CodeIgniter Forums
About 2.1.0 CI_Security class - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: About 2.1.0 CI_Security class (/showthread.php?tid=50587)



About 2.1.0 CI_Security class - El Forum - 03-31-2012

[eluser]paperen[/eluser]
CI version 2.1.0

Code:
$str = '<p style="margin-top:0.4em;margin-bottom:0.5em;line-height:19px;font-family:sans-serif;font-size:13px;white-space:normal;background-color:#FFFFFF;">Broken p</p>';
// xss_clean() returns: <p  p</p>
echo $this->security->xss_clean( $str );
exit;


I think there's something wrong with this regex in the _remove_evil_attributes function

Code:
// \/ and \s must be escaped: an unescaped "/" would end the "/"-delimited pattern early
$str = preg_replace("/<(\/?[^><]+?)([^A-Za-z-])(".implode('|', $attribs).")([\s><])([><]*)/i", '<$1$2$4$5', $str, -1, $count);

But I can't fix it :-D
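The following is an added example, not CodeIgniter's own code: it reproduces the attribute-stripping step around the regex quoted in the post above. The thread does not show how `$attribs` is collected, so the two collection patterns in `findEvilAttributes()` are assumptions, as is the short `$evilAttributes` list. Run on the poster's input, the variant that captures the attribute value up to the next whitespace swallows the closing `>` and the text after it, producing exactly the `<p  p</p>` the poster saw; the variant that stops at the closing quote (or at `>` for unquoted values) leaves the element intact.

```php
<?php
// Added example (not CodeIgniter's code). Attribute names assumed for the demo;
// only 'style' matters for the input from the thread.
$evilAttributes = ['on\w*', 'style', 'xmlns'];

/**
 * Collect the raw "name=value" strings that should be removed from $str.
 * Both patterns are assumptions for this demo, not the library's own.
 *
 * $stopAtTagEnd === false: the value runs to the next whitespace, so a value
 *   whose closing quote is followed directly by '>' also captures the '>' and
 *   any text up to the next space.
 * $stopAtTagEnd === true: a quoted value ends at its closing quote and an
 *   unquoted one at whitespace or '>'.
 */
function findEvilAttributes(string $str, array $evilAttributes, bool $stopAtTagEnd): array
{
    $names = implode('|', $evilAttributes);
    if ($stopAtTagEnd) {
        $pattern = '/(' . $names . ')\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]*)/is';
    } else {
        $pattern = '/(' . $names . ')\s*=\s*[^\s]*/is';
    }
    preg_match_all($pattern, $str, $matches, PREG_SET_ORDER);

    $attribs = [];
    foreach ($matches as $m) {
        // the collected strings are interpolated into a regex, so quote them
        $attribs[] = preg_quote($m[0], '/');
    }
    return $attribs;
}

/**
 * Strip the collected attribute strings from inside tags, using the same
 * five-group pattern and '<$1$2$4$5' replacement as the line quoted in the
 * thread (with the \/ and \s escapes in place).
 */
function removeEvilAttributes(string $str, array $evilAttributes, bool $stopAtTagEnd): string
{
    do {
        $count   = 0;
        $attribs = findEvilAttributes($str, $evilAttributes, $stopAtTagEnd);
        if ($attribs) {
            $str = preg_replace(
                '/<(\/?[^><]+?)([^A-Za-z-])(' . implode('|', $attribs) . ')([\s><])([><]*)/i',
                '<$1$2$4$5',
                $str,
                -1,
                $count
            );
        }
    } while ($count);

    return $str;
}

// The input from the thread.
$input = '<p style="margin-top:0.4em;margin-bottom:0.5em;line-height:19px;font-family:sans-serif;'
       . 'font-size:13px;white-space:normal;background-color:#FFFFFF;">Broken p</p>';

// Value captured up to the next whitespace: the '>' and "Broken" are removed too.
echo removeEvilAttributes($input, $evilAttributes, false), "\n"; // <p  p</p>

// Value captured up to its closing quote: only the style attribute is removed.
echo removeEvilAttributes($input, $evilAttributes, true), "\n";  // <p >Broken p</p>
```

The second run leaves a stray space before `>` because group 2 (the separator before the attribute) is kept by the replacement; browsers ignore it, and the element structure survives. The first run shows why the five-group replacement alone is not enough to judge the problem: what ends up in `$attribs` decides whether the closing `>` is treated as part of the attribute.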



About 2.1.0 CI_Security class - El Forum - 03-31-2012

[eluser]skunkbad[/eluser]
What happens when you do this:

Code:
var_dump( $this->security->xss_clean( $str ) );



About 2.1.0 CI_Security class - El Forum - 03-31-2012

[eluser]Dan Storm[/eluser]
What output did you expect?
$this->security->xss_clean() is meant for securing your input against XSS?


About 2.1.0 CI_Security class - El Forum - 03-31-2012

[eluser]paperen[/eluser]
[quote author="Dan Storm" date="1333221782"]What output did you expect?
$this->security->xss_clean() is meant for securing your input against XSS?[/quote]

I know it's meant for securing input against XSS.

I set $config['global_xss_filtering'] = TRUE, and when I posted some text edited in CKEditor, I found the structure had been broken.

I expect:
Code:
<p>Broken p</p>

not
Code:
<p  p</p>

The HTML was broken.


About 2.1.0 CI_Security class - El Forum - 03-31-2012

[eluser]paperen[/eluser]
[quote author="skunkbad" date="1333212331"]What happens when you do this:

Code:
var_dump( $this->security->xss_clean( $str ) );
[/quote]

What I want to emphasize is the result (the HTML structure was destroyed).


About 2.1.0 CI_Security class - El Forum - 04-01-2012

[eluser]Dan Storm[/eluser]
The xss_clean method is not for validating HTML input and is not intended for general use (this has also been stated in the documentation).
This doesn't seem to be a bug, as the xss_clean method seems to correctly treat the input as a possible threat.


About 2.1.0 CI_Security class - El Forum - 08-02-2012

[eluser]paperen[/eluser]
This problem was fixed in 2.1.2.