Issue with CI XSS option - Convert html entity string
#1

Hello,

I'm facing an issue while sending an HTML entity string via the POST method.

My Input is : <p>die sich Fremdvergleichs- grundsatz ( &laquo; arm&rsquo;s lengths principle &raquo; ) nennt. Dabei geht das</p>
CI input->post method's output is : <p>die sich Fremdvergleichs- grundsatz ( « arm’s lengths principle » ) nennt. Dabei geht das</p>

My XSS option is enabled, and while debugging the code I found that the Security class replaces HTML entity names with their values. Is there any way to use the XSS option and still get the same HTML entity string?

I'm using CI version 3.0.3.


Thanks,
Priyank
#2

You should not use XSS filtering in your input process (validating the input, storing it in your DB, etc.); you should use XSS filtering only in your output process, for numerous reasons. This has been discussed numerous times on the forum.

https://www.codeigniter.com/user_guide/l...input.html
#3

You don't have to use the XSS option or XSS filtering at all.
It changes your input data in many ways. I have never used it.
#4

(03-20-2016, 01:44 AM)kenjis Wrote: You don't have to use the XSS option or XSS filtering at all.
It changes your input data in many ways. I have never used it.

Hi Kenjis,

Do I need to use my own custom methods for XSS filtering? Really, I'm not in favor of directly storing vulnerable data in the database and doing XSS filtering on output.

BTW, I found a solution for this issue: I just changed the charset value from UTF-8 to ISO-8859-5. Now the CI Security class's HTML entity decode method gives me the same output as the input.

Thanks,
Priyank
#5

(03-20-2016, 10:23 AM)Priyank Wrote: Do I need to use my own custom methods for XSS filtering? Really, I'm not in favor of directly storing vulnerable data in the database and doing XSS filtering on output.

Storing blindly-sanitized data into the database is what will make it vulnerable.
#6

(03-20-2016, 10:59 AM)Narf Wrote: Storing blindly-sanitized data into the database is what will make it vulnerable.

True, but if I store input data without the XSS filter then I need to apply the XSS filter in the view. As per my understanding, both input-side and output-side filters will make the same change to the data. As you said in your last reply, you never used the XSS option, so do you know any other way?
#7

Generally accepted practices currently state that you only escape when you need to - in this case on output in the view, and also when saving to the database. The difference being that you're escaping for different things.

So - saving to the database, use your database's escape method. Showing in a view, use htmlspecialchars (or xss_clean, or whatever your template engine provides, if using one). Is it part of a URL? Then it'll need to be escaped slightly differently than just htmlspecialchars.

The reason for this is that if you xss_clean it as input, then you limit your options, possibly permanently mangling the data, even though you might need the raw version somewhere down the line.

Other possible solutions are PHP's filter_var() and similar commands. Those can be used for both validation and sanitization.

Unfortunately, security is complex, and we should all constantly learn more about it. But don't skip it!
#8

(03-20-2016, 07:42 PM)Priyank Wrote:
(03-20-2016, 10:59 AM)Narf Wrote: Storing blindly-sanitized data into the database is what will make it vulnerable.

True, but if I store input data without the XSS filter then I need to apply the XSS filter in the view. As per my understanding, both input-side and output-side filters will make the same change to the data. As you said in your last reply, you never used the XSS option, so do you know any other way?

I've said no such thing in my last reply (and I didn't have any other reply in this thread).

Yes, you need to apply XSS filtering in the view - that is the only proper way to do it. You're trying to avoid the only correct solution.
#9

(03-21-2016, 01:12 AM)Narf Wrote: I've said no such thing in my last reply (and I didn't have any other reply in this thread).

Yes, you need to apply XSS filtering in the view - that is the only proper way to do it. You're trying to avoid the only correct solution.

Ah, it was not you, Narf. I'm talking about kenjis's reply (http://forum.codeigniter.com/post-330215.html#pid330215):

"kenjis Wrote: You don't have to use the XSS option or XSS filtering at all. It changes your input data in many ways. I have never used it."
#10

I never use the XSS filter in CodeIgniter.
Because I don't believe it is safe. Do you know how many times there were vulnerabilities in it in the past?
(But I think it is getting safer than ever.)
Because it changes input data with very complex rules. I can't predict the output. And it changes input data permanently. I can't get the raw data back after filtering with it.

I use html_escape() in views. It is a CodeIgniter helper for using htmlspecialchars().
https://www.codeigniter.com/userguide3/g...tml_escape

But it is also not perfect.
If you want input data to include specific HTML tags, you can't use it. In that case, I use HTML Purifier http://htmlpurifier.org/.

If you want to output input data in dangerous places, like inside <script> elements or in places where you can write URLs, it can't prevent XSS attacks perfectly.
I recommend you not output user data in dangerous places in views.
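The script below is an added example for this thread; it is not code from the posts above and not CodeIgniter's own code. It puts the advice in posts #7 and #10 (store the raw value, encode per output context) next to the entity decoding the first post observed, in one runnable file. It assumes plain PHP 7.3 or later with the pdo_sqlite extension and no framework loaded; the function names, the sample input and the hostile string are constructed for the example. escHtml() makes the htmlspecialchars() call that CodeIgniter 3's html_escape() helper wraps, with ENT_SUBSTITUTE added so invalid UTF-8 is replaced instead of turning the whole string into an empty one.

```php
<?php
// Added example, not CodeIgniter code: keep the raw submission and encode it
// for each output context, instead of running xss_clean() on input.
// Assumes plain PHP 7.3+ with pdo_sqlite; no framework is loaded.
declare(strict_types=1);

// Constructed sample, mirroring the input from the first post: HTML with named entities.
const RAW_INPUT = '<p>die sich Fremdvergleichs- grundsatz ( &laquo; arm&rsquo;s lengths principle &raquo; ) nennt. Dabei geht das</p>';
// Constructed hostile submission, to show the output encoders neutralise it with no input filter at all.
const HOSTILE_INPUT = '"><script>alert(document.cookie)</script><a href="javascript:alert(1)">x</a>';

/** What an input-side entity decode does: &laquo; becomes « and the original string is gone for good. */
function decodeOnInput(string $s): string
{
    return html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** HTML body and quoted-attribute context (the call CodeIgniter's html_escape() wraps, plus ENT_SUBSTITUTE). */
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** URL query or path component context. Output contains only unreserved chars and %XX, so it is also attribute-safe. */
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

/** String literal inside a <script> block: JSON with < > & ' " hex-escaped, so "</script>" can never appear in it. */
function escJs(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Store the raw value with a parameterised query and read it back; the database driver does the SQL escaping. */
function storeAndLoad(PDO $db, string $value): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $ins->execute([':body' => $value]);
    $sel = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $sel->execute([':id' => (int) $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

foreach ([RAW_INPUT, HOSTILE_INPUT] as $input) {
    $stored = storeAndLoad($db, $input);
    if ($stored !== $input) {
        // Must never happen: nothing is "sanitised" away on the way in, the raw value is still there.
        throw new RuntimeException('round trip changed the data');
    }
    echo "stored raw:        $stored\n";
    echo "decoded on input:  " . decodeOnInput($input) . "\n";                          // &laquo; -> «, &rsquo; -> ’
    echo "HTML context:      <div>" . escHtml($stored) . "</div>\n";                     // <p> -> &lt;p&gt;, &laquo; -> &amp;laquo;
    echo "URL context:       <a href=\"/search?q=" . escUrlParam($stored) . "\">link</a>\n";
    echo "JS context:        <script>var body = " . escJs($stored) . ";</script>\n\n";
}
```

Run it with php on the command line. Note what the HTML-context line shows: the whole stored string, <p> tags included, comes out as literal text, and the entity names survive as &amp;laquo; rather than being turned into «. That is the trade-off post #10 describes; if the tags must actually render, the place for an allow-list sanitiser such as HTML Purifier is at output time as well, not an input filter that rewrites what goes into the database.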