XSS and Ampersands
#1

[eluser]Unknown[/eluser]
I'm having a strange problem that I think may be a bug with the XSS filter code in CI.

When I enable XSS on a _POST value containing the data:

H&LLO WORLD

The XSS filter adds a colon to the end of the word, so I get

H&LLO; WORLD

The only way to remove this behaviour is to remove the XSS checking on the _POST value.

I'm using the latest CodeIgniter with Postgres. I don't have MySQL installed, so I'm not sure if this issue is Postgres specific.

Anyone else experienced this issue?
#2

[eluser]Derek Allard[/eluser]
This is part of the security checks as it is possible for a "bad person" ™ to try to sneak in XSS code in a malformed special character.

I actually just encountered this problem in EE, and we tweaked the xss a bit. Let me see if I can find that change and see if it would apply to your situation as well.
#3

[eluser]Jon L[/eluser]
Derek, may I ask what the XSS tweak was?

I'm having a similar issue with valid content not getting through filters. I'm sure there's a valid reason to reject content based on the following characters:

Code:
<<

but what I'm doing is building a forum where users should be able to post code. I've tested with a bit of C++ code, but the double left arrow shown above triggered the XSS filter, so from that point forward it was removed from the string.


Hmmm, or I could be wrong, the double arrow could be showing a problem with the PHP code trying to process that string. I'll have to check, but regardless, I'm interested in what your XSS change is :-)

thanks!


EDIT: n/m, my assumption that it was being filtered by XSS was incorrect, turns out the double arrow is being lost elsewhere
#4

[eluser]ScottR[/eluser]
Derek, are you able to post your fix for this?

As I run a games site, a lot of people are posting C&C3 or C&C (Command and Conquer), and whenever they do the text becomes C&C; or C&C3;, with an unwanted semicolon added to the end.

Thanks, Scott!
#5

[eluser]ScottR[/eluser]
Interesting, it appears that the bug happens here in the CI forums also.

The & ampersand character should be getting replaced with & amp; (added the space so it would show in the forums).
#6

[eluser]Derek Allard[/eluser]
Scott, to follow up on this. I'm not sure that it has been solved... I can't find any fix. The input.php library is adding it around line 541. You could add in some conditionals in there to fix it, but I'm hesitant to give advice around this, as XSS prevention is an essential part of any framework. This is a classic case of security vs convenience right now, and CI never ever sacrifices security.

I'll keep looking.
#7

[eluser]ScottR[/eluser]
I looked at the EE code base and noticed it does not fix the issue either. It simply puts in a hack to prevent this issue from wrecking URLs.

My solution to this issue is to replace:

Code:
// Append ';' to anything that looks like a named or decimal entity ("&name", "&#123"),
// swallowing any whitespace/control characters between the token and the ';'
$str = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $str);
// Same for hex numeric references ("&#x41")
$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', "\\1\\2;", $str);

with:

Code:
$str = str_replace('&', '&amp;', $str); // SR: Hack to stop C&C getting converted to C&C;
// Undo the encoding where it hit an entity that was already there (e.g. &amp;gt; back to &gt;)
$str = preg_replace('#&amp;(\#?[0-9a-z]+)(\S+);#', "&\\1\\2;", $str);

I don't believe this change compromises security. What it does is replace lone ampersands with & amp; and ensure entities are not double encoded, i.e. & amp;gt; (ignore the spaces, I put them in to stop CI converting the code)
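As an added example (my own code, not CodeIgniter's, ExpressionEngine's, or anything posted in this thread), the PHP below wraps the two input.php lines quoted above in a function so their effect on the strings reported here can be seen next to a variant that only appends the semicolon when the token is a numeric reference or a name that PHP's html_entity_decode() recognises as a real entity. The function names and the sample strings are my own assumptions, not part of CI.

```php
<?php
// Added example; not CodeIgniter's own code. Reproduces the entity
// normalisation quoted in this thread and contrasts it with a version that
// only normalises tokens PHP recognises as HTML entities (names are mine).

// The two CodeIgniter lines from the thread, wrapped in a function so the
// effect can be seen on sample strings.
function ci_style_normalise(string $str): string
{
    $str = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $str);
    $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', "\\1\\2;", $str);
    return $str;
}

// Entity-aware variant: numeric references (&#60, &#x3C) and known named
// entities (&lt, &amp, &gt ...) are still forced into canonical "&...;" form,
// which is the malformed-entity case the original rule guards against, but
// "&C" in "C&C" or "&LLO" in "H&LLO WORLD" is not an entity and is left alone.
function entity_aware_normalise(string $str): string
{
    return preg_replace_callback(
        '#&(\#x?[0-9a-f]+|[a-z][a-z0-9]*)[\x00-\x20]*;?#i',
        function (array $m): string {
            $canonical = '&' . $m[1] . ';';
            if ($m[1][0] === '#') {
                return $canonical; // numeric reference: always normalise
            }
            // html_entity_decode() leaves unknown names unchanged, so a change
            // in the string tells us the name is a real entity.
            $decoded = html_entity_decode($canonical, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return ($decoded !== $canonical) ? $canonical : $m[0];
        },
        $str
    );
}

// Constructed sample inputs, based on the cases reported in the thread.
$samples = [
    'H&LLO WORLD',             // original reporter's case
    'C&C3 or C&C',             // ScottR's case
    'a &lt b &#x3C c &#60 d',  // malformed real entities: still get a ';'
    'already &amp;gt; encoded', // already-encoded text stays as it is
];

foreach ($samples as $s) {
    printf("%-26s | CI: %-26s | aware: %s\n",
        $s, ci_style_normalise($s), entity_aware_normalise($s));
}
```

Run with `php` on the command line; the first two rows show the CI regex producing "H&LLO;WORLD" and "C&C3;or C&C;" while the entity-aware version leaves them unchanged, and the third row shows both versions still canonicalising "&lt", "&#x3C" and "&#60". The design point is that the semicolon-forcing step exists to give later filter stages one canonical spelling of each entity, and that goal only needs to cover tokens that can actually decode to something; restricting it to those keeps the normalisation while removing the false positives this thread complains about.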
