Safe output
Hello,
I have been thinking about how to safely output data from my database using CodeIgniter 3. On input I use form validation (e.g. required, alpha...) but I don't use xss_clean (I read it's bad practice). So please tell me how to do it the best way. I would like to create a really safe application, so every post will be very helpful for me. Sorry for my English.
I'd be interested in hearing the reason why xss_clean isn't right for input data as well. As far as I'm concerned, I was never really interested in storing something in my database that xss_clean would have filtered out. Also, by using xss_clean, does it not give me a chance to stop that data from even being stored at all?
See the OWASP XSS Prevention Cheat Sheet and OWASP PHP Security Cheat Sheet. They don't come right out and tell you why you should clean the output rather than the input, but the reasons are there.
Basically:
This doesn't mean that you just blindly dump data into your database, then clean it when you send it to the browser. Inserting into your database is a form of output, too. However, in that case you're escaping data to be safely stored in the database, not to be safely output to a web page. Further, if you detect something malicious in the input, you can reject it outright rather than playing along with the attacker. Your code should always assume that the input it receives, whether from a form, a URL, the database, a method/function call, or anywhere else, is a potential vector for an attack. Code which generates output should use the knowledge of the current output context to escape the data to be safely displayed in that context under the assumption that the data was received from an unsafe source.
Why isn't xss_clean right for input data? Because it breaks input data and you can't restore it.
Code:
input: <script>alert(1)</script>
If the input is an attack, it is no problem. But if a user just wants to post sample code, it is a problem.
(07-01-2015, 04:38 PM)kenjis Wrote: If the input is an attack, it is no problem. But if a user just wants to post sample code, it is a problem.
Thank you for this very simple and specific explanation of why cleaning input with xss_clean is not advised. I wish the CI and PHP docs explained it this well...
Thanks, so what function should I use to clean output? How can I do that correctly?
07-02-2015, 08:14 AM
(This post was last modified: 07-05-2015, 03:37 AM by BeYourCyber. Edit Reason: Add update reason on first line )
I updated my reply at http://forum.codeigniter.com/thread-6229...#pid320192; you should go forward from there. Why we need to escape on output.
---
Yes, I agree with you only on "But if a user just wants to post sample code, it is a problem." That means the programmer (owner of that project) did not know what they were doing. Some fields we cannot strip via xss_clean if they sometimes want code from the user. So I think it is not a problem of xss_clean but a problem of the programmer's logic.
Back to the question: it does not make sense to me to clean output data, because it uses more resources compared with cleaning on input.
input > clean > use: 1 time to clean the code
output > clean > may use a million times to clean it, depending on page loads
So just put in the right input and clean or don't clean depending on each field; it will make things easier for you.
> what function I should use to clean output?
It depends on where you output (the system you output to). There are many systems you output to: HTML (and HTTP headers), files, databases, NoSQL, email, CLI, web APIs...
In HTML, in most cases you use the CI helper `html_escape()`. It prevents most XSS, but if you output to some places in HTML, `html_escape()` is still not safe enough. See https://www.owasp.org/index.php/XSS_%28C...es_Summary
If you want users to use some (safe) HTML tags, you can't use `html_escape()`.
(07-01-2015, 11:40 PM)twpmarketing Wrote:
(07-01-2015, 04:38 PM)kenjis Wrote: If the input is an attack, it is no problem. But if a user just wants to post sample code, it is a problem.
> XSS filtering should only be performed on output. Filtering input data may modify the data in undesirable ways, including stripping special characters from passwords, which reduces security instead of improving it.
http://www.codeigniter.com/user_guide/ge...-filtering
The CI User Guide has been really improved. I recommend reading General Topics again if you read it in the past (and also Upgrading From a Previous Version if you upgrade).
(07-02-2015, 08:14 AM)BeYourCyber Wrote: Back to the question: it does not make sense to me to clean output data, because it uses more resources compared with cleaning on input.
What you say is logically right. But it is not the best security practice. I mean it is dangerous, because you can't make a single mistake. And code reviewers must check that the input filtering is correct. And how to "clean" for output depends on the output system. Finally, the specification of xss_clean() is very complex.
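The pattern the thread converges on (store the input unmodified, treat the database as one output context and escape for the browser with an escaper chosen per HTML context) as a runnable example. This is added code, not from the thread and not CodeIgniter's own helpers: it is plain PHP with PDO over an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs stand-alone. The function names, the validation rules and the sample comment are all constructed for the example; `escHtml()` does what CI 3's `html_escape()` does (it wraps `htmlspecialchars()` with `ENT_QUOTES`), and the sample input is kenjis's `<script>alert(1)</script>` posted as code, which survives intact and is displayed as text.

```php
<?php
// Added example (not from the thread or from CodeIgniter): keep the user's
// input as-is, bind it into SQL, and escape it per output context at render.
declare(strict_types=1);

// --- Input side: validate shape, never rewrite content ----------------------
function acceptComment(string $raw): string
{
    // Constructed rules: length bound and no ASCII control characters.
    // Nothing is stripped, so sample code posted by a user survives intact.
    if ($raw === '' || strlen($raw) > 4000) {
        throw new InvalidArgumentException('comment length out of range');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw)) {
        throw new InvalidArgumentException('control characters not allowed');
    }
    return $raw;
}

// --- Database as an output context: bind parameters, never concatenate -----
function storeComment(PDO $db, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// --- Browser as an output context: one escaper per context ------------------
// Element text and *quoted* attribute values (same as CI's html_escape()).
// Not enough for unquoted attributes, event handlers, <style> or <script>.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A value placed inside a <script> block: emit a JSON string literal with
// <, >, &, ' and " hex-escaped so "</script>" cannot close the block.
function escJs(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($out === false) {
        throw new InvalidArgumentException('value is not valid UTF-8');
    }
    return $out;
}

// A single query-string value inside a URL.
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

function renderComment(string $body): string
{
    return '<div class="comment" data-preview="' . escHtml($body) . '">'
         . '<pre>' . escHtml($body) . '</pre>'
         . '<a href="/search?q=' . escUrlParam($body) . '">find similar</a>'
         . '<script>var lastComment = ' . escJs($body) . ';</script>'
         . '</div>';
}

// --- Demo -------------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$posted = '<script>alert(1)</script>'; // constructed input: sample code, not an attack
$id = storeComment($db, acceptComment($posted));
echo renderComment(loadComment($db, $id)), PHP_EOL;
```

The rendered `<pre>` shows `&lt;script&gt;alert(1)&lt;/script&gt;`, i.e. the browser displays the code as text, while the `<script>` block receives `"\u003Cscript\u003Ealert(1)\u003C\/script\u003E"` as a harmless string. The point from the thread's OWASP link is that each sink gets its own escaper: reusing `escHtml()` for the URL or the script context, or dropping the quotes around the attribute, is exactly the "not safe enough" case kenjis mentions. When users must be allowed some HTML tags, none of these escapers apply; that calls for an allow-list HTML sanitizer on output rather than `html_escape()`.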