Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums Archived Discussions Archived General Discussion XSS Global clean
XSS Global clean
  • El Forum
    Unregistered
  •  
#1
06-17-2009, 10:01 AM

[eluser]Mat-Moo[/eluser]
I have this enabled as a matter of security (But still do some checking as well), but I have a new special controller I am writing that picks up an rss feed as a post which I need NOT to be sanitised. From what I've read on here I have to disable global CSS then add it to all my inputs (grrr) - or is there another way? [even print_r($_POST) is sanitised].

Any other input on this is welcome !
  • El Forum
    Unregistered
  •  
#2
06-17-2009, 10:15 AM

[eluser]Dam1an[/eluser]
you could extend the input class, and override the sanitize globals function, so that it doesnn't include the $_POST array (line 141)
Assuming you use
Code:
$this->input->post('item');
instead of
$_POST['item'];
In the rest of the application, you should be fine

If you find yourself needint to sanitize the POST array, you could call the _clean_input_data function (which should really be private, but PHP4 lets you Wink)
  • El Forum
    Unregistered
  •  
#3
06-17-2009, 02:20 PM

[eluser]Mat-Moo[/eluser]
Hmm, not convinced by that. Could I use a hook to disable the global xss when it's this one controller? Never really looked at hooks before.
  • El Forum
    Unregistered
  •  
#4
06-17-2009, 02:30 PM

[eluser]Dam1an[/eluser]
If you did do it in a hook, you would have to use a pre_system hook, as thats your only chnce before the input class gets initialised
The problem is the router class has not yet been loaded at this point, so you'll have to load it yourself in the hook using
Code:
$RTR =& load_class('Router'); // Taken from CodeIgniter.php
if($RTR->class == 'the_controller') {
  ... do something
}

Although I'm not sure what 'do something' would be, as I'm not sure if it's a good idea to change config values on the fly like that (anyone?)
  • El Forum
    Unregistered
  •  
#5
06-17-2009, 02:40 PM

[eluser]Dregond Rahl[/eluser]
could do one other thing, disable Global XSS Filter, and just modify (or even extend) the input library to have the default to $xss_clean = TRUE, then you can set specifically the inputs in that controller to be FALSE.

Code:
function post($index = '', $xss_clean = FALSE)
    {
        return $this->_fetch_from_array($_POST, $index, $xss_clean);
    }
  • El Forum
    Unregistered
  •  
#6
06-17-2009, 04:33 PM

[eluser]xwero[/eluser]
A crude way would be to add a url check in the config.php file
Code:
$config['global_xss'] = ( ! in_array($_SERVER['REQUEST_URI'], array('/controller/method')) ? true : false;




Theme © iAndrew 2016 - Forum software by © MyBB