XSS replaces in the documentation

#1
Hello!

I see that in the documentation (for example https://www.codeigniter.com/user_guide/h...elper.html ) some http:// are replaced with http & # 5 8 ; // (without spaces)

Is it normal? Thanks)
Reply

#2
And as it seems to me, I found a bug in xss_clean() function/method:
xss_clean() translates

Code:
<video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls><source src="/mov_bbb.ogg"></video>

to

Code:
&lt;video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls&gt;<source src="/mov_bbb.ogg">&lt;/video&gt;

Also works for the <audio> tag.
Reply

#3
Do not use xss_clean() at all.
Reply

#4
(02-10-2018, 02:25 PM)wishmaster Wrote: Do not use xss_clean() at all.

Why?
Reply

#5
Of course you can use xss_clean. The $config['global_xss_filtering'] config setting to clean all input has been deprecated because you should clean output not input.

I think some people think it is a heavy function that can cause a slow down if it is used inappropriately or on every possible output. But user input does need to be cleaned on output.

Paul.
Reply

#6
I want to filter a part of the output HTML code that contains user data (a link to a video file).
I do not filter all output through xss_clean, just the <video> tag.

I do this because filtering only the link does not clean some bad strings...
Reply

#7
Because regexp is a bad idea for filtering. Use Zend escaper and/or HTMLPurifier
Reply

#8
It is always awkward with user links like that. I would get the user to input the video code and the poster file separately, and build the video html around those two bits of data in the view.
But if you want users to post html directly copied from say YouTube, you may have to have a moderation queue where the link can be checked first. XSS clean will take all the html coding away and replace with html entities like you have seen.

Not entirely sure what the best way forward is on an example like that. If only admins are using it I think you would be safe enough (trusted users) but I would not let any user post HTML video links like that without moderating in some way. You never know what might be being posted.

Paul.
Reply

#9
(02-02-2018, 11:57 AM)Elias Wrote: Hello!

I see that in the documentation (for example https://www.codeigniter.com/user_guide/h...elper.html ) some http:// are replaced with http & # 5 8 ; // (without spaces)

Is it normal? Thanks)

That's not an "XSS replace" ... The manual doesn't concern itself with XSS, because it doesn't need to.

We use Sphinx to generate the manual from sources; recently updated it, and apparently the older version used to render HTML entities, so they were written like that in our sources, to avoid the string 'http://' being auto-converted to an anchor tag.

Fixed the ones I've found: https://github.com/bcit-ci/CodeIgniter/c...c3081db7c0

(02-10-2018, 12:46 PM)Elias Wrote: And as it seems to me, I found a bug in xss_clean() function/method:
xss_clean() translates

Code:
<video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls><source src="/mov_bbb.ogg"></video>

to

Code:
&lt;video poster="http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg" controls&gt;<source src="/mov_bbb.ogg">&lt;/video&gt;

Also works for the <audio> tag.

Not a bug.

(02-11-2018, 10:46 AM)wishmaster Wrote: Because regexp is a bad idea for filtering. Use Zend escaper and/or HTMLPurifier

That regexp argument is a red herring.

It's true that regular expressions probably aren't the best tool for the job, but that's not at all what the flaw in xss_clean() is. The problem is that it is blind to context.
Reply
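
Paul's suggestion in #8 (take the poster URL and the video source as two separate fields and build the tag in the view) and Narf's point above that xss_clean() is blind to context fit together; the following is an added PHP example, not CodeIgniter's own code, of escaping each field for the HTML attribute context it lands in. Function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example (not CodeIgniter's code): build the <video> tag from two
// separately submitted fields, validating and escaping each one for the
// double-quoted attribute context, instead of passing finished markup
// through xss_clean(). Function names and inputs are constructed.

// Accept only absolute http(s) URLs or site-relative paths; anything else
// (javascript:, data:, protocol-relative "//host", garbage) is rejected.
function safe_media_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    // Site-relative path such as /mov_bbb.ogg: must not start with "//".
    if ($url[0] === '/') {
        return (isset($url[1]) && $url[1] === '/') ? null : $url;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Escape a value for a double-quoted HTML attribute (the context matters:
// this is not the same escaping you would use inside a <script> or a URL).
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns the finished tag, or null if either field is unacceptable.
function video_tag(string $poster, string $src): ?string
{
    $poster = safe_media_url($poster);
    $src    = safe_media_url($src);
    if ($poster === null || $src === null) {
        return null;
    }
    return '<video poster="' . attr($poster) . '" controls>'
         . '<source src="' . attr($src) . '"></video>';
}

// Constructed inputs: the thread's own example, a poster with a scheme that
// is not on the allow-list, and a poster containing a stray double quote.
var_dump(video_tag('http://vseprosto.top/wp-content/uploads/2016/10/CodeIgniter-Development.jpg', '/mov_bbb.ogg'));
var_dump(video_tag('javascript:alert(1)', '/mov_bbb.ogg'));
var_dump(video_tag('http://example.com/a.jpg" x="y', '/mov_bbb.ogg'));
```

The first call yields the same markup the poster showed in #2 untouched, the second is refused outright, and in the third the quote is emitted as an entity so it cannot close the attribute.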

#10
(02-12-2018, 06:24 AM)Narf Wrote: Not a bug.

Why? Tags like <b> or <a> are not replaced... What's a normal input string for xss_clean()?

Thanks for the answers
Reply
