Codeigniter stripping script tags

#1
[eluser]alexbet[/eluser]
Hi All,

I am going crazy here, I can't find a solution to this. I have a CMS and a field where I need to allow my client to put any kind of HTML code in it. For example, he would put a Google Ads code which contains <scr%ipt> tags to run javascript code. My problem is that those script tags get removed by xss_clean each time I submit and add the data for that field in the database.

I've tried practically everything to disable this. I disabled xss_clean in the config file, I've disabled xss_clean in my script, I ran htmlspecialchars on the input, but nothing helps. The script tags still get removed no matter if xss_clean is running or not. I am now suspecting that something else is the matter and something else is stripping the script tags.

Please HELP!!!

Thanks!
Alex

#2
[eluser]Eric Barnes[/eluser]
Make sure you are using $this->input->post('field'); and not $this->input->post('field', TRUE); TRUE as a second argument runs it through xss_clean.

#3
[eluser]alexbet[/eluser]
Thanks Eric, I guess I was tired and didn't notice that.

Now, how do I exclude only one field from being run though xss_clean? I don't want to jeopardize the security of my whole application because I need one field to not be cleaned. I know that I can turn it off globally and then enable it for each controller, but I don't think that is a very good solution.

Any other way of excluding only one field?

#4
[eluser]Anuja[/eluser]
I am also facing the same problem.

Is there any solution for this?

#5
[eluser]InsiteFX[/eluser]
Did you read the post? Eric answered the question!

InsiteFX

#6
[eluser]Anuja[/eluser]
Hello InsiteFX,

I have read this post.
I want to provide the functionality to add / edit Google Analytics code from the admin section.
But due to the xss clean some of the script tags get removed and instead of them it gives the '[removed]' word.
It works fine if we have disabled the xss clean globally and use $this->input->post('field', FALSE);
But I don't want to disable xss_clean globally.

So I want answer for can we do it excluding only one field?

Currently I have done this task by replacing the '[removed]' word with the original, as in the code.
But I am not sure whether the Google Analytics code has the same format for everyone, or whether it provides a different one each time.
Can you tell me about this also?

Thank You In Advance.

#7
[eluser]BrokenLegGuy[/eluser]
What Eric Barnes and InsiteFX are saying is you need to do something like....

Code:
$fields = array('field1', 'field2', 'field3', 'field4', 'field5');
$data = array();
foreach ($fields AS $v)
{
    // field2 and field5 are read raw; every other field is passed through xss_clean
    $data[$v] = (($v == 'field2') OR ($v == 'field5')) ? $this->input->post($v) : $this->input->post($v, TRUE);
}

or

Code:
$field1 = $this->input->post('field1', TRUE); // cleaned
$field2 = $this->input->post('field2');       // raw, xss_clean not run
$field3 = $this->input->post('field3', TRUE); // cleaned
$field4 = $this->input->post('field4', TRUE); // cleaned
$field5 = $this->input->post('field5');       // raw, xss_clean not run

in order to do what you're looking for, XSS enabled on a per-field basis.

Ed

#8
[eluser]Anuja[/eluser]
Thank You for your help,

But if I enable the xss clean globally then it doesn't matter what is in the post statement; it is always considered as true.
I mean that if I disable it in the post, it still works as if it were enabled or set to true.

What I want is for xss clean to be set to true globally and to be disabled for only one field.

Is it possible?

#9
[eluser]Atharva[/eluser]
I am afraid that's not possible. You have to disable the global settings and use it wherever needed.
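
One way to apply what Atharva and BrokenLegGuy describe, as an added example that is not code from the thread or from CodeIgniter itself: keep global_xss_filtering off and clean every POST field explicitly, except a short allowlist of raw-HTML fields. The controller name, the save() method and the 'tracking_code' field name are assumptions.

```php
<?php
// Added example (not from the thread): global XSS filtering stays disabled, as
// post #9 requires, and each POST field is cleaned explicitly instead, except for
// an allowlist of fields that must keep raw HTML/script (e.g. an analytics snippet).
// The class, method and field names below are assumptions for illustration.
class Settings extends CI_Controller {

    // Fields allowed to carry raw HTML. Keep this list short, and make sure only
    // trusted admins can reach the form that writes them, because whatever is
    // stored here will be emitted as script on the public site.
    private $raw_html_fields = array('tracking_code');

    public function save()
    {
        $data = array();
        foreach (array_keys($_POST) as $field)
        {
            if (in_array($field, $this->raw_html_fields, TRUE))
            {
                // Second argument omitted: xss_clean is NOT run on this field.
                $data[$field] = $this->input->post($field);
            }
            else
            {
                // Every other field goes through xss_clean.
                $data[$field] = $this->input->post($field, TRUE);
            }
        }

        // $data now holds cleaned values for all fields except the allowlisted
        // ones, and can be handed to the model as-is.
        return $data;
    }
}
```

Because the raw field bypasses xss_clean entirely, the protection for it is access control on the admin form rather than input filtering.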

#10
[eluser]Anuja[/eluser]
Okay.
