CodeIgniter Forums

Full Version: xss filtering Q: Fatal error: Call to undefined function get_instance() ...system/libraries/Input.php on line 855

El Forum

[eluser]chrisco23[/eluser]
Hi all,

This evening I upgraded CI on one of my sites from 1.5.0.1 to 1.5.4.

Everything went pretty smoothly for the most part but one thing concerns me that I'm still not clear on.

When I first upgraded, I tried to enter some form data using the fckeditor (that I'd been using all along), and I got:

Code:
Fatal error: Call to undefined function get_instance() ...system/libraries/Input.php on line 855

I looked at this code for a bit, saw that it had something to do with xss filtering, and realized that the new config file has that turned off by default.

Now I really know hardly anything about xss filtering, but I was under the impression that I was safer having this set to 'true', rather than (apparently the new(?) default) 'false'.

Can someone enlighten further as to why this code exists but defaults to 'false', and causes a fatal error for my fckeditor when set to 'true'? BTW, the fckeditor I'm using is pretty restrictive: only allowing a few tags: b, p, br, i, ... think that's it really.


Thanks!
Chris

El Forum

[eluser]Glen Swinfield[/eluser]
It is important to filter certain data for XSS, but this is not in itself a reason to check all data for XSS by default - it should be your choice as the developer to turn this on or not. Similar I suppose to the magic_quotes setting in php, it's usually always on by default, and that's annoying.

As for the error, I don't know. I use FCK editor for my CI CMS but I haven't upgraded yet.

If get_instance isn't defined, then no controller has been called yet which is strange. I haven't downloaded the new CI yet so can't really help you further, the Input lib has changed in the new version.

El Forum

[eluser]Patrick Johanneson[/eluser]
I'm getting the same problem. If I change $config['global_xss_filtering'] in application/config/config.php to FALSE, the problem is rectified. However, I'd kind of like to keep XSS filtering turned on. If anyone has any ideas, I'd sure love to hear them.

Edit: This all worked just fine under CI 1.5.3; I upgraded to 1.5.4 and this problem cropped up.

El Forum

[eluser]Patrick Johanneson[/eluser]
Edit: Oops, xss_clean works fine when I pass it the strings one by one, instead of an array all at once.

However, if I enter <javascript>* in the text box, I get this error when I've got $config['global_xss_filtering'] set to TRUE:


Quote: Fatal error: Call to undefined function get_instance() in /Path/to/CI/system/libraries/Input.php on line 855


* Or, in fact, <[anything]>. <y> will do it, in fact. However, < on its own, or < >, will not.
___________________________

Hi,

When I upgraded from 1.5.3 to 1.5.4, I ran into a problem with the xss_clean stuff.

If I run the following code sample:

Code:
<?php

class Testing extends Controller {

    function index() {
    }

    function foo() {
        // Show the form on the first (non-POST) request
        if (!$_POST) {
            echo("
            <form action=\"/MBAir/testing/foo\" method=\"POST\">
            Text: <textarea name=\"Text\">Text goes here</textarea><br>
            <input type=\"submit\">
            </form>
            ");
            exit;
        }

        $this->load->helper('security');
        $this->_dump($_POST);
        // The whole $_POST array is passed to xss_clean() here, not a single string
        $post = xss_clean($_POST);
        $this->_dump($post);
    }

    // Print a value inside <pre> tags for inspection
    function _dump($x) {
        echo("<pre>\n");
        print_r($x);
        echo("</pre>\n");
    }

}

?>

I get the following errors:
Quote: A PHP Error was encountered
Severity: Warning
Message: stripos() expects parameter 1 to be string, array given
Filename: libraries/Input.php
Line Number: 690

A PHP Error was encountered
Severity: Warning
Message: stripos() expects parameter 1 to be string, array given
Filename: libraries/Input.php
Line Number: 696

A PHP Error was encountered
Severity: Warning
Message: stripos() expects parameter 1 to be string, array given
Filename: libraries/Input.php
Line Number: 702

I discovered this because one of my scripts has a set of three FCKEditor boxes in it. If I set $config['global_xss_filtering'] to TRUE in the config.php file, and then submit text in any or all of the FCKEditor boxes, I get the following error:
Quote: Fatal error: Call to undefined function get_instance() in /Path/to/CI/system/libraries/Input.php on line 855

Edit: This happens with a clean install of CI 1.5.4 as well.

Any suggestions?
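Added example, not part of the original thread and not CodeIgniter's code: the post above reports that the filter works on strings passed one by one but warns when handed a whole array, so this sketch walks a nested input array and applies a string-only filter to each leaf. The names `string_only_filter` and `clean_input` are hypothetical, and `htmlspecialchars` is only a stand-in for whatever string filter is actually in use.

```php
<?php
// Hypothetical stand-in for a filter that, like the one in the thread,
// expects a single string. It is NOT CodeIgniter's xss_clean().
function string_only_filter($str)
{
    if (!is_string($str)) {
        // Mirrors the failure mode in the thread: array in, warning out.
        trigger_error('string_only_filter() expects a string', E_USER_WARNING);
        return $str;
    }
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// Apply $filter to every string leaf of a (possibly nested) input array.
function clean_input($data, $filter)
{
    if (is_array($data)) {
        $out = array();
        foreach ($data as $key => $value) {
            // Field names come from the client too, so string keys are filtered.
            $clean_key = is_string($key) ? call_user_func($filter, $key) : $key;
            $out[$clean_key] = clean_input($value, $filter);
        }
        return $out;
    }
    // Only strings reach the filter; ints, floats, bools and null pass through.
    return is_string($data) ? call_user_func($filter, $data) : $data;
}

// Constructed sample input: one text field plus three editor boxes
// submitted as a nested array, and a non-string value.
$post = array(
    'Text'    => '<y>hello</y>',
    'editors' => array('<b>one</b>', '<javascript>', 'plain'),
    'count'   => 3,
);

print_r(clean_input($post, 'string_only_filter'));
```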

El Forum

[eluser]Derek Jones[/eluser]
See this bug report for the solution, or update your Input.php file from the svn.