Question about Cross Site Scripting (XSS) Filter Implementation
#1

[eluser]geoffa[/eluser]
I'm working on a site that lets users edit HTML snippets and preview the results on the same page: http://showmehtml.com/

I had this feature enabled with jQuery but removed it after being educated about cross site scripting attacks (XSS). I know CodeIgniter has a server-side XSS filter but wasn't sure how exactly to implement it in my particular situation.

In theory it seems like I could do the following:
- Have each form post via AJAX to a server-side script that runs the XSS filter
- Return the sanitized results to the page

Questions I have about this approach:
- Multiple forms on one page? Doesn't seem like it would work.
- Does the XSS filter remove markup entirely or just harmful markup? Since my site's purpose is to help people learn HTML, filtering all markup out wouldn't really work.

Thanks in advance for any advice. I'm going to work through some of these issues tonight but wanted to consult the experts first :)

-geoff
#2

[eluser]TheFuzzy0ne[/eluser]
xss_clean only removes tags/data that could potentially be harmful. It shouldn't touch any legit mark-up.

As for submitting multiple forms, I think you have three options:
1) Combine the forms into one, so you only have a single form.
2) Collect the data from all forms at once and then submit that. You'd then need to be able to differentiate between the returned data sets in order to process the reply for each form.
3) Submit each form as a separate request.
#3

[eluser]geoffa[/eluser]
Thanks for the prompt reply. I was able to get the XSS filter working this afternoon by posting to CodeIgniter with jQuery/AJAX and it works great. I'm able to edit an example and render it back to the page without a refresh (tags and all). I was doing this before using jQuery exclusively on the client-side but adding in the XSS filter makes it feel safer to me.

I'm still working through getting each form to post separately.

Thanks again.
#4

[eluser]geoffa[/eluser]
I now have this working exactly like I wanted it. The XSS filter works great along with an AJAX jQuery post request (click the source icon and edit): http://showmehtml.com

Thanks again for the help.
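Added example (not geoffa's code or CodeIgniter's own): a CodeIgniter 2.x/3.x controller that implements the approach settled on above, each form posting its snippet separately over AJAX, the server running xss_clean and returning the sanitized HTML as JSON. The controller name Preview, the method sanitize, the POST fields snippet and form_id and the 16 KB size limit are assumptions.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// Assumed controller name; reachable as POST /index.php/preview/sanitize
class Preview extends CI_Controller
{
    public function sanitize()
    {
        // Only answer XMLHttpRequest POSTs; anything else gets a 405 and no body.
        if ( ! $this->input->is_ajax_request()
            OR $this->input->server('REQUEST_METHOD') !== 'POST')
        {
            $this->output->set_status_header(405);
            return;
        }

        // Second argument TRUE runs the framework's xss_clean on the value
        // (equivalent to $this->security->xss_clean($raw)).
        $snippet = $this->input->post('snippet', TRUE);
        // form_id (assumed field) lets the client route the reply to the
        // correct preview pane when several forms live on one page.
        $form_id = (int) $this->input->post('form_id');

        // Missing field: CI 2 returns FALSE, CI 3 returns NULL; treat both as 400.
        if ( ! is_string($snippet) OR $snippet === '')
        {
            $this->output->set_status_header(400);
            return;
        }

        // xss_clean is regex based; bound the input so a huge paste cannot
        // tie up the worker (16 KB is an assumed limit, tune for the site).
        if (strlen($snippet) > 16384)
        {
            $this->output->set_status_header(413);
            return;
        }

        // JSON body: {"form_id": 3, "html": "<p>...</p>"}
        $this->output->set_content_type('application/json');
        $this->output->set_output(json_encode(array(
            'form_id' => $form_id,
            'html'    => $snippet,
        )));
    }
}
```

xss_clean is a pattern-based filter rather than an allowlist, so the returned string is still user-controlled HTML; render it only in that user's own preview pane, and leave CodeIgniter's csrf_protection setting on so the endpoint cannot be driven by a form on another site.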
#5

[eluser]Thorpe Obazee[/eluser]
@geoffa. Nice site, but you should make the textarea for editing markup bigger.

2cents.
#6

[eluser]geoffa[/eluser]
Thanks for the feedback. I've made the textareas a little more roomy.
