CodeIgniter Forums
XSS replaces in the documentation - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forumdisplay.php?fid=6)
+--- Forum: Issues (https://forum.codeigniter.com/forumdisplay.php?fid=19)
+--- Thread: XSS replaces in the documentation (/showthread.php?tid=69962)



XSS replaces in the documentation - Elias - 02-02-2018

Hello!

I see that in the documentation (for example https://www.codeigniter.com/user_guide/helpers/url_helper.html ) some http:// are replaced with http & # 5 8 ; // (without spaces)

Is it normal? Thanks)


RE: XSS replaces in the documentation - Elias - 02-10-2018

And as it seems to me, I found a bug in xss_clean() function/method:
xss_clean() translates

Code:
<video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls><source src="/mov_bbb.ogg"></video>

to

Code:
&lt;video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls&gt;<source src="/mov_bbb.ogg">&lt;/video&gt;

Also works for the <audio> tag.


RE: XSS replaces in the documentation - wishmaster - 02-10-2018

Do not use xss_clean() at all.


RE: XSS replaces in the documentation - falko - 02-10-2018

(02-10-2018, 02:25 PM)wishmaster Wrote: Do not use xss_clean() at all.

Why?


RE: XSS replaces in the documentation - PaulD - 02-11-2018

Of course you can use xss_clean. The $config['global_xss_filtering'] config setting to clean all input has been deprecated because you should clean output not input.

I think some people think it is a heavy function that can cause a slow down if it is used inappropriately or on every possible output. But user input does need to be cleaned on output.

Paul.


RE: XSS replaces in the documentation - Elias - 02-11-2018

I want to filter a part of the output HTML code that contains user data (a link to a video file).
I do not filter all output through xss_clean, just the <video> tag.

I do this because filtering only the link does not clean some bad strings...


RE: XSS replaces in the documentation - wishmaster - 02-11-2018

Because regexp is a bad idea for filtering. Use Zend Escaper and/or HTMLPurifier.


RE: XSS replaces in the documentation - PaulD - 02-11-2018

It is always awkward with user links like that. I would get the user to input the video code and the poster file separately, and build the video html around those two bits of data in the view.
But if you want users to post html directly copied from say YouTube, you may have to have a moderation queue where the link can be checked first. XSS clean will take all the html coding away and replace with html entities like you have seen.

Not entirely sure what the best way forward is on an example like that. If only admins are using it I think you would be safe enough (trusted users) but I would not let any user post HTML video links like that without moderating in some way. You never know what might be being posted.

Paul.


RE: XSS replaces in the documentation - Narf - 02-12-2018

(02-02-2018, 11:57 AM)Elias Wrote: Hello!

I see that in the documentation (for example https://www.codeigniter.com/user_guide/helpers/url_helper.html ) some http:// are replaced with http & # 5 8 ; // (without spaces)

Is it normal? Thanks)

That's not an "XSS replace" ... The manual doesn't concern itself with XSS, because it doesn't need to.

We use Sphinx to generate the manual from sources; recently updated it, and apparently the older version used to render HTML entities, so they were written like that in our sources, to avoid the string 'http://' being auto-converted to an anchor tag.

Fixed the ones I've found: https://github.com/bcit-ci/CodeIgniter/commit/84760562d5bb875af0a33b0d0f636dc3081db7c0

(02-10-2018, 12:46 PM)Elias Wrote: And as it seems to me, I found a bug in xss_clean() function/method:
xss_clean() translates

Code:
<video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls><source src="/mov_bbb.ogg"></video>

to

Code:
&lt;video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls&gt;<source src="/mov_bbb.ogg">&lt;/video&gt;

Also works for the <audio> tag.

Not a bug.

(02-11-2018, 10:46 AM)wishmaster Wrote: Because regexp is a bad idea for filtering. Use Zend Escaper and/or HTMLPurifier.

That regexp argument is a red herring.

It's true that regular expressions probably aren't the best tool for the job, but that's not at all what the flaw in xss_clean() is. The problem is that it is blind to context.
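The approach PaulD suggests above (take the poster image and the video file as two separate fields and build the <video> markup around them in the view) and Narf's point that the real weakness of xss_clean() is context-blindness are illustrated by the following added example. It is not code from this thread or from CodeIgniter; it is plain PHP with no framework dependency, and the helper names safe_media_url(), attr() and render_video() are invented for the illustration. Each value is validated for what it is (a URL) and then escaped for the exact place it lands (a double-quoted attribute), so no generic HTML filter is needed.

```php
<?php
// Added example, not CodeIgniter project code: build <video> markup from two
// separately submitted fields, escaping each for the context it lands in,
// instead of accepting raw HTML from the user and running it through xss_clean().

/**
 * Accept only an absolute http(s) URL or a site-relative path.
 * Returns null when the value is rejected. Allowlisting the scheme is the
 * check that matters here: it keeps javascript: and data: URLs out of
 * src/poster attributes, where attribute escaping alone would not help.
 */
function safe_media_url(string $url): ?string
{
    $url = trim($url);

    // Site-relative path such as /mov_bbb.ogg: leading "/" but not a
    // protocol-relative "//host/..." that would escape to another origin.
    if ($url !== '' && $url[0] === '/' && (!isset($url[1]) || $url[1] !== '/')) {
        return $url;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Escape a value for use inside a double-quoted HTML attribute. */
function attr(string $s): string
{
    // ENT_QUOTES escapes both quote styles; CodeIgniter's html_escape()
    // helper wraps the same htmlspecialchars() call.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The view-side builder: the user never supplies markup, only the two
 * values, so the tag structure is always ours and only the values vary.
 */
function render_video(string $poster_input, string $source_input): string
{
    $poster = safe_media_url($poster_input);
    $source = safe_media_url($source_input);

    if ($source === null) {
        return '<p>Invalid video URL.</p>';
    }
    // A rejected poster is simply dropped; the video still renders.
    $poster_attr = $poster === null ? '' : ' poster="' . attr($poster) . '"';

    return '<video' . $poster_attr . ' controls>'
         . '<source src="' . attr($source) . '">'
         . '</video>';
}

// Constructed inputs: the legitimate pair from the thread, then two hostile ones.
echo render_video(
    'http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg',
    '/mov_bbb.ogg'
), "\n";

// Poster uses a disallowed scheme, so it is dropped rather than emitted.
echo render_video('javascript:alert(1)', '/mov_bbb.ogg'), "\n";

// Poster tries to break out of the attribute; it fails URL validation, and
// even if it had passed, attr() would have neutralised the quote characters.
echo render_video('" onmouseover="alert(1)', 'https://example.com/clip.ogg'), "\n";
```

The same user value would need a different escaper in a different slot (a JavaScript string, a CSS value, a URL query parameter), which is what "context" means in Narf's reply: the escaping is chosen by the output location, not by inspecting the input for dangerous-looking substrings.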


RE: XSS replaces in the documentation - Elias - 02-12-2018

(02-12-2018, 06:24 AM)Narf Wrote: Not a bug.

Why? Tags like <b> or <a> are not replaced... What's a normal input string for xss_clean()?

Thanks for the answers :)