CodeIgniter 4, Stored XSS, CVE(N/A) (Critical)

Listen to this Post

The custom `html_purify` validation rule in `Modules\Backend\Validation\CustomRules.php` declares its first argument by reference (?string &$str). CodeIgniter 4’s validator (Validation.php:204-211) copies `$this->data` into a local `$value` before invoking the rule. The by-reference mutation modifies only that local copy; $this->data, $_POST, and `getValidated()` retain the raw, unsanitized payload. The `Blog` controller (Blog.php:94-125) writes `$lanData[‘content’]` directly into `blog_langs.content` with no extra filtering. The public template `blog/post.php:51` echoes `content ?>` without escaping. An attacker with `blogs.create` or `blogs.update` permission submits a malicious `

Scroll to Top