GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR
#11

[eluser]osci[/eluser]
Code:
style="background-image(http://sucks.com/any.png)"
and any.png is a malicious controller
could that be harmful?
#12

[eluser]Sudz[/eluser]
Hey guys, I want to implement CKEditor in CodeIgniter 2.0.2.
How can I do that?
Please help me.
#13

[eluser]hyperfire[/eluser]
Is this really a CI 2.02 bug? Just lost a whole hour trying to figure out what's wrong with the ckeditor alignment.
Disabling global XSS on config worked.
Is there a way to disable global for this specific field? Or any other workaround available?

Btw, Sudhakar@CI, implementing ckeditor on CI is a breeze. Have you checked the forum?
http://ellislab.com/forums/viewthread/127374/
Or even CI wiki?

Can anyone share some thoughts on this issue? I need to save html on this project. Disabling styles on POST is the reason why my clients are going bananas, and disabling global XSS is not an option as well.

Thanks.


Just checked another post (http://ellislab.com/forums/viewthread/191399/#903478) where bubbafoley suggested:

Code:
$config['global_xss_filtering'] = TRUE;

and then

Code:
$username = $this->input->post('username'); // filtered
$password = $this->input->post('password', FALSE); // unfiltered

But this does not work. Anyone?
#14

[eluser]xarazar[/eluser]
Hi hyperfire,
Not really a bug, but the CI guys decided that the style attribute is "evil". Perhaps it is; I'm not aware of it causing security issues, but it doesn't seem like there is a way to remove it from the list of evil attributes other than modifying one of the core functions (outlined above). I simply removed it from the evil attribute list and everything works. Has to do until a fix is available. Would be nice to have a configurable evil attribute list.
#15

[eluser]hyperfire[/eluser]
Well, as I had to move on, I have decided to disable the global xss filtering (a real PITA because all forms had to be updated, etc) and to implement the html purifier (with a gentle help of the html purifier CI lib http://codeigniter.com/wiki/htmlpurifier/) for the fields with ckeditor enabled. I feel safe now. (sort of, lol)
#16

[eluser]P.T.[/eluser]
We turned off the XSS filtering in the config file and extended the Input class. We turned on XSS filtering as default for every function in our MY_Input. So as long as we don't send a "FALSE" as second parameter in functions like $this->input->post(), the field is XSS filtered.

We also extended the Security class with our own MY_Security. When a FALSE is sent to $this->input->post(), the field still gets XSS cleaned, but only then with less options. The style tag for example ain't filtered.

This way our regular fields are filtered the normal way and our CKEditor fields are filtered, but not as thoroughly as the regular fields. Seems to work quite okay this way :)
#17

[eluser]ducuytran[/eluser]
In Security.php
"style" is considered an evil attribute (line 581). So, if you want to turn the global xss filter on and use a WYSIWYG editor, you know what to do.

I mean, inherit and customize.
#18

[eluser]Lawrence Leung[/eluser]
[quote author="hyperfire" date="1311326089"]Is this really a CI 2.02 bug? Just lost a whole hour trying to figure out what's wrong with the ckeditor alignment.
Disabling global XSS on config worked.
Is there a way to disable global for this specific field? Or any other workaround available?

Btw, Sudhakar@CI, implementing ckeditor on CI is a breeze. Have you checked the forum?
http://ellislab.com/forums/viewthread/127374/
Or even CI wiki?

Can anyone share some thoughts on this issue? I need to save html on this project. Disabling styles on POST is the reason why my clients are going bananas, and disabling global XSS is not an option as well.

Thanks.


Just checked another post (http://ellislab.com/forums/viewthread/191399/#903478) where bubbafoley suggested:

Code:
$config['global_xss_filtering'] = TRUE;

and then

Code:
$username = $this->input->post('username'); // filtered
$password = $this->input->post('password', FALSE); // unfiltered

But this does not work. Anyone?[/quote]

Yes, that doesn't work (I think it should work, otherwise the FALSE parameter is useless). So I simply removed the 'style' in system/core/security/_remove_evil_attributes
#19

[eluser]nikes[/eluser]
Please help me.
#20

[eluser]P.T.[/eluser]
When you set global_xss_filtering to TRUE, it will filter all post variables already at the start of the application, before you even had the chance to call $this->input->post(). So sending a TRUE or FALSE in this post method has no use as long as you keep global_xss_filtering on TRUE.

You can always check my solution:
http://ellislab.com/forums/viewthread/186100/#919438
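The MY_Input / MY_Security split P.T. describes in #16 and #20, written out as an added example (not P.T.'s code, which is only linked above). It assumes CI 2.0.x core names: `CI_Input::post($index, $xss_clean)`, `CI_Security::_remove_evil_attributes($str, $is_image)`, `$this->security` set by the Input constructor, and the `application/core/` override location; `xss_clean_light`, `$keep_style` and the `data-keep-style` placeholder are invented here.

```php
<?php
// application/core/MY_Security.php  (assumed CI 2.x override location)
class MY_Security extends CI_Security {

    // Only TRUE for the duration of xss_clean_light(); never during global filtering.
    public $keep_style = FALSE;

    // Lighter variant of xss_clean(): everything the stock filter does,
    // except that style="..." attributes survive.
    public function xss_clean_light($str)
    {
        $this->keep_style = TRUE;
        $out = $this->xss_clean($str);
        $this->keep_style = FALSE;
        return $out;
    }

    // Stock CI 2.x strips on*, style and xmlns here. Rather than copy the core
    // regex, temporarily rename style= so the parent does not see it, then restore it.
    function _remove_evil_attributes($str, $is_image)
    {
        if ($this->keep_style !== TRUE) {
            return parent::_remove_evil_attributes($str, $is_image);
        }
        $str = preg_replace('#(?<![A-Za-z\-])style(\s*=)#i', 'data-keep-style$1', $str);
        $str = parent::_remove_evil_attributes($str, $is_image);
        return preg_replace('#(?<![A-Za-z\-])data-keep-style(\s*=)#i', 'style$1', $str);
    }
}

// application/core/MY_Input.php  (assumed override location)
class MY_Input extends CI_Input {

    // Default flipped to TRUE: post('field') is always fully filtered.
    // post('field', FALSE) no longer returns raw input; it gets the light clean
    // meant for WYSIWYG fields. Requires global_xss_filtering = FALSE, otherwise
    // $_POST was already filtered before this method could run (see #20).
    function post($index = NULL, $xss_clean = TRUE)
    {
        $value = parent::post($index, $xss_clean);
        if ($xss_clean === FALSE && $value !== FALSE) {
            return $this->security->xss_clean_light($value);
        }
        return $value;
    }
}

// In a controller:  $body = $this->input->post('body', FALSE);  // CKEditor field, style kept
```

Keeping style only narrows what the stock filter strips and is not a CSS sanitizer, so fields that accept styled HTML still benefit from a whitelist cleaner such as the HTML Purifier library mentioned in #15.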



