After security library update, xss_clean() messes all editor contents.

CodeIgniter Forums (https://forum.codeigniter.com), Archived Development & Programming. Thread: /showthread.php?tid=40679
After security library update, xss_clean() messes all editor contents. - El Forum - 04-15-2011

[eluser]Twisted1919[/eluser]

As the title says, the new update to the security class adds a new method call in xss_clean() ( _remove_evil_attributes() ) which practically strips out any style tag that is appended to the HTML content. For example, I use CKEDITOR, and before this update I could easily have something like this in the editor:

```html
<div style="width:400px;float:left">
```

But now the xss filter just removes the style tag, so I end up with a lot of broken pages till I realized what is happening and whose fault it is (I suspected CKEditor the first time).

In order to fix this, I had to use HTML Purifier instead of xss_clean() for the fields where I use a text editor. I don't really like using HTML Purifier because it is a beast on memory usage, but I cannot alter the xss_clean() method because I know the style tag can be dangerous too, so it seems to me that this is the only way of being able to preserve the HTML content of a page.

Hope this info helps someone else.
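The approach described in the post, as an added example (not code from the thread, from CodeIgniter or from HTML Purifier): instead of dropping every style attribute as xss_clean() does, HTML Purifier is configured with an explicit allowlist of tags, attributes and CSS properties, so the editor's layout markup survives while scripts, event handlers and javascript: URLs are removed. It assumes HTML Purifier is unpacked under a hypothetical application/third_party/htmlpurifier path and that the editor field is POSTed as "content".

```php
<?php
// Added example; not from the thread, CodeIgniter or HTML Purifier.
// Assumption: HTML Purifier lives at this (hypothetical) third_party path.
require_once APPPATH . 'third_party/htmlpurifier/HTMLPurifier.auto.php';

/**
 * Sanitize WYSIWYG (CKEditor) output before storing or rendering it.
 *
 * Everything not on the allowlist is removed: script tags, on* handlers,
 * CSS properties other than the layout ones listed, and non-http(s) URLs.
 */
function clean_editor_html($html)
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Tags and attributes the editor is allowed to produce; style only on div/span.
        $config->set('HTML.Allowed',
            'p,br,b,strong,i,em,ul,ol,li,a[href|title],img[src|alt|width|height],' .
            'div[style],span[style]');
        // Layout-only CSS; no url()/expression()-carrying properties such as background.
        $config->set('CSS.AllowedProperties', 'width,height,float,margin,text-align');
        // Links and images may only point at http(s) targets.
        $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
        // Disable the on-disk definition cache so the example needs no writable dir.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($html);
}

// Constructed sample: the layout div from the post plus typical injected content.
$raw = '<div style="width:400px;float:left;background:url(javascript:alert(1))">'
     . '<p onclick="alert(1)">Hello</p><script>alert(1)</script></div>';
echo clean_editor_html($raw);

// In a CodeIgniter 2.x controller the editor field would be read with
// xss_clean disabled (second argument FALSE) and passed through the same helper:
//   $html = clean_editor_html($this->input->post('content', FALSE));
```

The width and float declarations are kept, while the background url(), the onclick handler and the script element are stripped.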