XML RPC > html in response > htmlspecialchars + javascript stripping
#1

[eluser]HdotNET[/eluser]
Hi there,

Building an XMLRPC server application.

The problem I am having is that I need to send html as a response, however the response is being received escaped using htmlspecialchars.

ie, this:

Code:
<html>
<body>
This is some text.
<script>
var thing="blah";
</script>
</body>
</html>

becomes this in the response:

EDIT: Spaces put in artificially after ampersands to prevent the browser rendering them as entities.

Code:
<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member>
<name>htmloutput</name>
<value>
<string>& lt;html& gt;& lt;body& gt;This is some text.& lt;script& gt; var thing=& quot;blah& quot;;& lt;/script& gt;& lt;/body& gt;& lt;/html& gt;</string>
</value>
</member>
</struct></value>
</param>
</params>
</methodResponse>

and once the client outputs the result, the script tag has also been stripped:

Code:
& lt;html& gt;& lt;body& gt;This is some text. var thing="blah";& lt;/body& gt;& lt;/html& gt;


My testing here is using the example lifted straight from the manual:


http://ellislab.com/codeigniter/user-gui...mlrpc.html

Except the server response is formulated as follows:

Code:
$string = '&lt;html&gt;&lt;body&gt;This is some text. var thing="blah";&lt;/body&gt;&lt;/html&gt;';

$response = array (
              array(
                    'htmloutput' => array($string, 'string')
                   ),
              'struct'
            );

Looking through the XML-RPC code I can see that htmlspecialchars is used; while not ideal, I suppose I can get round that with htmlspecialchars_decode, or alternatively alter the library so as to allow it to send html using cdata.


I haven't yet found how the tags are being removed, which is somewhere in the client library.

So my question is ...

How the hell do I send html with javascript?

Or should I RTFM a bit more ;-)?
http://www.xmlrpc.com/spec
#2

[eluser]HdotNET[/eluser]
k... looked further.

the xmlrpc class is cleaning the output using the CI input->xss_clean() method.

it happens within the xmlrpc->decode()
(called by send_request within the xmlrpc_client controller)

commenting a couple of lines solves the script tag removing problem.

why is the data being xss cleaned here?

Code:
function decode($array=FALSE)
    {
    
        $CI =& get_instance();

        if ($array !== FALSE && is_array($array))
        {
            while (list($key) = each($array))
            {
                if (is_array($array[$key]))
                {
                    $array[$key] = $this->decode($array[$key]);
                }
                else
                {
                    //HDOTNET
                    //$array[$key] = $CI->input->xss_clean($array[$key]);
                }
            }
            
            $result = $array;
        }
        else
        {
            $result = $this->xmlrpc_decoder($this->val);
            
            if (is_array($result))
            {
                $result = $this->decode($result);
            }
            else
            {
                //HDOTNET
                //$result = $CI->input->xss_clean($result);
            }
        }
        
        return $result;
    }
#3

[eluser]HdotNET[/eluser]
... well silence is deafening here, but suppose it is the weekend.

I'm not sure the default XMLRPC library is actually working as expected, so I may have uncovered a bug.

The manual states we input->xss_clean

http://ellislab.com/codeigniter/user-guide/libraries/input.html

Quote:The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.

also

Quote:If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.php file

$config['global_xss_filtering'] = FALSE in my config.php, therefore I believe the XMLRPC class may not be behaving as it should, as it is using the xss_clean function on the received data regardless of the config file setting.

Here's how the decode method should look:

Code:
function decode($array=FALSE)
    {
    
        $CI =& get_instance();

        if ($array !== FALSE && is_array($array))
        {
            while (list($key) = each($array))
            {
                if (is_array($array[$key]))
                {
                    $array[$key] = $this->decode($array[$key]);
                }
                elseif($CI->config->item('global_xss_filtering') == TRUE)//HDOTNET
                {
                    
                    $array[$key] = $CI->input->xss_clean($array[$key]);
                }
            }
            
            $result = $array;
        }
        else
        {
            $result = $this->xmlrpc_decoder($this->val);
            
            if (is_array($result))
            {
                $result = $this->decode($result);
            }
            elseif($CI->config->item('global_xss_filtering') == TRUE)//HDOTNET
            {
                
                $result = $CI->input->xss_clean($result);
            }
        }
        
        return $result;
    }

would love it if someone could jump in and tell me if I'm missing the point here.
#4

[eluser]HdotNET[/eluser]
Wondering whether to post this as a bug or not.

The user guide implies that the XSS filter is not used by default, and must be turned on via the config file.

Yet the XML-RPC class is xss cleaning the data regardless of any setting in the config.

Anyone care to comment?
#5

[eluser]jeffpeck[/eluser]
I am also having an issue where the xmlrpc xss cleaner is altering some html. I am just going to modify the code. I hope that this is fixed in the next version.
#6

[eluser]HdotNET[/eluser]
so maybe I am right....
#7

[eluser]Phil Sturgeon[/eluser]
Don't use XMLRPC, use REST. Much more fun to work with. :-)
#8

[eluser]jeffpeck[/eluser]
As for the html entities, that is not a bug. HTML tags must be encoded before being sent so as not to confuse them with the xml, and therefore need to be decoded on return.

It is more an issue that I should be able to choose whether I want to xss clean everything that comes through XMLRPC, just like I can do with POST and GET. I understand that one might want to remove any malicious code from a response, for example if one were to use XMLRPC as a web service backend to a public blog where you can't have people posting [removed] tags in their blog entries to steal cookies, etc. But in a controlled environment where you need the ability to send unaltered HTML, this is a major drawback.

I do not like the idea of editing the files in the /system/ directory since then I have to remember to change it when there is an update.

I am currently working on finding a nice clean way to encode/decode any strings that are sent or received so the XSS cleaner won't even recognize them.
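The transport-encoding point made in this post, as an added example using Python's standard-library xmlrpc.client rather than CodeIgniter's Xmlrpc class (this is not code from the thread): the library escapes `<` and `>` itself, the client's XML parser reverses that, and escaping the value yourself beforehand (as the server code in post #1 did) is what leaves literal `&lt;` text at the client. HTML_PAYLOAD is a constructed sample modelled on post #1.

```python
import html
import xmlrpc.client

# Constructed sample: the HTML the server wants to hand back verbatim,
# modelled on the snippet in post #1.
HTML_PAYLOAD = ('<html><body>This is some text.'
                '<script>var thing="blah";</script></body></html>')

# What post #1's server code did: htmlspecialchars() the value *before*
# giving it to the XML-RPC library (html.escape plays that role here).
PRE_ESCAPED = html.escape(HTML_PAYLOAD, quote=False)


def build_response(value: str) -> str:
    """Server side: wrap {'htmloutput': value} in a methodResponse.

    The library XML-escapes the string itself; that is transport-level
    encoding needed to keep the document well-formed, not a mangling.
    """
    return xmlrpc.client.dumps(({"htmloutput": value},), methodresponse=True)


def parse_response(wire: str) -> str:
    """Client side: the XML parser undoes the transport escaping."""
    params, _method = xmlrpc.client.loads(wire)
    return params[0]["htmloutput"]


def round_trip(value: str) -> str:
    """Server encode followed by client decode of one struct member."""
    return parse_response(build_response(value))


if __name__ == "__main__":
    # Correct usage: raw HTML in, escaped on the wire, raw HTML back out.
    wire = build_response(HTML_PAYLOAD)
    assert "&lt;script&gt;" in wire and "<script>" not in wire
    assert round_trip(HTML_PAYLOAD) == HTML_PAYLOAD
    # Double encoding: pre-escaped HTML is escaped again (&amp;lt;), so the
    # client receives literal entity text, which is what post #1 observed.
    assert "&amp;lt;html" in build_response(PRE_ESCAPED)
    assert round_trip(PRE_ESCAPED) == PRE_ESCAPED
    print(wire)
```

Whether the decoded string is then sanitised (the xss_clean step this thread is about) is a separate, application-level decision that sits after parse_response, not part of the XML encoding.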
#9

[eluser]jeffpeck[/eluser]
I have given up on trying to make some text encoding/decoding methods and simply commented out the lines that use the XSS cleaner and added one line. For reference, in the file system/libraries/Xmlrpc.php:

Line 516:
Code:
// $array[$key] = $CI->input->xss_clean($array[$key]);

Line 532:
Code:
// $result = $CI->input->xss_clean($result);

Line 1130:
Code:
// $array[$key] = $CI->input->xss_clean($array[$key]);

Line 1150:
Code:
$parameters[] = $a_param;
// $parameters[] = $CI->input->xss_clean($a_param);

Note, I am not using REST because I am interacting with an interface in Flex.
#10

[eluser]Phil Sturgeon[/eluser]
This REST client looks alright to me. It can be used at a basic level to just output XML and the usage is much easier, nothing to lose. :-)
