] = 'a-z 0-9~%.:_()@\-';
$config['permitted_uri_chars'] = '';

The warning message above this line sounds scary. What can possibly go wrong by allowing all characters? Will I get hacked?

Comments

Note that the lower your accept rate, the less likely you are to get an answer, since it implies you don't care about giving feedback.

Written by thisMayhem

@thisMayhem Since it implies that you don't care about giving feedback. Not the same, yes? ;) @JoJo You can accept answers by clicking on the green check outline beside answers - this means that that particular answer has helped solve your problem. This gives a small reward to both the answerer and asker for their effort, and marks the question as solved.

Written by Yi Jiang

Accepted Answer

The URLs in CodeIgniter are URL-decoded, so %27 translates to ', which wasn't on your allowed character list and therefore triggered the error. So you need to allow the characters once decoded. In other words, by the time CodeIgniter sees your %27, it's already been decoded into a '.


Written by thisMayhem
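To make the accepted answer's point concrete, here is a small Python model of a decode-then-check URI filter. This is an added example, not CodeIgniter's own code and not the answerer's; it assumes (as a simplification) that CodeIgniter URL-decodes each path segment, uses the permitted_uri_chars value as the body of a case-insensitive regex character class, and skips the check entirely when the value is empty. The URI and the original permitted list are taken from the question; the extended list with an apostrophe added is a hypothetical fix.

```python
import re
from urllib.parse import unquote

# Values constructed from the question: the original config value and the URI that failed.
ORIGINAL_PERMITTED = r"a-z 0-9~%.:_()@\-"
# Hypothetical fix: permit the apostrophe that %27 decodes to.
EXTENDED_PERMITTED = ORIGINAL_PERMITTED + "'"
FAILING_URI = "/index.php/controller/method/dude%27s%20face"


def segment_allowed(segment, permitted_uri_chars, decode_first=True):
    """Model of the permitted-character check (assumption: simplified, not CI's code).

    permitted_uri_chars is used as the body of a regex character class, which is how
    the CodeIgniter config value is written. An empty value disables the check.
    Returns (allowed, tested_string) so the caller can see what was actually matched.
    """
    tested = unquote(segment) if decode_first else segment
    if permitted_uri_chars == "":
        return True, tested
    pattern = re.compile("^[" + permitted_uri_chars + "]+$", re.IGNORECASE)
    return pattern.match(tested) is not None, tested


def rejected_segments(uri, permitted_uri_chars, decode_first=True):
    """Split the path after /index.php into segments and return those that fail
    the check as (raw, tested) pairs. Empty segments from leading/trailing
    slashes are ignored, as they are not real URI segments."""
    path = uri.split("/index.php", 1)[-1]
    rejected = []
    for raw in path.split("/"):
        if raw == "":
            continue
        ok, tested = segment_allowed(raw, permitted_uri_chars, decode_first)
        if not ok:
            rejected.append((raw, tested))
    return rejected


if __name__ == "__main__":
    # Checked raw (undecoded), the segment passes: '%', digits and letters are all permitted.
    print("raw check:", rejected_segments(FAILING_URI, ORIGINAL_PERMITTED, decode_first=False))
    # Checked after decoding, the apostrophe in "dude's face" is not permitted -> error.
    print("decoded check:", rejected_segments(FAILING_URI, ORIGINAL_PERMITTED))
    # Permitting the decoded character is the targeted fix.
    print("extended list:", rejected_segments(FAILING_URI, EXTENDED_PERMITTED))
    # An empty list turns the filter off for every segment, not just this one.
    print("empty list:", rejected_segments(FAILING_URI, ""))
```

The raw-versus-decoded comparison is the whole confusion in the question: every byte of `dude%27s%20face` is in the permitted list, but the string the filter actually sees is `dude's face`. Adding only the decoded character you need keeps the allow-list narrow, whereas an empty value disables the filter for all segments.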
This page was built to provide you with fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki