GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - Printable Version
CodeIgniter Forums (https://forum.codeigniter.com), Archived Development & Programming
Thread: https://forum.codeigniter.com/showthread.php?tid=40494
GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 08-13-2011
[eluser]nikes[/eluser]

I've obtained an identical problem; any fix for this?

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 02-08-2012
[eluser]Unknown[/eluser]

Solution to this: set

Code:
$config['global_xss_filtering'] = FALSE;

and place the inputs that need to be safe like this:

Code:
$password = $this->input->post('password', TRUE); // Filtered

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 07-24-2012
[eluser]alanees[/eluser]

Hello :-)

I found a solution in file system/core/security.php at line 606

Code:
// original
$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');

Code:
// modified: 'style' removed from the list
$evil_attributes = array('on\w*', 'xmlns', 'formaction');

and at line 426

Code:
// original
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';

Code:
// modified: 'style' removed from the list
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|script|textarea|title|video|xml|xss';

Regards

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 09-22-2012
[eluser]Gilles_T[/eluser]

Hi everyone,

What do the officials and gurus of CI think of Alanees' solution (not of the method, but of the identification of the problem)?

I am currently making the big jump from 1.7.3 to 2.1.2 for my sites. Everything (as far as I can see) seemed to be OK until I found that all styles coming out of the online editor were gone. I did not at all like to remove the XSS filtering because of scripting risks. To my knowledge the "style" seems quite innocent from the real security standpoint (although it might generate badly formatted pages). I would tend toward this solution in spite of requiring a change in the core.

If this solution turns out to be satisfactory, could there be a "change_xss_naughty" function to enable the choice in the config.com?

Thank you for your precious advice,
Cheers

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 08-20-2013
[eluser]C4iO [PyroDEV][/eluser]

Found myself with this issue on a recent project and started a quest to find the solution. Although the accepted answer from this Stackoverflow post is old, it turned out to be a good starting point towards understanding why CI staff could have chosen to include style in the evil attributes list.

I like to set global_xss_filtering to TRUE on my projects even if it's not a real hacker-proof measure. So, why am I still trying to use it? Simple: it appears to me that it makes it more difficult for an attack to be successful.

Ok! I have to admit, setting that option to TRUE also brings difficulties to my life. My point is that since I need to allow the style attribute because I'm using a WYSIWYG editor (CKEditor, but tried with TinyMCE), it seems reasonable to remove style from the evil attributes list, but I'll try to do that in the applications/core folder and modify just the _remove_evil_attributes method as follows:

In a file called MY_Security located at applications/core, I'll put no more than the following code:

Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

Please note that I just removed the style attribute from the $evil_attributes variable and changed the comment accordingly. I know that's the best solution, but it solves the issue until I find something better.
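The override C4iO describes, taken one step further, as an added example that is not code from the thread or from the CodeIgniter project. Instead of simply deleting `style` from the evil-attribute list (alanees' core patch and C4iO's override), it keeps the rest of the core filter intact and lets `style` through only when its value carries none of the well-known CSS active-content vectors (`expression()`, `behavior`/`binding`, `javascript:`/`vbscript:` URLs, `@import`/`url()` loads). It assumes CodeIgniter 2.1.x, where `CI_Security::_remove_evil_attributes($str, $is_image)` is a protected method and a class in `application/core/MY_Security.php` replaces it automatically; the placeholder attribute name, the `_scrub_style_attribute` helper and the keyword list are this example's own choices, and the list is a starting point, not a complete census of CSS vectors. Because `$this->input->post('field', TRUE)` also routes through `xss_clean()`, the same class applies whether the global filter is on or the per-field filtering from the second post is used.

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Added example (not the thread's or CodeIgniter's code): application/core/MY_Security.php
// Assumes CI 2.1.x: CI_Security::_remove_evil_attributes($str, $is_image) is protected
// and still lists 'style' among the attributes it strips.
class MY_Security extends CI_Security {

    // Hypothetical placeholder name used to hide inert style attributes from the
    // parent filter. It must not contain "on", or the parent's on\w* pattern would hit it.
    const KEEP_STYLE = 'data-keep-css';

    protected function _remove_evil_attributes($str, $is_image)
    {
        // 1. Remove every style attribute whose value looks like active content.
        $str = preg_replace_callback(
            '/\s(style)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i',
            array($this, '_scrub_style_attribute'),
            $str
        );

        // 2. Rename the surviving style attributes so the unchanged parent logic
        //    (event handlers, xmlns, formaction, ...) runs without touching them ...
        $str = preg_replace('/\sstyle(\s*=)/i', ' '.self::KEEP_STYLE.'$1', $str);
        $str = parent::_remove_evil_attributes($str, $is_image);

        // 3. ... and put the real attribute name back.
        return preg_replace('/\s'.self::KEEP_STYLE.'(\s*=)/i', ' style$1', $str);
    }

    // Callback for step 1: $m[0] is the whole " style=..." match, $m[2] the raw value.
    protected function _scrub_style_attribute($m)
    {
        $value = trim($m[2], '"\'');

        // Decode entities and drop whitespace, control characters and backslashes so
        // split or escaped keywords (e.g. "expr\ession", "java&#9;script:") are seen whole.
        $decoded   = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
        $collapsed = preg_replace('/[\s\x00-\x1f\\\\]+/', '', $decoded);

        // Assumed keyword list; extend it for your own threat model.
        if (preg_match('/(expression|behaviou?r|binding|javascript:|vbscript:|@import|url\()/i', $collapsed))
        {
            return ''; // drop the whole attribute, leading space included
        }
        return $m[0]; // harmless presentational CSS from the editor: keep it
    }
}
```

With this file in place, `<p style="color:red">` survives `xss_clean()` while `<p style="width:expression(alert(1))">` comes out as `<p>`. The regexes are deliberately as coarse as the core filter they wrap: a literal ` style=` inside text content is also inspected, which is the same trade-off CodeIgniter's own attribute stripping already makes.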