+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Codeigniter stripping script tags (/showthread.php?tid=39245)
Codeigniter stripping script tags - El Forum - 03-05-2011
[eluser]alexbet[/eluser]
Hi All,
I am going crazy here, I can't find a solution to this. I have a CMS and a field where I need to allow my client to put any kind of HMTL code in it. For example, he would put a Google Ads code which contains <scr%ipt> tags to run javascript code. My problem is that those script tags get removed by xss_clean each time I submit and add the data for that field in the database.
I've tried practically everything to disable this. I disabled xss_clean in the config file, I've disable xss_clean in my script, I ran htmlspecialchars on the input, but nothing helps. The script tags still get removed no matter if xss_clean is running or not. I am now suspecting that something else is the matter and something else is stripping the script tags.
Please HELP!!!
Thanks!
Alex
Codeigniter stripping script tags - El Forum - 03-05-2011
[eluser]Eric Barnes[/eluser]
Make sure you are using $this->input->post('field'); and not $this->input->post('field', TRUE); TRUE as a second argument runs it through xss_clean.
Codeigniter stripping script tags - El Forum - 03-06-2011
[eluser]alexbet[/eluser]
Thanks Eric, I guess I was tired and didn't notice that.
Now, how do I exclude only one field from being run though xss_clean? I don't want to jeopardize the security of my whole application because I need one field to not be cleaned. I know that I can turn it off globally and then enable it for each controller, but I don't think that is a very good solution.
Any other way of excluding only one field?
Codeigniter stripping script tags - El Forum - 03-17-2011
[eluser]Anuja[/eluser]
I am also facing the same problem.
Is there any solution for this?
Codeigniter stripping script tags - El Forum - 03-17-2011
[eluser]InsiteFX[/eluser]
Did you read the post? Eric answered the question!
InsiteFX
Codeigniter stripping script tags - El Forum - 03-18-2011
[eluser]Anuja[/eluser]
Hello InsiteFX,
I have read this post.
I want to provide the functionality to add / edit goggle analytic code form admin section.
But due to the xss clen some of the script tags gets removed and instead of them it gives '[removed]' word.
It will be work fine if we have disables the xss clean globally and $this->input->post(‘field’, FALSE);
But I don't want to disable xss_clean globally.
So I want answer for can we do it excluding only one field?
Currently I have done this task by replacing the '[removed]' word with original as in code.
But not sure that Google analytic code has same format for all. or it provides different each time.
Can you tell me for this also.
Thank You In Advance.
Codeigniter stripping script tags - El Forum - 03-18-2011
[eluser]BrokenLegGuy[/eluser]
What Eric Barnes and InsiteFX are saying is you need to do something like....
Code:
$fields = array(0=> 'field1', 'field2', 'field3', 'field4', 'field5');
foreach($fields AS $k => $v)
{
(($v == 'field2') OR ($v == 'field5')) ? $this->input->post($v) : $this->input->post($v, TRUE);
}or
Code:
$this->input->post('field1', TRUE);
$this->input->post('field2');
$this->input->post('field3', TRUE);
$this->input->post('field4', TRUE);
$this->input->post('field5');in order to do what you're looking for, XSS enabled on a per-field bases.
Ed
Codeigniter stripping script tags - El Forum - 03-21-2011
[eluser]Anuja[/eluser]
Thank You for your help,
But if enable the Xss clean globally then it doesn't matter in the post statement, it is always consider as true.
Means if disable it in the post still it works as enable or set as true.
What I want is xss clean has to be set true globally and for only one field it has to be disable.
Is it possible?
Codeigniter stripping script tags - El Forum - 03-22-2011
[eluser]Atharva[/eluser]
I am afraid that's not possible. You have to disable the global settings and use it wherever needed.
Codeigniter stripping script tags - El Forum - 03-22-2011
[eluser]Anuja[/eluser]
Okay.