Preventing XSS injection in querystring
#1

I have a CI3 site that is vulnerable to XSS injection via the querystring:

https://thesite.com/search?q=x'><svG onLoad=alert(document.domain)>

I have all inputs going through
Code:
$this->input->get('q', true)
so it's protected at the server end but still runs when the page is loaded with the malicious querystring.

How can the execution of the javascript be prevented?
Reply
#2

Show how you are using it.
Reply
#3

(12-19-2017, 07:38 AM)skunkbad Wrote: Show how you are using it.

When receiving the inputs, it loops through each one in the querystring:

Code:
if ( ! empty( $_GET[ $field ] ) ) {
  $query[ $field ] = $this->input->get( $field, true );
}

The thing I don't get is that this deals with server side and the JS is being executed client side. So is there detection where you could reload with an escaped version of the URL? Or redirect to an error page if detected?
Reply
#4

From what I've seen, JavaScript has a way of turning HTML entities back into their decoded counterparts. For you that means that the html_escape function and using the second parameter of the input class's get method may not be enough if you are using the values in JavaScript.

In your code, you end up with an array named $query. How do you use that?

Recently, @ivantcholakov replied to a post I had written: https://forum.codeigniter.com/thread-693...#pid348960 . In that post, he recommended Zend Escaper, which for my particular needs was the perfect solution. I even created a helper function to make it super easy to use:

PHP Code:
<?php

/**
 * To make it easy to use a json string in an HTML
 * element's data attribute, we can use this function
 * which will swap out all instances of single and double
 * quotes.
 */
function json_encode_for_attr($x)
{
    $CI =& get_instance();

    // Load the Zend Escaper library, passing the configured charset
    $CI->load->library('escaper', config_item('charset'));

    // Escape the JSON so it is safe inside an HTML attribute value
    return $CI->escaper->escapeHtmlAttr( json_encode($x) );
}

In my case I am using this function to escape characters for insertion into HTML attributes, where I like to json_encode arrays for use by JavaScript. Without Zend Escaper's method, JavaScript would run the contents of the attribute as decoded entities, even though the values had been passed through html_escape.

So, even though you haven't shown what you're doing with that $query array, you just need to know that CodeIgniter's escaping is not thorough enough in some cases. Show how you are using that $query array, and somebody here will be able to recommend a solution that works for you.
Reply
#5

You can only make your server-side code filter this out when it generates links itself, but you can't otherwise prevent it ... That would mean preventing users from writing it in their browser address bars - simply not possible.
Reply
#6

Code:
function clean($string) {
  $string = str_replace(' ', '-', $string); // Replaces all spaces with hyphens.

  return preg_replace('/[^A-Za-z0-9\-]/', '', $string); // Removes special chars.
}
Code:
echo clean('a|"bc!@£de^&$f g');

Will output: abcdef-g
Reply
#7

You can try this code 

$comment = strip_tags($string);
Reply
#8

(This post was last modified: 12-28-2017, 06:51 AM by jreklund. Edit Reason: Added a side note to jihob. )

@jhob:
Remove the second value (true), it's not recommended to strip for XSS before inserting it into the database. That can leave you open to database truncated XSS attacks. You should validate your data on what you are expecting instead. Does the user specify only an e-mail? Validate against that. Only numbers? Validate against that. And so forth.
Note: In your case with only searching, it doesn't matter. But I guess you are using it on every GET/POST as well.

@rolly:
A note regarding your regex, if the code gets UTF8 you will need to add the letter 'u' at the end of the regex. Depending on what the user supplies, it can be a helpful function.

@XtreemDeveloper:
That's not a good recommendation. It will leave you open to XSS attacks in ALL html attributes. You will need to escape the data depending on where you are using it.

Here are some good resources regarding the matter. The built in html_escape in CI is the same as htmlspecialchars and should only be used in "HTML BODY" if you don't want the HTML to be rendered. For everything else you need to take extra precautions.
https://www.owasp.org/index.php/XSS_(Cro...es_Summary
https://paragonie.com/blog/2015/06/preve...-need-know
Reply
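Added example, not part of any post in this thread: escaping the search term at output time, per context, as the last post advises. The thread never shows the view, so the single-quoted attribute in render_unsafe() is an assumption, and the function names esc_html, esc_js, render_unsafe and render_safe are hypothetical; only plain PHP functions are used.

```php
<?php
// Constructed input: the query-string value from the first post, URL-decoded.
$q = "x'><svG onLoad=alert(document.domain)>";

// Vulnerable pattern (assumed view code): the raw value is concatenated into
// a single-quoted attribute, so the quote closes the attribute and the markup
// that follows is parsed as a new element.
function render_unsafe(string $q): string
{
    return "<input type='text' name='q' value='" . $q . "'>";
}

// HTML body text or a quoted attribute value: encode & < > " and ' when
// printing. ENT_QUOTES matters because the attribute uses single quotes.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inline <script> context: emit a JSON string literal with < > & ' " written
// as \uXXXX escapes, so the value cannot end the string or the script element.
// HTML entities are the wrong encoding here; script content is not
// entity-decoded by the browser.
function esc_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

// The same value printed into three contexts, each with its own encoder.
function render_safe(string $q): string
{
    return "<p>Results for " . esc_html($q) . "</p>\n"
         . "<input type='text' name='q' value='" . esc_html($q) . "'>\n"
         . "<script>var searchTerm = " . esc_js($q) . ";</script>";
}

echo render_unsafe($q), "\n\n", render_safe($q), "\n";
```

Unquoted attributes, URL attributes such as href, and event-handler attributes need their own handling and are not covered by these two helpers.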



