Lukasz Pilorz has reported a vulnerability and a weakness in CodeIgniter, which can be exploited by malicious people to disclose sensitive information and conduct cross-site scripting and header injection attacks.

There are two problems that lead to this issue - a non-sanitized input parameter and unsanitized data being passed to the xss_clean function. These issues affect CodeIgniter version 1.5.3 and, as of the time of this post, no update has been made in an official release. It is mentioned, however, that the problem has been fixed in the CVS and is waiting for a release.

Needing to pick out some bits from a smallish (40 lines) XML document studded with namespaces, I first turned to DomXPath. Worked great, code's concise, XPath expression is simple. But I had the nagging thought that using DOM traversal functions should be faster.

The results from his test? The DOM traversal is about four times faster than using XPath to achieve the same thing.

That 4x speed multiple translates into about a half second to execute for the XPath code and about 0.13 seconds to execute for the DOM code when each is run 10,000 times. Since a typical use of this code will involve it running maybe 10 or 20 times during a request, I'm happy to sacrifice a few microseconds of processor time in exchange for simpler code. ]]> Thu, 23 Feb 2006 06:43:03 -0600