filter input - escape output
#1

(This post was last modified: 05-22-2016, 01:06 AM by edoramedia.)

In theory I completely understand what is being said here and how we should not manipulate the data that is saved in the database (hence why xss_clean has been deprecated from the form validation); however can someone please explain it in the below example:

We have a login page with:
email: _________
password: _________

How do I make sure that an XSS attack does not happen here? In other words, how do I escape the output, or what should I do in terms of filtering the input?
#2

What's your output?
#3

(05-22-2016, 02:01 AM)kenjis Wrote: What's your output?

Output is basically user details according to the email/password combo which is then stored in a SESSION.
#4

Basically you escape the output by using `html_escape()` in your view files.
https://www.codeigniter.com/userguide3/h...eld-values
It is an alias for `htmlspecialchars()`.


But in some places, using `html_escape()` is not enough.
See https://www.owasp.org/index.php/XSS_%28C...es_Summary
#5

In addition to the existing function html_escape() I've got functions for escaping in other contexts:

Code:
// Escapers

// html_escape() already has been implemented.

// Each helper below runs the value through Twig's built-in 'escape' filter,
// selecting the escaping strategy for the target context with the last
// argument (html_attr, js, css, url).

if (!function_exists('html_attr_escape')) {
    // Value placed inside an HTML attribute.
    function html_attr_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'html_attr');
    }
}

if (!function_exists('js_escape')) {
    // Value placed inside a JavaScript string literal.
    function js_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'js');
    }
}

if (!function_exists('css_escape')) {
    // Value placed inside a CSS property value.
    function css_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'css');
    }
}

if (!function_exists('url_escape')) {
    // Value placed inside a URL query-string parameter.
    function url_escape($string) {
        $twig = & _get_simple_twig_instance();
        return call_user_func($twig->getFilter('escape')->getCallable(), $twig, $string, 'url');
    }
}

if (!function_exists('_get_simple_twig_instance')) {
    // Lazily creates one shared, minimal Twig environment (no cache, no
    // templates) that exists only so the escape filter can be called.
    function & _get_simple_twig_instance() {
        static $instance = null;

        if (!isset($instance)) {
            $instance = new Twig_Environment(
                new Parser_Twig_Loader_String,
                array(
                    'debug' => false,
                    'charset' => config_item('charset'),
                    'base_template_class' => 'Twig_Template',
                    'strict_variables' => false,
                    'autoescape' => 'html',
                    'cache' => false,
                    'auto_reload' => null,
                    'optimizations' => -1,
                )
            );
        }

        return $instance;
    }
}

// End Escapers

I use the internal escapers of Twig because I already have it. But it is not necessary for you to install Twig in your system; you can easily rewrite the bodies of these helper functions by using the small component Zend\Escaper https://github.com/zendframework/zend-escaper It has the same routines inside; install it with Composer.
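The point made in posts #4 and #5 (html_escape() covers text between tags, other contexts need their own escaper), as an added example that is not part of the thread, CodeIgniter or Twig: plain-PHP bodies for html_attr_escape(), js_escape() and url_escape(), plus the login page from post #1 rendered with the right escaper for each context. Only the function names come from post #5; the helper _escaper_codepoint(), the two render functions and the sample values are constructed here.

```php
<?php
// Added example, not code from the thread, CodeIgniter or Twig: plain-PHP
// bodies for the context escapers, so no Twig or Zend\Escaper install is
// needed. The markup and sample values below are constructed for illustration.

// Escaper for text between tags (mirrors CodeIgniter's html_escape()).
if (!function_exists('html_escape')) {
    function html_escape($var, $double_encode = true)
    {
        return htmlspecialchars($var, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', $double_encode);
    }
}

// Code point of one UTF-8 character (hypothetical helper; avoids mb_ord so it
// also works on PHP versions older than 7.2).
function _escaper_codepoint($char)
{
    $ucs4 = unpack('N', mb_convert_encoding($char, 'UCS-4BE', 'UTF-8'));
    return $ucs4[1];
}

// HTML attribute value: every character outside [A-Za-z0-9,._-] becomes a
// numeric entity, so the result stays safe even if a template forgot the quotes.
function html_attr_escape($string)
{
    return preg_replace_callback('/[^A-Za-z0-9,._-]/u', function ($m) {
        return sprintf('&#x%X;', _escaper_codepoint($m[0]));
    }, $string);
}

// JavaScript string literal: one \uXXXX per UTF-16 code unit (astral characters
// become surrogate pairs), so quotes, "</script>" and line terminators can never
// break out of the literal. html_escape() would not help in this context.
function js_escape($string)
{
    return preg_replace_callback('/[^A-Za-z0-9,._]/u', function ($m) {
        $out = '';
        foreach (unpack('n*', mb_convert_encoding($m[0], 'UTF-16BE', 'UTF-8')) as $unit) {
            $out .= sprintf('\\u%04X', $unit);
        }
        return $out;
    }, $string);
}

// Query-string parameter value (RFC 3986 percent-encoding). The result contains
// only unreserved characters and '%', so it is also safe inside a quoted attribute.
function url_escape($string)
{
    return rawurlencode($string);
}

// The login page from post #1: the submitted email is echoed back into a quoted
// attribute, the error message into an element body, and a "return to" path into
// a query-string parameter. Each value goes through the escaper for its context.
function render_login_form($submitted_email, $error_message, $return_path)
{
    return '<form method="post" action="/login?next=' . url_escape($return_path) . '">'
        . '<p class="error">' . html_escape($error_message) . '</p>'
        . '<input type="email" name="email" value="' . html_attr_escape($submitted_email) . '">'
        . '<input type="password" name="password">'
        . '<button type="submit">Sign in</button>'
        . '</form>';
}

// After login, the display name kept in the session is handed to inline
// JavaScript, one of the places where html_escape() is not enough.
function render_welcome_script($display_name)
{
    return '<script>var displayName = "' . js_escape($display_name) . '";</script>';
}

// Constructed sample input: a classic XSS probe in the email field and a display
// name containing a quote and a closing script tag.
echo render_login_form('"><script>alert(1)</script>', 'Wrong email or password', '/account?tab=1'), PHP_EOL;
echo render_welcome_script("O'Brien </script>"), PHP_EOL;
```

Running the script shows the probe arriving in the page as entities (&#x22;&#x3E;&#x3C;script&#x3E;...) and the name inside the script as \u0027 and \u003C\u002Fscript\u003E sequences; the browser decodes both back to the original text for display, but neither can start a tag or end the string literal. As post #6 notes, CodeIgniter's form helper does the attribute escaping for you when you build fields with it; the JavaScript and URL cases still need their own escaper.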
#6

Note that in the first link that Kenjis cited - that for echoing out a value in a form field - you don't have to use that function IF you are using the Codeigniter form helper. The form helper makes it much faster to build out form fields, and having that security there automatically is also a big plus.