Login

thorium369 · 08-11-2018, 06:35 AM

Hi friends,

I have a web application that accepts comments using a WYSIWYG editor (having basic formatting like bold, italics, heading, lists, etc).

I am trying to allow users to also enter manually typed html like:

Quote:This is manually typed content
This is formatted content

Here the 1st line is html that's manually typed by user, and second line is text formatted using the wysiwyg editor.

This input then gets stored in my database as (with html entities encoded):

Quote:This is manually typed content
This is formatted content

Now before displaying when I run this through "$this->security->xss_clean()", the output of xss_clean() is:

Quote:This is manually typed html
This is formatted content

So on echoing this in browser both lines come out as bold text, whereas I want only the formatted text to be treated as html.

Another issue is that xss_clean() url-decodes the text passed to it, so in some cases the text having "%" with some trailing alphabets get converted to a special character.

I understand a lot of stuff that xss_clean() does is for security reasons and my app has never suffered any xss attacks until now thanks to it. But I would like an alternative that would preserve html entities & not url decode text while filtering for XSS.

So my question is, are there any good alternatives to xss_clean() which someone is using that can solve these 2 issues while also doing xss filtering?
I am aware of HTML purifier, but would like to know if there are any other good alternatives.

P.S. I am aware that the % sign issue has been reported on CI's github issues & is marked closed, because removing it is a security concern : https://github.com/bcit-ci/CodeIgniter/issues/5125
Haven't found anything else related in CI's Github issues, and searching "xss_clean" retrieves a lot of results on this forum. I went through a few pages but couldn't find something relevant. So forgive me for not being able to find a topic where this has been discussed before.
Thanks!