CodeIgniter and XSS protection
#23

[eluser]theshiftexchange[/eluser]
Well - this is my global solution to XSS attacks. Firstly - I do not do ANY XSS cleaning on the inputs.

I run a hook on the _output - which cleans all my "view_data" (which is the variable I use to send data to the views).

I can stop the XSS Clean from running by inserting a "$view_data['clean_output'] = false" in my controller, which the hook checks:

Code:
// Escape everything in view_data unless the controller opted out
if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))
{
    // Apply to all in the list (assumes a flat array of string values)
    $this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data);
}


In my case - I also have a "jquery_validation" string that must not be parsed, but the rest needs to be. My simple hack was:

Code:
// Firstly - check if we want to clean our output - do that first before doing anything else
if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))
{
    // Apply to all in the list
    // Except for jquery_validation - so copy that and reinsert
    // (guarded with isset so pages without validation rules don't raise a notice)
    $page_rules = isset($this->CI->view_data['jquery_validation'])
        ? $this->CI->view_data['jquery_validation'] : null;
    $this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data);
    if ($page_rules !== null)
    {
        $this->CI->view_data['jquery_validation'] = $page_rules;
    }
}


Seems to be working well.
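As an added example (not the poster's code and not part of CodeIgniter): a recursive variant of the same output-hook idea, handling the cases a flat array_map("htmlspecialchars", ...) does not. The function name escape_view_data() and the $raw_keys allowlist are assumed names; the sample $view_data is constructed.

```php
<?php
// Added example, not the poster's hook. Differences from the flat
// array_map("htmlspecialchars") version in the post:
//  - nested arrays are walked instead of being handed to htmlspecialchars(),
//    which warns (or throws on newer PHP) and loses the value;
//  - ENT_QUOTES plus an explicit charset so single quotes are encoded too,
//    which matters inside attributes like value='...' (before PHP 8.1 the
//    default flags leave single quotes alone);
//  - keys that must stay raw (the post's "jquery_validation" case) live in
//    one explicit allowlist instead of a copy-and-reinsert dance;
//  - non-string scalars (ints, bools, null) are passed through unchanged.

function escape_view_data(array $data, array $raw_keys = array(), $charset = 'UTF-8')
{
    $out = array();
    foreach ($data as $key => $value) {
        if (in_array($key, $raw_keys, true)) {
            // trusted server-generated content, e.g. validation rules
            $out[$key] = $value;
        } elseif (is_array($value)) {
            // recurse; the allowlist applies at the top level only
            $out[$key] = escape_view_data($value, array(), $charset);
        } elseif (is_string($value)) {
            $out[$key] = htmlspecialchars($value, ENT_QUOTES, $charset);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample standing in for $this->CI->view_data.
$view_data = array(
    'title'             => "Alice's <b>page</b>",
    'rows'              => array(array('name' => '<script>alert(1)</script>')),
    'count'             => 3,
    'jquery_validation' => 'rules: { email: { required: true } }',
);

// Same opt-out convention as the hook in the post.
$clean = ( ! isset($view_data['clean_output']) || $view_data['clean_output'])
    ? escape_view_data($view_data, array('jquery_validation'))
    : $view_data;

var_dump($clean);
```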




