GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR
#21

[eluser]nikes[/eluser]
I've got the identical problem; any fix for this?
#22

[eluser]Unknown[/eluser]
The solution to this: set

Code:
$config['global_xss_filtering'] = FALSE;

and for the inputs that need to be safe, write them like this:

Code:
$password = $this->input->post('password', TRUE); // Filtered
#23

[eluser]alanees[/eluser]
Hello :-)

I found a solution

in the file system/core/Security.php

at line 606
Code:
$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
remove 'style', so that it becomes:
Code:
$evil_attributes = array('on\w*', 'xmlns', 'formaction');

and at line 426
Code:
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
remove style| so that it becomes:
Code:
$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|script|textarea|title|video|xml|xss';

Regards :-)
#24

[eluser]Gilles_T[/eluser]
Hi everyone,

What do the CI officials and gurus think of Alanees' solution (not of the method, but of the identification of the problem)?
I am currently making the big jump from 1.7.3 to 2.1.2 for my sites. Everything (as far as I can see) seemed to be OK until I found that all styles coming out of the online editor were gone. I did not at all like to remove the XSS filtering because of scripting risks. To my knowledge the "Style" seems quite innocent from the real security standpoint (although it might generate badly formatted pages).

I would tend towards this solution in spite of it requiring a change in the core.

If this solution turns out to be satisfactory, could there be a "change_xss_naughty" function to enable the choice in the config.com?

Thank you for your precious advice, Cheers
#25

[eluser]C4iO [PyroDEV][/eluser]
Found myself with this issue on a recent project and started a quest to find the solution.

Although the accepted answer from this Stackoverflow post is old, it turned out to be a good starting point towards understanding why the CI staff could have chosen to include style in the evil attributes list.

I like to set global_xss_filtering to TRUE on my projects even if it's not a real hacker-proof measure.

So, why am I still trying to use it? Simple: it appears to me that it makes it more difficult for an attack to be successful. OK! I have to admit, setting that option to TRUE also brings difficulties to my life.

My point is that since I need to allow the style attribute because I'm using a WYSIWYG editor (CKEditor, but I tried with TinyMCE too), it seems reasonable to remove style from the evil attributes list, but I'll try to do that in the applications/core folder and modify just the _remove_evil_attributes method as follows:

In a file called MY_Security located in applications/core, I'll put no more than the following code:
Code:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Security Class
 *
 */
class MY_Security extends CI_Security {

    /*
     * Remove Evil HTML Attributes (like event handlers and style)
     *
     * It removes the evil attribute and either:
     *  - Everything up until a space
     *    For example, everything between the pipes:
     *    <a |onclick=alert('world');| class="link">
     *  - Everything inside the quotes
     *    For example, everything between the pipes:
     *    <a |onclick="alert('world');"| class="link">
     *
     * @param string $str The string to check
     * @param boolean $is_image TRUE if this is an image
     * @return string The string with the evil attributes removed
     */
    protected function _remove_evil_attributes($str, $is_image)
    {
        // All javascript event handlers (e.g. onload, onclick, onmouseover) and xmlns
        // removed STYLE attribute to allow its use by WYSIWYG editors
        $evil_attributes = array('on\w*', 'xmlns', 'formaction');

        if ($is_image === TRUE)
        {
            /*
             * Adobe Photoshop puts XML metadata into JFIF images,
             * including namespacing, so we have to allow this for images.
             */
            unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
        }

        do {
            $count = 0;
            $attribs = array();

            // find occurrences of illegal attribute strings without quotes
            preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);

            foreach ($matches as $attr)
            {
                $attribs[] = preg_quote($attr[0], '/');
            }

            // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
            preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is", $str, $matches, PREG_SET_ORDER);

            foreach ($matches as $attr)
            {
                $attribs[] = preg_quote($attr[0], '/');
            }

            // replace illegal attribute strings that are inside an html tag
            if (count($attribs) > 0)
            {
                $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count);
            }

        } while ($count);

        return $str;
    }
}

Please note that I just removed the style attribute from the $evil_attributes variable and changed the comment accordingly.

I know that's the best solution, but it solves the issue until I find something better.
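A stricter way to get the effect the posts above are after, added here as an example that is not from this thread and not CodeIgniter's own code: keep the style attribute through xss_clean(), but allow only a whitelist of CSS properties with plain values inside it. The extra check matters because style was never entirely harmless: older Internet Explorer executed script from expression() and behavior:url() inside a style attribute, and url() values let the stored content fetch arbitrary URLs. In CI 2.x, xss_clean() already replaces strings such as expression( and javascript: wherever they occur, so the whitelist is a second layer on top of that rather than a replacement for it. Instead of copying _remove_evil_attributes(), the override renames style= to a placeholder attribute, calls the parent xss_clean(), and restores only the declarations that pass the whitelist. The class name StyleAttributeKeeper, the placeholder name data-keep-css and the property list are this example's own choices; it assumes CodeIgniter 2.x, where CI_Security::xss_clean() is public and a MY_ class in application/core overrides the core class.

```php
<?php
// Added example, not the poster's code and not CodeIgniter's own: keep the
// style attribute through xss_clean() while restricting what it may contain.
// Assumes CodeIgniter 2.x (public CI_Security::xss_clean(), MY_ override in
// application/core). StyleAttributeKeeper, the placeholder attribute name and
// the property whitelist are this example's own choices, not a CI API.

class StyleAttributeKeeper
{
    // Attribute name the parent filter ignores: it contains none of the
    // substrings in CI's evil-attribute list (on, style, xmlns, formaction).
    const PLACEHOLDER = 'data-keep-css';

    // Properties a WYSIWYG editor typically emits. Anything else is dropped.
    public static $allowed = array(
        'color', 'background-color', 'font-family', 'font-size', 'font-weight',
        'font-style', 'text-align', 'text-decoration', 'line-height',
        'width', 'height', 'margin', 'margin-left', 'margin-right',
        'padding', 'border', 'border-collapse', 'vertical-align',
    );

    // Step 1: rename style= so CI_Security does not strip it. The lookbehind
    // keeps "data-style=" or "mystyle=" from being renamed as well.
    public static function hide($html)
    {
        return preg_replace('/(?<![\w-])style(\s*=)/i', self::PLACEHOLDER . '$1', $html);
    }

    // Step 2: after the parent filter, turn every placeholder back into a
    // whitelisted style="..." or drop the attribute when nothing survives.
    public static function restore($html)
    {
        $pattern = '/\s*(?<![\w-])' . preg_quote(self::PLACEHOLDER, '/')
                 . '\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))/i';
        return preg_replace_callback($pattern, array(__CLASS__, 'rebuild'), $html);
    }

    public static function rebuild($m)
    {
        $raw = '';
        for ($i = 1; $i <= 3; $i++) {            // whichever quoting form matched
            if (isset($m[$i]) && $m[$i] !== '') { $raw = $m[$i]; break; }
        }
        $clean = self::sanitizeDeclarations($raw);
        return $clean === '' ? '' : ' style="' . htmlspecialchars($clean, ENT_QUOTES) . '"';
    }

    // Keep "property: value" pairs whose property is whitelisted and whose
    // value uses only plain CSS characters. The character class has no "(",
    // "\", "/", ":" or "@", so url(), expression(), behavior:url(), CSS
    // escapes, javascript: and @import cannot appear in the result.
    public static function sanitizeDeclarations($css)
    {
        $kept = array();
        foreach (explode(';', $css) as $declaration) {
            $parts = explode(':', $declaration, 2);
            if (count($parts) !== 2) continue;
            $property = strtolower(trim($parts[0]));
            $value    = trim($parts[1]);
            if ( ! in_array($property, self::$allowed, TRUE)) continue;
            if ($value === '' || ! preg_match('/^[a-z0-9#%.,\s-]+$/i', $value)) continue;
            $kept[] = $property . ': ' . $value;
        }
        return implode('; ', $kept);
    }
}

// Drop-in alternative to the MY_Security above: wrap the parent's xss_clean()
// instead of copying _remove_evil_attributes().
if (class_exists('CI_Security')) {
    class MY_Security extends CI_Security
    {
        public function xss_clean($str, $is_image = FALSE)
        {
            if (is_array($str)) {
                foreach ($str as $key => $value) {
                    $str[$key] = $this->xss_clean($value, $is_image);
                }
                return $str;
            }
            if ($is_image === TRUE) {
                return parent::xss_clean($str, TRUE);   // the image check returns a boolean
            }
            $str = parent::xss_clean(StyleAttributeKeeper::hide($str), FALSE);
            return StyleAttributeKeeper::restore($str);
        }
    }
}

// Stand-alone run of the whitelist alone (no CodeIgniter loaded): a constructed
// editor fragment with one legitimate and two hostile declarations.
if (PHP_SAPI === 'cli' && ! class_exists('CI_Security')) {
    $sample = '<p style="color: #c00; width: expression(alert(1)); '
            . 'background: url(javascript:alert(1))">hello</p>';
    echo StyleAttributeKeeper::restore(StyleAttributeKeeper::hide($sample)), PHP_EOL;
}
```

Run the file by itself on the command line to see the whitelist applied to the constructed sample (the parent filter is not involved in that run). Inside an application, save it as application/core/MY_Security.php with the usual BASEPATH guard at the top; the global filter and every $this->input->post('field', TRUE) call then go through this override. Editor output that uses properties outside the list loses those declarations rather than the whole attribute, so extend $allowed deliberately, one property at a time, instead of reopening the attribute to arbitrary CSS.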
