HTML code in a textarea
HTML code in a textarea - El Forum - 02-11-2013
[eluser]Salvador P.[/eluser]

Hello

I've been trying to deal with this problem for a while, but I can't! hehehe

I've got a form with a textarea. This textarea must contain HTML code, like

Code:
<div text-align: right;">

At this point there is no problem, just a form with a textarea where the user puts that code (the user knows what he or she is typing and won't type something incorrect).

When the form is submitted I get these values (using var_dump($this->input->post());) at the beginning of the function which gets the form data:

Code:
<div text-align: right;">

All the style=" tags/words are gone!!

I don't know why this is happening. Something is escaping those words/tags, but they are required because we are using that HTML input in other views, so we need to get that raw HTML input.

I have tried several things:
- XSS filtering disabled and enabled, with the same results.
- Tried to modify the system/core/input post function and showed the data before it processes it, and it showed the same results, style=" tags gone.
- Different browsers
- Other things I don't remember...

Does anybody know what is happening?

Thanks!

EDIT: When I submitted this post, exactly the same thing happened!! All style tags are gone!

HTML code in a textarea - El Forum - 02-11-2013
[eluser]Aken[/eluser]

Do you have global XSS filtering enabled in your config file?

HTML code in a textarea - El Forum - 02-11-2013
[eluser]Salvador P.[/eluser]

Yes, it's enabled.

HTML code in a textarea - El Forum - 02-11-2013
[eluser]Unknown[/eluser]

What about the native PHP array $_POST? And try to disable most of the security options.

HTML code in a textarea - El Forum - 02-11-2013
[eluser]Salvador P.[/eluser]

Thanks for your replies Aken and freeman204!

Tried with $_POST and got the same result if the XSS_Filtering is enabled.

Now I have tried with XSS_filtering disabled, and cleared all caches, and there they are!! We've got the style tags back!

So XSS_filtering is getting rid of the style tags... but we need the XSS_filtering enabled.

Searching for a solution, I got this: we can use $this->input->post('some_name', TRUE); to enable XSS_filtering for each field of the form, with the global XSS filtering disabled.

After some tests:

With config.php $config['global_xss_filtering'] = TRUE;
Code:
$this->input->post('some_name');

With config.php $config['global_xss_filtering'] = FALSE;
Code:
$this->input->post('some_name', TRUE); // Wrong result

Got the right result, with global XSS filtering false.

----

We need the $config['global_xss_filtering'] = TRUE; for security reasons.

Is there a way we can disable global_xss_filtering only for that controller? So we can get the correct input from the textarea, and keep the XSS filtering in all the application.

Thanks!

HTML code in a textarea - El Forum - 02-11-2013
[eluser]Salvador P.[/eluser]

Tried to put this at the beginning of the function which gets the textarea data, and in the constructor of the controller. The config.php has global_xss_filtering set to TRUE.

Code:
$this->config->set_item('global_xss_filtering', FALSE);

And it doesn't work, the inputs are escaped and the style=" tags are gone.

EDIT. Could some moderator or admin change the title of the post to: HTML code in a textarea (XSS filtering escapes inline tags like style = " )

The forum doesn't let me change the title of the post.

Thanks!

HTML code in a textarea - El Forum - 02-11-2013
[eluser]rana[/eluser]

You may extend the existing XSS filters and modify them in such a way that they accept the style attribute.

[quote author="Salvador P." date="1360574152"]
Thanks for your replies Aken and freeman204!

Tried with $_POST and got the same result if the XSS_Filtering is enabled.

Now I have tried with XSS_filtering disabled, and cleared all caches, and there they are!! We've got the style tags back!

So XSS_filtering is getting rid of the style tags... but we need the XSS_filtering enabled.

Searching for a solution, I got this: we can use $this->input->post('some_name', TRUE); to enable XSS_filtering for each field of the form, with the global XSS filtering disabled.

After some tests:

With config.php $config['global_xss_filtering'] = TRUE;
Code:
$this->input->post('some_name');

With config.php $config['global_xss_filtering'] = FALSE;
Code:
$this->input->post('some_name', TRUE); // Wrong result

Got the right result, with global XSS filtering false.

----

We need the $config['global_xss_filtering'] = TRUE; for security reasons.

Is there a way we can disable global_xss_filtering only for that controller? So we can get the correct input from the textarea, and keep the XSS filtering in all the application.

Thanks!
[/quote]

HTML code in a textarea - El Forum - 02-11-2013
[eluser]Salvador P.[/eluser]

Didn't think about that, I'll take a look at it.

Thanks rana!

HTML code in a textarea - El Forum - 02-11-2013
[eluser]Salvador P.[/eluser]

Got it!

Solved the problem this way:

Extended the Security library in: application/core/MY_Security.php

Copied the function _remove_evil_attributes and modified it to satisfy our requirements.

Thanks all for your help!
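
One way to write the MY_Security.php extension described in the last post, as an added example that is not the poster's code: instead of copying the stock method and dropping `style` from its list, it lets through only style attributes whose declarations match a strict allowlist and hands everything else to the stock filter. It assumes CodeIgniter 2.x, where `CI_Security::xss_clean()` calls the protected method `_remove_evil_attributes($str, $is_image)`, and the default `MY_` subclass prefix; the property list, the `_stash_style` helper and the `CIKEEP_` token are hypothetical.

```php
<?php
// application/core/MY_Security.php  (added example, not the poster's code)
// Assumes CodeIgniter 2.x: CI_Security::xss_clean() calls the protected
// method _remove_evil_attributes($str, $is_image).
class MY_Security extends CI_Security
{
    // Hypothetical allowlist: the only CSS properties allowed to survive.
    protected $_safe_css = array('text-align', 'font-weight', 'font-style', 'color');
    protected $_kept  = array();
    protected $_nonce = '';

    protected function _remove_evil_attributes($str, $is_image)
    {
        $this->_kept  = array();
        // Hex only, so a token can never spell "on...=" or "style=".
        $this->_nonce = md5(uniqid(mt_rand(), TRUE));

        // 1. Swap each double-quoted style attribute that passes the
        //    allowlist for an inert token the stock filter ignores.
        $str = preg_replace_callback('/(?<=\s)style\s*=\s*"([^"<>]*)"/i',
                                     array($this, '_stash_style'), $str);

        // 2. The stock filter still strips on*, xmlns, formaction and every
        //    style attribute that was not stashed (single-quoted, unquoted,
        //    or containing anything outside the allowlist).
        $str = parent::_remove_evil_attributes($str, $is_image);

        // 3. Put the vetted attributes back (skip strtr on an empty map).
        return $this->_kept ? strtr($str, $this->_kept) : $str;
    }

    // Public only so it is usable as a preg callback on old PHP versions.
    public function _stash_style($m)
    {
        // One declaration: allowlisted property, then a value made only of
        // letters, digits, '#', '%', '.', space and '-'. No parentheses,
        // quotes, colons or backslashes, so url() and expression() fail.
        $decl = '\s*(?:'.implode('|', $this->_safe_css).')\s*:\s*[a-z0-9#%. -]+';
        if ( ! preg_match('/^(?:'.$decl.';)*(?:'.$decl.')?\s*$/i', $m[1]))
        {
            return $m[0]; // not provably safe: leave it for the parent to strip
        }
        $token = 'CIKEEP_'.$this->_nonce.'_'.count($this->_kept).'_';
        $this->_kept[$token] = $m[0];
        return $token;
    }
}
```

Global filtering is applied when the Input class is constructed, before any controller code runs, so an override in the Security class takes effect for `$_POST` with `global_xss_filtering` left at TRUE.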