CodeIgniter Forums

Full Version: After security library update, xss_clean() messes all editor contents.
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]Twisted1919[/eluser]
As the title say, the new update to the security class, adds a new method call in the xss_clean()( _remove_evil_attributes() ) which practically strips out any style tag that is appended to the HTML content.

For example, i use CKEDITOR, and before this update, i could easily have something like this in the editor:
Code:
<div style="width:400px;float:left">
CONTENT HERE
</div>

But now, the xss filter just removes the style tag so i end up with a lot of broken pages till i realized what is happening and who's fault is(i suspected ckeditor first time)

In order to fix this, i had to use HTML Purifier instead of xss_clean() for the fields where i use a text editor.

I don't really like using HTML Purifier because is a beast on memory usage, but i cannot alter the xss_clean() method because i know the style tag can be dangerous too, so it seems to me, that this is the only way of being able to preserve the HTML content of a page.

Hope this info helps someone else Smile