Safe output
#1

Hello,
I have been thinking about how to safely output data from my database using CodeIgniter 3.

On input I use form validation (e.g. required, alpha...) but I don't use xss_clean (I read it's bad practice).

So please tell me the best way to do it.

I would like to create a really safe application, so every post will be very helpful for me.

Sorry for my English Wink
Reply
#2

I'd be interested in hearing the reason why xss_clean isn't right for input data as well. As far as I'm concerned, I was never really interested in storing something in my database that xss_clean would have filtered out. Also, by using xss_clean, does it not give me a chance to stop that data from even being stored at all?
Reply
#3

See the OWASP XSS Prevention Cheat Sheet and OWASP PHP Security Cheat Sheet. They don't come right out and tell you why you should clean the output rather than the input, but the reasons are there.

Basically:
  • You usually can't clean the data again if an issue with xss_clean() is found (and fixed) in a later release if you stored the data after you cleaned it
  • XSS prevention is context-specific, and the context in which your data is used may change over time
  • It is much easier to prevent XSS in output than it is to filter input for attacks against all possible output contexts
For example, if I want to make data available via a web API in a JSON response or display it in a web page, I would use different methods of cleaning that data to prevent attacks, and the method of cleaning the data for one use may make the data unusable for the other. Alternatively, I can clean my input, store it in my database, and someone can attack the database directly instead of my website; they insert XSS exploits into my data, but I can't run xss_clean() on it again (because it will potentially corrupt data which was previously rendered safe by xss_clean()).

This doesn't mean that you just blindly dump data into your database, then clean it when you send it to the browser. Inserting into your database is a form of output, too. However, in that case you're escaping data to be safely stored in the database, not to be safely output to a web page. Further, if you detect something malicious in the input, you can reject it outright rather than playing along with the attacker.

Your code should always assume that the input it receives, whether from a form, a URL, the database, a method/function call, or anywhere else, is a potential vector for an attack. Code which generates output should use the knowledge of the current output context to escape the data to be safely displayed in that context under the assumption that the data was received from an unsafe source.
Reply
#4

Why isn't xss_clean right for input data? Because it breaks input data and you can't restore it.

Code:
input: <script>alert(1)</script>
result: [removed]alert(1)[removed]

If the input is an attack, it is no problem. But if a user just wants to post sample code, it is a problem.
Reply
#5

(07-01-2015, 04:38 PM)kenjis Wrote: If the input is an attack, it is no problem. But if a user just wants to post sample code, it is a problem.

Thank you for this very simple and specific explanation of why cleaning input with XSS_Clean is not advised. I wish the CI and PHP docs explained it this well...
CI 3.1 Kubuntu 19.04 Apache 5.x Mysql 5.x PHP 5.x PHP 7.x
Remember: Obfuscation is a bad thing.
Clarity is desirable over Brevity every time.
Reply
#6

Thanks, so what function should I use to clean output? How can I do that correctly?
Reply
#7

(This post was last modified: 07-05-2015, 03:37 AM by BeYourCyber. Edit Reason: Add update reason on first line )

Updated my reply at http://forum.codeigniter.com/thread-6229...#pid320192; you should go forward from there. Why we need to escape on output.

---

Yes, I agree with you only on "But if a user just wants to post sample code, it is a problem."

That means the programmer (owner of that project) did not know what they did.

Some fields we cannot strip via xss_clean if they sometimes need code from the user.

So I think it is not a problem of xss_clean but a problem of the programmer's logic.

Back to the question: it does not make sense to me to clean output data, because it uses more resources compared with cleaning on input.

input > clean > the clean code runs 1 time
output > clean > may run a million times to clean it, depending on page loads

So just put the right input, and clean or not clean depending on each field; it will make things easier for you.
Reply
#8

> what function I should use to clean output?

It depends on where you output (the system you output to).
There are many systems you output to: HTML (and HTTP headers), files, databases, NoSQL, email, CLI, web APIs...

In HTML, in most cases you use the CI helper `html_escape()`.
It prevents most XSS, but if you output to some places in HTML,
`html_escape()` is still not safe enough.
See https://www.owasp.org/index.php/XSS_%28C...es_Summary

If you want users to use some (safe) HTML tags, you can't use `html_escape()`.
Reply
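As an added example (not code from this thread or from CodeIgniter itself), here is one untrusted string escaped for the HTML-body, attribute, JavaScript-data and URL contexts that posts #3 and #8 describe; the helper names are my own, and escape_html() mirrors what CI3's html_escape() does with htmlspecialchars().

```php
<?php
// Added example, not code from the thread or from CodeIgniter: the same untrusted
// string escaped for four output contexts. The helper names are assumptions;
// escape_html() mirrors what CI3's html_escape() does with htmlspecialchars().

// Constructed sample input: a user "posting sample code", as in post #4,
// plus a quote that would close an attribute value if left unescaped.
$untrusted = '<script>alert(1)</script>" title="x';

// HTML body text and quoted attribute values.
function escape_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Data handed to JavaScript inside a <script> block: JSON-encode it and
// hex-escape <, >, &, ' and " so the encoded value can never close the tag.
function escape_js_data($value)
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A value placed in a URL query string.
function escape_url_param($s)
{
    return rawurlencode($s);
}

// HTML body: the sample code is shown to the reader as literal text instead of
// being stripped to "[removed]", which is what xss_clean() on input would do.
echo '<p>' . escape_html($untrusted) . "</p>\n";

// Quoted attribute: the embedded quote becomes &quot;, so it cannot end the
// value and start a new attribute.
echo '<input type="text" value="' . escape_html($untrusted) . "\">\n";

// JavaScript data: html_escape() is the wrong rule here, because entities are
// not decoded inside <script>; JSON encoding with the HEX flags is the right one.
echo '<script>var userInput = ' . escape_js_data($untrusted) . ";</script>\n";

// URL parameter: percent-encoding, not entity encoding, is the rule for this context.
echo '<a href="/search?q=' . escape_url_param($untrusted) . "\">search</a>\n";

// Caveat from post #8: even escape_html() is not enough everywhere in HTML.
// It leaves spaces untouched, so an unquoted attribute (class=<?= ... ?>) can
// still be extended with further attributes; always quote attribute values,
// and never place HTML-escaped data inside a <script> block, a style block or
// an event-handler attribute without that context's own escaping rule.
```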
#9

(07-01-2015, 11:40 PM)twpmarketing Wrote:
(07-01-2015, 04:38 PM)kenjis Wrote: If the input is an attack, it is no problem. But if a user just wants to post sample code, it is a problem.

Thank you for this very simple and specific explanation of why cleaning input with XSS_Clean is not advised. I wish the CI and PHP docs explained it this well...

> XSS filtering should only be performed on output. Filtering input data may modify the data in undesirable ways, including stripping special characters from passwords, which reduces security instead of improving it.
http://www.codeigniter.com/user_guide/ge...-filtering

The CI User Guide has been really improved compared with before.
I recommend reading General Topics again if you read it in the past (and also Upgrading From a Previous Version if you upgrade).
Reply
#10

(07-02-2015, 08:14 AM)BeYourCyber Wrote: Back to the question: it does not make sense to me to clean output data, because it uses more resources compared with cleaning on input.

input > clean > the clean code runs 1 time
output > clean > may run a million times to clean it, depending on page loads

So just put the right input, and clean or not clean depending on each field; it will make things easier for you.

What you say is logically right. But it is not the best security practice. I mean it is dangerous,
because you can't make a single mistake. And code reviewers must check that the input filtering is correct.

And how to "clean" for output depends on the output system.

Finally, the specification of xss_clean() is very complex.
Reply