XSS & Active Record
#1

[eluser]AJR[/eluser]
Hi all,

I'm new to CI and just started working on my first application.

I'm using $this->input->post('field', TRUE); to XSS filter form data before inserting into the database using Active Record...

When testing for XSS I noticed that I could insert, for example:

Code:
<BODY>

And this would automatically have its entities converted before being saved into the database...

However, if I was to do something like:

Code:
<IMG > or <>

Then the entities are not converted.

I thought that CI's XSS filter is supposed to take care of converting all entities for me? It seems silly that it converts entities in some cases but not others.

Just for info, here's how I'm inserting into the database:

Code:
// Build an array of fields with values from post - $this->_fields is my array of fields and validation rules...
$data = array();
foreach ($this->_fields as $field) {
    $name = $field['field'];
    // Second argument TRUE runs the value through CI's xss_clean() before it is returned
    $data[$name] = $this->input->post($name, TRUE);
}

// Insert into the database
$this->db->insert('clients', $data);
#2

[eluser]AJR[/eluser]
Any ideas what I'm doing wrong here?

Thanks
#3

[eluser]Benito[/eluser]
[quote author="AJReading" date="1277304904"]
I thought that CI's XSS filter is supposed to take care of converting all entities for me? It seems silly that it converts entities in some cases but not others.[/quote]
No it's not! That is not the purpose of that function. Please read what XSS is and how it can affect your site.
XSS Wikipedia

In the user guide it also clearly states, that:
Quote: The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things.

If you want to convert all HTML tags then use PHP's htmlentities().
#4

[eluser]AJR[/eluser]
Thanks for the reply,

I'm aware of XSS and how it can be used to exploit a website. Perhaps I missed the point of this function somewhere. I assumed it just "cleaned" everything rather than specifically looking for what it considers an XSS attack.
99% of the time the information I will be dealing with will be having their HTML entities converted anyway, in which case the XSS filtering is not needed, am I right?

Thanks
#5

[eluser]Benito[/eluser]
Well, the answer is yes and no. Some characters do get rendered in certain situations. The rule of thumb is to always treat user input as potentially dangerous and filter it for unwanted patterns and characters. Or you can change the logic around and only allow certain characters like
Code:
<br />, <span>, <p>
etc. but you must let your users know that all other characters will be filtered and removed ahead!
I would also encourage to read this XSS patterns article on ha.ckers.org. It has some very clear points on the topic from which I learnt a lot anno.
Cheers
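The two approaches the replies above describe (post #3: store the raw value and HTML-encode it when you output it; post #5: allowlist a few tags and drop everything else) as an added example in plain PHP. This is not code from the thread or from CodeIgniter; it deliberately uses no CI helpers so it runs on its own, and the sample inputs are constructed here for illustration. The function names h(), attributeExample() and allowTags() are this example's own.

```php
<?php
// Added example, not from the original thread or from CodeIgniter.

// 1. Encode on output. This is what htmlentities()/htmlspecialchars() do and
//    what xss_clean() does not: every < > & " ' becomes an entity, so the
//    browser renders the text literally whatever it contains.
//    ENT_QUOTES matters because a value dropped inside an attribute can be
//    closed with a quote even when no < or > is present (post #5's
//    "some characters do get rendered in certain situations").
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A value that carries no tag at all, but which breaks out of an attribute if
// it is written into the page unencoded. Constructed sample input.
function attributeExample(): string
{
    $name = '" onmouseover="alert(1)';
    return '<input type="text" name="name" value="' . h($name) . '">';
    // value="&quot; onmouseover=&quot;alert(1)" - stays inside the attribute
}

// 2. Allowlist approach from post #5: keep only the named tags, strip every
//    attribute from the survivors (so onclick= or href="javascript:" cannot
//    ride along on an allowed tag) and remove all other tags entirely.
function allowTags(string $html, array $allowed = ['br', 'span', 'p']): string
{
    $kept = strip_tags($html, '<' . implode('><', $allowed) . '>');

    // strip_tags() leaves attributes on the tags it keeps; drop them.
    $names = implode('|', array_map('preg_quote', $allowed));
    return preg_replace('#<(/?)(' . $names . ')\b[^>]*>#i', '<$1$2>', $kept);
}

// Constructed samples, including the ones from the first post.
$samples = [
    '<BODY>',
    '<IMG src=x onerror=alert(1)>',
    '<>',
    '<p onclick="alert(1)">hello</p><script>alert(1)</script>',
];

foreach ($samples as $raw) {
    echo "raw:       $raw\n";
    echo "encoded:   " . h($raw) . "\n";
    echo "allowlist: " . allowTags($raw) . "\n\n";
}
echo attributeExample(), "\n";
```

The point of the first function is that it is applied in the view, at the moment the value goes into HTML, not before the insert: the database should hold what the user typed, and the encoding is chosen by the context you output into. The allowlist function is the "only allow certain characters" option from post #5; as that reply notes, users need to be told that anything outside the list is removed.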