The CodeIgniter framework contains a function, xss_clean(), which is intended to filter out potential XSS attacks. The xss_clean() function would only strip attributes from HTML tags that were properly closed. However, browsers which see unclosed tags can choose to parse them as though they were properly formed. For example:
The lack of a > at the end meant that the onerror attribute wasn`t stripped by xss_clean(). However, browsers would parse this input as a valid img tag with src and onerror attributes.
- Upgrade to the latest version of CodeIgniter (this problem was fixed in version 2.1.4).
- WordPress Plugin Live Streaming/Broadcast Live Video Cross-Site Scripting (4.27.2)
- WordPress Plugin WordPress Download Manager Cross-Site Scripting (2.9.86)
- WordPress Plugin Limit Attempts by BestWebSoft Cross-Site Scripting (1.1.7)
- WordPress Plugin iThemes Security (formerly Better WP Security) Cross-Site Scripting (5.6.1)
- WordPress Plugin Ninja Forms-The Easy and Powerful Forms Builder Multiple Cross-Site Scripting Vulnerabilities (2.8.8)