Sanitize user input from form data (input text)
I am currently running CI3 and would like some help on how I can sanitize user input to prevent:
1. XSS
2. Input such as <script>alert(some malicious code)</script>
3. HTML Injection
I am using a combination of $this->db->escape_str / $this->db->escape (sticks quotes around the input) to save user input and htmlentities when displaying it. I am able to input <script>alert(some malicious code)</script> and it is not caught or cleaned up by the functions above. I will appreciate any help.
Hirsi
Well, there are a few approaches. I'm on CI4; what I've done is create a utility class and use regex. I have played with it and have a few methods.
Without going into it deeply, I can't guarantee what I write here was my final choice, but looking into my utility class I see:
Code:
protected $scriptPattern = ['<script>', '</script>'];
So first you have to have a form or other input-gathering method to get input; then pass that to a controller or other designated class. In my method I get the text entered into a text box from a form via the appropriate method and assign the string to a variable called $input. I use PHP str_ireplace; $this->scriptPattern will be what to look for, and I just substitute "" in its place if found. I assign the result to a $ridScript variable and use that wherever I was going to use the original input.
Now for HTML input, I had to write near-foolproof code for a CMS that my daughter would use; a PDF is produced on the fly, but for reasons I won't go into I wanted to remove some HTML tags and leave others. Again, this is the way I've done it:
Code:
$myStringStripTags = strip_tags($mystring, ['p', 'a', 'h4', 'h1', 'h3', 'h2']);
If memory serves me correctly, this PHP function allows you to get rid of HTML tags AND ALSO leave some behind. Now in my blog I need to allow the user to enter paragraph tags:
Code:
<p> </p>
So in summary: write your own class, make sure the system can find it, instantiate it somewhere where you intend to use it, pass data to the handle of the instantiated class, and get the cleaned stuff back using return in a method of the class. You will have to check the version of PHP that you are using and whether that version of PHP has the capability of what I'm alluding to.

(12-08-2021, 10:32 AM)captain-sensible Wrote: Well, there are a few approaches. I'm on CI4; what I've done is create a utility class and use regex. I have played with it and have a few methods.
Captain: Thank you very much. It is awesome when a decent member takes the time to share his knowledge with the rest of us. It is folks like you who keep us believing in the possibilities of CI.
AHirsi
You can strip the unwanted tags like Captain said, but you also should escape the output when you display the data.
In CI3 you can use html_escape() and in CI4 you can use esc().
What does "sanitize user input" mean?
It is not clear. To prevent XSS, all you have to do is escape meta characters when you output something as HTML. You can do it with html_escape() or esc(), as includebeer says.

(12-08-2021, 03:28 PM)includebeer Wrote: You can strip the unwanted tags like Captain said, but you also should escape the output when you display the data.
Thank you includebeer.
12-09-2021, 02:19 AM
(This post was last modified: 12-09-2021, 02:22 AM by captain-sensible. Edit Reason: clarified )
I've had problems with using esc() on CI4 to do with a CMS system, where the admin of the web app is editing an already posted blog, and the content is stored in fields of an SQLite database; it's to do with the rendering. It didn't work for me, probably my fault rather than esc(). When I get time I will try and re-create the problem and take a snapshot.
From memory, if a user enters <p> </p> into the content, then I want that rendered, which it didn't seem to do with tags and use of esc(). As I say, probably an error on my part.

(12-09-2021, 02:19 AM)captain-sensible Wrote: From memory, if a user enters <p> </p> into the content, then I want that rendered, which it didn't seem to do with tags and use of esc().
If you want users to use HTML tags (as HTML tags), you can't simply use `esc()`. So it is not your error. In that case, you have to check the user input and remove all tags that you don't want to use. It is a very difficult thing. I recommend you use a library to parse HTML and make it clean, like http://htmlpurifier.org/
(12-09-2021, 02:19 AM)captain-sensible Wrote: I've had problems with using esc() on CI4 to do with a CMS system, where the admin of the web app is editing an already posted blog, and the content is stored in fields of an SQLite database; it's to do with the rendering. It didn't work for me, probably my fault rather than esc(). When I get time I will try and re-create the problem and take a snapshot.
Not an error on your part. I don't think you can use esc() and still render some HTML. It will just output the HTML code as plain text. I solved this problem by using markdown code and a library to convert markdown to HTML.
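As an added example (my own script, not code from the thread, from CodeIgniter or from captain-sensible's utility class), the following PHP puts the three approaches discussed in this thread side by side on Hirsi's sample input: escaping on output as html_escape()/esc() do, the literal `<script>` removal from the $scriptPattern approach, and the strip_tags() allowlist that keeps `<p>` renderable. The function names and the sample string are assumptions for illustration.

```php
<?php
// Added example, not code from the thread or from CodeIgniter.
// Two different jobs the posts above mix together:
//   1. escaping on OUTPUT, which is what CI3 html_escape() and CI4 esc()
//      effectively do (htmlspecialchars underneath) and what stops XSS
//      when the value is meant to be shown as plain text;
//   2. reducing stored HTML to an allowlist, needed only when users are
//      meant to author markup such as <p>...</p>.
// Constructed sample input: the string Hirsi pasted in the first post,
// followed by a paragraph the CMS is supposed to render.
$input = '<script>alert(some malicious code)</script><p>hello</p>';

// 1. Output escaping: the browser shows the tags as literal text and runs
//    nothing. DB escaping (escape_str / escape) only protects the SQL
//    query; it leaves this string intact for the page. Note that <p> is
//    escaped too, which is exactly why esc() "did not render" the
//    paragraph in captain-sensible's CMS.
function escape_for_html(string $s): string
{
    // ENT_QUOTES also escapes ' so the value is safe inside attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Literal-string removal as in the $scriptPattern approach: it removes
//    exactly those two strings and nothing else (the JavaScript text
//    between them survives), so it does not replace escaping on output.
function rid_script(string $s): string
{
    return str_ireplace(['<script>', '</script>'], '', $s);
}

// 3. Allowlist via strip_tags(): keeps <p> so it renders, drops <script>
//    (again keeping the text between the tags). The array form of the
//    second argument needs PHP 7.4+; older versions take '<p><a>...'.
//    Caveat: strip_tags() keeps every attribute on an allowed tag, which
//    is why the thread points to a real HTML parser such as HTML Purifier
//    when users may author markup.
function strip_to_allowlist(string $s): string
{
    return strip_tags($s, ['p', 'a', 'h1', 'h2', 'h3', 'h4']);
}

echo "escaped for output: ", escape_for_html($input), PHP_EOL;
echo "after rid_script:   ", rid_script($input), PHP_EOL;
echo "after allowlist:    ", strip_to_allowlist($input), PHP_EOL;
// In a CI view, only the escaped form is safe to print for a plain-text
// field; the allowlisted form is what you store when <p> must render.
```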