Why does XSS filtering absolutely not work?
#11

[eluser]Twisted1919[/eluser]
Code:
//easy way
$str = $this->input->post('str',TRUE);
$str = strip_tags($str);
//HTML PURIFIER //You need to install the lib
$str = $this->input->post('str',TRUE);
$str = $this->purifier->purify($str);
strip_tags() may and will give unexpected results sometimes (it simply removes all the HTML tags if the second parameter is left empty), while HTML Purifier makes sure that the output will always be valid HTML. It also applies filters against XSS attacks and does it very well (I don't think there is anything else out there that cleans as HTML Purifier does, but it is not too lightweight).

However, you need to inform yourself about what XSS means (bold/italic & co. are not really a threat for making XSS possible), to have a basic understanding of how your app might be exposed.
#12

[eluser]kenjis[/eluser]
What exactly do you want to do?

If you want to see "<i>Blah blah</i>" in your browser instead of an italic "Blah blah",
all you have to do is use the htmlspecialchars() function in the view file.

e.g.,
htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
#13

[eluser]Twisted1919[/eluser]
[quote author="Kenji @ CodeIgniter Users Group in Japan" date="1286183129"]What exactly do you want to do?

If you want to see "<i>Blah blah</i>" in your browser instead of an italic "Blah blah",
all you have to do is use the htmlspecialchars() function in the view file.

e.g.,
htmlspecialchars($name, ENT_QUOTES, 'UTF-8')[/quote]
Don't teach people stupid stuff :)
#14

[eluser]sikko[/eluser]
Hmm ok, so XSS cleaning is not really what I need. What I actually need is an htmlentities/htmlspecialchars-like function. But I wanted it to be automatic.
I don't want to put a
Code:
$name = htmlspecialchars($this->input->post('name'), ENT_QUOTES, 'UTF-8');
every time I want to retrieve a POST variable, you see?

And as a good framework, I thought CodeIgniter had some features like that... Maybe I'm wrong...
#15

[eluser]Dennis Rasmussen[/eluser]
No "I don't see".
Why should we all suffer from having to enable html just because you want it disabled?
Sure the CI team could add in a parameter or a method to filter html, but so can you :)
#16

[eluser]Santiago Dimattía[/eluser]
Just extend the Input class and do whatever you want with the POST data :)

Creating Libraries > Extending Native Libraries

Code:
<?php (defined('BASEPATH')) OR exit('No direct script access allowed');

class MY_Input extends CI_Input
{
    /**
     * Fetch an item from the POST array, HTML-escaped for safe output in a view
     *
     * @access    public
     * @param    string
     * @param    bool
     * @return    string
     */
    function post($index = '', $xss_clean = FALSE)
    {
        return htmlspecialchars($this->_fetch_from_array($_POST, $index, $xss_clean), ENT_QUOTES, 'UTF-8');
    }
}

// End of file
#17

[eluser]markup2go[/eluser]
[quote author="Santiago Dimattía" date="1286236877"]Just extend the Input class and do whatever you want with the POST data :)

Creating Libraries > Extending Native Libraries

Code:
<?php (defined('BASEPATH')) OR exit('No direct script access allowed');

class MY_Input extends CI_Input
{
    /**
     * Fetch an item from the POST array, HTML-escaped for safe output in a view
     *
     * @access    public
     * @param    string
     * @param    bool
     * @return    string
     */
    function post($index = '', $xss_clean = FALSE)
    {
        return htmlspecialchars($this->_fetch_from_array($_POST, $index, $xss_clean), ENT_QUOTES, 'UTF-8');
    }
}

// End of file
[/quote]

I like this answer for some reason...
#18

[eluser]ericrjones1[/eluser]
To selectively apply the HTML cleaning, see the code below. Otherwise, you wouldn't be able to save any sort of HTML data. But maybe not saving any HTML data is what you want. :blank:
Code:
<?php (defined('BASEPATH')) OR exit('No direct script access allowed');

class MY_Input extends CI_Input
{
    /**
     * Fetch an item from the POST array, optionally HTML-escaped
     *
     * @access    public
     * @param    string
     * @param    bool    run CodeIgniter's XSS filter
     * @param    bool    apply htmlspecialchars() to the value
     * @return    string
     */
    function post($index = '', $xss_clean = FALSE, $html_clean = FALSE)
    {
        if ($html_clean) {
            return htmlspecialchars($this->_fetch_from_array($_POST, $index, $xss_clean), ENT_QUOTES, 'UTF-8');
        }

        return $this->_fetch_from_array($_POST, $index, $xss_clean);
    }
}

// End of file
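As an added stand-alone illustration (not code from this thread or from CodeIgniter), the following script runs the selective html_clean idea above without the framework: CI_Input is replaced by a hypothetical stub that only mimics _fetch_from_array(), and the POST data is a constructed sample built around the "<i>Blah blah</i>" case discussed earlier. It also shows that escaping in the view, as kenjis suggested, yields the same string as escaping on read, while leaving the raw value available for non-HTML uses.

```php
<?php
// Hypothetical stub standing in for CodeIgniter's CI_Input so this runs outside CI.
class CI_Input
{
    // Mimics _fetch_from_array(): FALSE for a missing key. The real method also
    // runs the XSS filter when $xss_clean is TRUE; that part is omitted here.
    protected function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
    {
        return isset($array[$index]) ? $array[$index] : FALSE;
    }
}

class MY_Input extends CI_Input
{
    // Third parameter selects HTML-escaping on read, as in the post above.
    public function post($index = '', $xss_clean = FALSE, $html_clean = FALSE)
    {
        $value = $this->_fetch_from_array($_POST, $index, $xss_clean);
        if ($html_clean && $value !== FALSE) {
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        return $value;
    }
}

// Escaping at output time, the alternative kenjis described for the view file.
function view_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request: tags, quotes and an ampersand, all of which
// htmlspecialchars() with ENT_QUOTES must encode so they render literally.
$_POST = array('name' => '<i>Blah "blah"</i> & co');
$input = new MY_Input();

$raw     = $input->post('name');               // kept as typed, for storage
$escaped = $input->post('name', FALSE, TRUE);  // safe to echo inside an HTML page

printf("raw:     %s\n", $raw);      // <i>Blah "blah"</i> & co
printf("escaped: %s\n", $escaped);  // &lt;i&gt;Blah &quot;blah&quot;&lt;/i&gt; &amp; co
printf("missing: %s\n", var_export($input->post('nope', FALSE, TRUE), TRUE)); // false

// Escaping the stored raw value in the view gives the same result, and the raw
// value is still available where HTML entities would be wrong (JSON, plain text).
var_dump(view_escape($raw) === $escaped);  // bool(true)
```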