GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - Printable Version

CodeIgniter Forums (https://forum.codeigniter.com)
Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
Thread: GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR (/showthread.php?tid=40494)
GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 04-10-2011
Posted by Unknown

Found this very weird bug today after updating to 2.0.2. If I tried to insert an image into CKEditor and set its dimensions via the editor form, the generated inline style would not save to the database after POST. I do not have any other type of POST filtering other than this option enabled in config.php. After I set it to FALSE, it saved OK. Bug or not? Where should I report it?

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 04-10-2011
Posted by InsiteFX

Sounds like the CSRF Protection.

InsiteFX

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 04-12-2011
Posted by Unknown

I'm having problems with global_xss_filtering too. Before 2.0.2 it worked fine, but now it seems to be stripping simple HTML tags (styles, etc.). Worked before the update, doesn't work after; sure seems like a bug to me.

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 05-09-2011
Posted by predat0r

Same here. Switching off the XSS filter, all tags (style) go through well. I think it's not a problem with my current project because I use TinyMCE behind the admin area. And in 1.7.x all was good.

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 05-12-2011
Posted by xarazar

Confirmed. XSS filtering is the culprit here. I've built 7 websites with TinyMCE since the CI 2.0 release and everything worked well. But the latest project was given CI 2.0.2, and when concocted with TinyMCE it filters out image alignment. I'm not sure I feel comfortable with XSS filtering disabled. Perhaps we could add an exception somewhere? Interestingly, properties like "width" are not filtered out. It seems that the "style" definition gets removed.

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 05-12-2011
Posted by predat0r

xarazar wrote:
> Confirmed. XSS filtering is the culprit here. I've built 7 websites with TinyMCE since the CI 2.0 release and everything worked well. But the latest project was given CI 2.0.2, and when concocted with TinyMCE it filters out image alignment. I'm not sure I feel comfortable with XSS filtering disabled. Perhaps we could add an exception somewhere? Interestingly, properties like "width" are not filtered out. It seems that the "style" definition gets removed.

Yes, only the style property is filtered out. I set the global XSS filtering to FALSE and use it manually, and with variables filled from the TinyMCE textarea I use htmlentities and html_entity_decode; dunno if it's reasonable protection or not.

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 05-19-2011
Posted by Ellli

Yep, same here with CodeIgniter 2.0.2. After turning off global_xss_filtering everything works like a charm. But I still want to use it, so I made a quick workaround. In file system/core/Security.php I modified the function _remove_evil_attributes (around line 579).

Code:
    // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 05-31-2011
Posted by mestresan

Very strange... cannot send HTML content from a POST form. I use CKEditor, and after the post every HTML tag is cleaned. This is on localhost (CI 2.0.2, PHP 5.3). BUT... on my host it works fine (CI 2.0.2, PHP 5.2). Both use the same config. I tried removing CKEditor, but same result. I did var_dump($_POST), and the content is clean too. What is the problem!?!?

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 06-10-2011
Posted by Nikita

I've got the same problem; any fix for this?

GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR - El Forum - 06-17-2011
Posted by mikedfunk

I just removed the element 'style' from that array in the core and it worked again. Why is that even there? What malicious code can someone put in a style tag?
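A middle road between the two workarounds in this thread (switching the filter off entirely, or editing system/core/Security.php) is to keep global_xss_filtering off, run xss_clean() on the ordinary fields, and pass only the editor field through an allowlist that keeps the layout styles the editor sets. The code below is an added example, not code from the thread or from CodeIgniter; the function names, the allowed property list and the sample markup are assumptions, and it needs PHP 5.3+ for the closure.

```php
<?php
// Added example, not CodeIgniter's or the editor's code. Assumed setup: the app
// sets $config['global_xss_filtering'] = FALSE, fetches ordinary fields with
// $this->input->post('name', TRUE) (the second argument runs xss_clean in CI 2.0.x),
// and passes only the rich-text field through sanitize_editor_styles() below.

// Keep only the style declarations a resized or aligned editor image needs. Each
// value must match a strict shape (a length or a keyword), nothing else survives.
function filter_style_value($css)
{
    $allowed = array(
        'width'      => '/^\d+(px|%)?$/',
        'height'     => '/^\d+(px|%)?$/',
        'float'      => '/^(left|right|none)$/',
        'text-align' => '/^(left|right|center|justify)$/',
        'margin'     => '/^(\d+(px)?\s*){1,4}$/',
    );
    $kept = array();
    foreach (explode(';', $css) as $decl) {
        if (strpos($decl, ':') === false) {
            continue;
        }
        list($prop, $val) = array_map('trim', explode(':', $decl, 2));
        $prop = strtolower($prop);
        if (isset($allowed[$prop]) && preg_match($allowed[$prop], $val)) {
            $kept[] = $prop . ': ' . $val;
        }
    }
    return implode('; ', $kept);
}

// Rewrite every quoted style="..." attribute through the allowlist and drop
// unquoted ones entirely; other attributes (src, width, alt) are left untouched.
function sanitize_editor_styles($html)
{
    $html = preg_replace_callback(
        '/\sstyle\s*=\s*(["\'])(.*?)\1/i',
        function ($m) {
            $clean = filter_style_value($m[2]);
            return $clean === '' ? '' : ' style="' . $clean . '"';
        },
        $html
    );
    return preg_replace('/\sstyle\s*=\s*[^\s"\'>]+/i', '', $html);
}

// Constructed sample of what the editor posts for a resized, left-floated image:
// width, height and float pass the allowlist; any other declaration is dropped.
$posted = '<img src="/uploads/a.png" width="200" style="width: 200px; height: 100px; float: left" alt="a">';
echo sanitize_editor_styles($posted), "\n";
```

Fields other than the editor content still go through xss_clean as before, so the thread's complaint (style stripped) is addressed only for the one field that legitimately carries inline layout.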