Overriding global XSS filtering

Overriding global XSS filtering - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Overriding global XSS filtering (/showthread.php?tid=42610)

Overriding global XSS filtering - El Forum - 06-13-2011

[eluser]besson3c[/eluser]
Hello,

I just realized that the global XSS filtering setting can mess up password inputs if the password includes certain characters. Is there a way to override this setting for particular form elements? If not, would it be possible to toggle this setting off temporarily while assigning this form input to a variable?

I could play around with this for myself, but I'm not sure what sorts of input will result in modification post-sanitization/filtering. Can anyone please provide me with an example?

Overriding global XSS filtering - El Forum - 06-13-2011

[eluser]Twisted1919[/eluser]
Basically, what you need to do, is that at the beginning of the request, right before the global cleaning is taking place, make a copy of the $_POST array and use that copy when you want to get the original, uncleaned variables.
Extending the security class might be the perfect way of doing this, something like:

Code:
class MY_Security extends CI_Security{

  public $original_post_array;

  public function __construct()

  {

     if($this->original_post_array===null&&!empty($_POST))

        $this->original_post_array=$_POST;

     parent::__construct();

  }

}

Then in your code, you can check like:

Code:
if(isset($this->security->original_post_array['password']))

{

   // do something here with the original value.

}

Please note, if you use CKEDITOR, or any other editor, the xss_clean() method will strip many of the elements attributes, exp:

Code:
<div style="font-weight:bold">BOLD FONT ? </div>

//becomes:

<div>BOLD FONT ? </div>

So having a variable that holds the original $_POST array is a good idea in your case, maybe instead of cleaning the content of an editor with xss_clean() you might wanna do it with html purifier.

Overriding global XSS filtering - El Forum - 06-13-2011

[eluser]bubbafoley[/eluser]
you can turn xss filtering on/off when retrieving data.

Code:
$config['global_xss_filtering'] = TRUE;

Code:
$username = $this->input->post('username'); // filtered

$password = $this->input->post('password', FALSE); // unfiltered

== OR ==

Code:
$config['global_xss_filtering'] = FALSE;

Code:
$username = $this->input->post('username', TRUE); // filtered

$password = $this->input->post('password'); // unfiltered

Overriding global XSS filtering - El Forum - 09-27-2013

[eluser]Matty[/eluser]
[quote author="Twisted1919" date="1307974817"]Basically, what you need to do, is that at the beginning of the request, right before the global cleaning is taking place, make a copy of the $_POST array and use that copy when you want to get the original, uncleaned variables.
Extending the security class might be the perfect way of doing this, something like:

Code:
class MY_Security extends CI_Security{

  public $original_post_array;

  public function __construct()

  {

     if($this->original_post_array===null&&!empty($_POST))

        $this->original_post_array=$_POST;

     parent::__construct();

  }

}

Then in your code, you can check like:

Code:
if(isset($this->security->original_post_array['password']))

{

   // do something here with the original value.

}

Please note, if you use CKEDITOR, or any other editor, the xss_clean() method will strip many of the elements attributes, exp:

Code:
<div >BOLD FONT ? </div>

//becomes:

<div>BOLD FONT ? </div>

So having a variable that holds the original $_POST array is a good idea in your case, maybe instead of cleaning the content of an editor with xss_clean() you might wanna do it with html purifier.[/quote]

Brilliant, this is just what I was looking for and it works perfectly.