Global XSS filtering bypass
[eluser]Anestetikas[/eluser]
Hi, I use the global XSS filtering for my CodeIgniter projects, but for one particular textarea I need to use a rich text editor. So could somebody explain to me how I can bypass global filtering for only one field? I have found some topics on this subject, but all of them were suggesting altering system files, which is not what I want to do.
[eluser]zechdc[/eluser]
Check out my post on stackoverflow: http://stackoverflow.com/questions/38997...9#11525519 I posted the content below, but it won't be the most up-to-date. I like updating it better on stackoverflow.

The global XSS Filtering is only escaping (or converting) certain "dangerous" html tags like `<html>`

Simple Workaround:

1. Set `$config['global_xss_filtering'] = TRUE;`
2. Run your POST data through HTMLPurifier to remove any nasty `[removed]` tags or javascript.
   - [HTMLPurifier Docs][1]
   - [HTMLPurifier Codeigniter Integration][2]
3. On the page where you receive the form's `POST` data use `html_entity_decode()` to undo what XSS filtering did.

   ```php
   // by decoding first, we remove everything that the XSS filter did
   // then we encode all characters equally.
   $content = html_entity_decode($this->input->post('template_content'));
   ```
4. Then immediately run it through `htmlentities()`

   ```php
   $content = htmlentities($content);
   ```
5. Store as a `Blob` in MySQL database
6. When you want to display the information to the user for editing run `html_entity_decode()`

This is how I did it. If anyone knows of a major flaw in what I did, please tell me. It seems to be working fine for me. Haven't had any unexpected errors.

[1]: http://htmlpurifier.org/docs
[2]: https://github.com/refringe/codeigniter-htmlpurifier
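The steps above, pulled together into plain PHP functions so they can be exercised outside a controller. This is an added example, not zechdc's code or the CodeIgniter-HTMLPurifier integration linked above. It assumes HTMLPurifier is installed through Composer (`ezyang/htmlpurifier`, loaded via `vendor/autoload.php`); the function names `build_purifier`, `prepare_rich_text_for_storage` and `stored_rich_text_for_editor` are hypothetical, and the submitted body is a constructed sample. The one ordering decision worth noticing is that HTMLPurifier runs after `html_entity_decode()`, so it sees the real markup rather than the entity-encoded form the global filter hands you.

```php
<?php
// Added example (not code from the thread). Assumes ezyang/htmlpurifier
// installed via Composer; function names below are hypothetical.
require_once 'vendor/autoload.php';

function build_purifier()
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist only the elements the rich text editor is expected to emit.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,u,ul,ol,li,a[href],h2,h3,blockquote');
    // javascript: and data: URIs are dropped because they are not listed here.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
    $config->set('AutoFormat.RemoveEmpty', true);
    return new HTMLPurifier($config);
}

/**
 * Takes the field as CodeIgniter's global XSS filter delivered it and returns
 * the string to store. Order matters: decode first so HTMLPurifier sees the
 * real tags, purify, then entity-encode the cleaned result for storage.
 */
function prepare_rich_text_for_storage($filtered_post_value, HTMLPurifier $purifier)
{
    // Step 3: undo the entity conversion the global filter applied.
    $raw = html_entity_decode($filtered_post_value, ENT_QUOTES, 'UTF-8');
    // Step 2: strip script blocks, event handlers and javascript: URIs.
    $clean = $purifier->purify($raw);
    // Step 4: encode everything uniformly before it goes into the database.
    return htmlentities($clean, ENT_QUOTES, 'UTF-8');
}

/** Step 6: reverse of the above when loading the stored value back into the editor. */
function stored_rich_text_for_editor($stored)
{
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed sample of a hostile submission. In a controller this value
// would come from $this->input->post('template_content').
$submitted = '<p>Hello <b>world</b></p>'
    . '<script>alert(1)</script>'
    . '<a href="javascript:alert(2)" onclick="steal()">link</a>'
    . '<img src=x onerror="alert(3)">';

$purifier = build_purifier();
$stored   = prepare_rich_text_for_storage($submitted, $purifier);
$editor   = stored_rich_text_for_editor($stored);

// What must hold after the round trip: no executable content survives,
// while the harmless formatting does. (Exact output is left to HTMLPurifier.)
assert(stripos($editor, '<script') === false);
assert(stripos($editor, 'javascript:') === false);
assert(stripos($editor, 'onclick') === false);
assert(stripos($editor, 'onerror') === false);
assert(strpos($editor, '<b>world</b>') !== false);

// The stored form contains no raw angle brackets at all, which is what makes
// it safe to echo in a non-editor context without further escaping.
assert(strpos($stored, '<') === false);

// In a CodeIgniter controller the same flow is:
//   $content = prepare_rich_text_for_storage($this->input->post('template_content'), $purifier);
//   $this->db->insert('templates', array('body' => $content));
//   ... later, for the edit form:
//   $data['body'] = stored_rich_text_for_editor($row->body);
echo "ok\n";
```

Two caveats a practitioner will want. First, `html_entity_decode()` also decodes any entity the user typed deliberately (a literal `&lt;script&gt;` meant as visible text becomes a real tag), so the purify step has to come after the decode, never before it, or that text would re-emerge as markup. Second, this decode/purify/encode dance exists because CodeIgniter 2 applies `xss_clean()` to the whole `$_POST` array when the Input class is constructed, so `$this->input->post('field', FALSE)` cannot skip it there; in CodeIgniter 3 the global filter is applied per fetch and passing `FALSE` as the second argument returns the unfiltered value, which lets the rich-text field go straight to HTMLPurifier without the round trip.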