CodeIgniter Forums
After security library update, xss_clean() messes all editor contents. - Printable Version

Thread: After security library update, xss_clean() messes all editor contents. (https://forum.codeigniter.com/showthread.php?tid=40679)

After security library update, xss_clean() messes all editor contents. - El Forum - 04-15-2011

Twisted1919:
As the title says, the new update to the security class adds a new method call in xss_clean() (_remove_evil_attributes()) which practically strips out any style tag that is appended to the HTML content.

For example, I use CKEditor, and before this update I could easily have something like this in the editor:
Code:
<div style="width:400px;float:left">
CONTENT HERE
</div>

But now the XSS filter just removes the style tag, so I ended up with a lot of broken pages until I realized what was happening and whose fault it was (I suspected CKEditor at first).

In order to fix this, I had to use HTML Purifier instead of xss_clean() for the fields where I use a text editor.

I don't really like using HTML Purifier because it is a beast on memory usage, but I cannot alter the xss_clean() method because I know the style tag can be dangerous too, so it seems to me that this is the only way of being able to preserve the HTML content of a page.

Hope this info helps someone else :)
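Added example (not the poster's code and not part of CodeIgniter or HTML Purifier): the HTML Purifier set-up the post describes, allowlisting only the layout properties the editor emits so a style attribute like width/float survives while hostile CSS values and properties are dropped rather than the whole attribute. Assumes HTML Purifier is autoloadable via Composer; the function name and the sample input are constructed.

```php
<?php
// Added example, not from the original post or from CodeIgniter.
// Assumes HTML Purifier is installed through Composer.
require_once 'vendor/autoload.php';

/**
 * Sanitise rich-text editor HTML while keeping harmless layout styles.
 * Unlike xss_clean(), which removes the style attribute outright,
 * this keeps an allowlisted subset of CSS properties.
 */
function purify_editor_html(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();

    // Only the elements/attributes the editor actually needs.
    $config->set('HTML.Allowed', 'div[style],p,b,i,a[href]');

    // Layout properties only; anything else (e.g. background, behavior)
    // is stripped from the style attribute, the attribute itself survives.
    $config->set('CSS.AllowedProperties', 'width,height,float,margin,padding');

    // Links may only use http/https; no javascript: or data: schemes.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);

    // Disable the definition cache so the demo needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);

    return (new HTMLPurifier($config))->purify($html);
}

// Constructed sample: the poster's layout div plus a hostile CSS value.
$input = '<div style="width:400px;float:left;'
       . 'background:url(javascript:alert(1))">CONTENT HERE</div>';

echo purify_editor_html($input), PHP_EOL;
```

Because HTML Purifier parses the CSS rather than pattern-matching it, the width and float declarations are retained and the disallowed background declaration is removed, which is the behaviour the post needed from xss_clean().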