XSS clean...
#1

[eluser]William Rufino[/eluser]
Hello everyone,

I'm doing some tests on my new software, and now I'm testing its security!

I'm using CI's default XSS filter, and I found an XSS attack that is passing...

';alert(String.fromCharCode(88,83,83)Wink//\';alert(String.fromCharCode(88,83,83)Wink//";alert(String.fromCharCode(88,83,83)Wink//\";alert(String.fromCharCode(88,83,83)Wink//-->[removed]">'>[removed]alert(String.fromCharCode(88,83,83)Wink[removed]

If we use that, it gets through CI's xss_clean. Does anybody have an idea on how to fix that?
#2

[eluser]Greg Aker[/eluser]
Hi William,

Can you please email me your test on how it gets past to [email protected]? This way, the CodeIgniter team can have a look.

Thanks,

-greg
#3

[eluser]William Rufino[/eluser]
Alright! I'm gonna send it.

although you can see what's happening here:
http://img94.imageshack.us/f/xsscodeigniter.png/
#4

[eluser]Twisted1919[/eluser]
You are wrong, it is not passing the xss filter.
#5

[eluser]William Rufino[/eluser]
But should it behave like that on the input?
#6

[eluser]Twisted1919[/eluser]
Well, believe it or not, it's kind of your fault that you see that.
The rule is like this:
When a user submits the form, you do an xss_clean on the $_POST; this will make sure that malicious data cannot pass (CI's XSS filter is the best filter I ever worked with; better than this is only HTML Purifier).
Then, if you have in mind to echo the values of $_POST back to the user, you should htmlspecialchars ( http://php.net/htmlspecialchars ) your output; this way you will avoid a broken layout.

If I remember correctly, in CI's form validation helper there is a set_value() function that will populate the input as it should, so doing an echo set_value('content') will check $_POST['content'] and clean it for output.
However, for $_GET there is nothing, so you'd better create a function for yourself and use it for both cases.

Another thing: if you don't allow HTML in the input field, using strip_tags is more effective than xss_clean, as it really strips every HTML tag so you won't get XSS vectors injected, and it is faster than the xss_clean() method.
#7

[eluser]William Rufino[/eluser]
I'm using CI's input class..
Code:
<h1>Welcome to CodeIgniter!</h1>
<!-- $var is echoed into the attribute and the body without output escaping -->
<form action="<?php echo base_url() ?>" method="get">
<input type="text" name="var" value="<?php echo $var ?>" /> <button type="submit">Submit</button>
</form>
<p><?php echo $var ?></p>
<p><br />Page rendered in {elapsed_time} seconds</p>
Code:
public function index()
{
    // second argument TRUE runs xss_clean on the GET value
    $data['var'] = $this->input->get('var', TRUE);
    $this->load->view('welcome_message', $data);
}

And since I'm using UTF-8, I don't think I'm supposed to use htmlentities, although I agree with you that it would do it..
#8

[eluser]Twisted1919[/eluser]
[quote author="William Rufino" date="1303779040"]
And since I'm using UTF8 i don't think I'm supposed to use htmlentities[/quote]
I wouldn't rely on this :)
#9

[eluser]InsiteFX[/eluser]
See string $charset? Set it to UTF8! And as twisted stated, you should use htmlspecialchars.
Code:
string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT [, string $charset [, bool $double_encode = true ]]] )

InsiteFX
#10

[eluser]kenjis[/eluser]
That's it. You don't need to use XSS clean.

Code:
<h1>Welcome to CodeIgniter!</h1>
<form action="<?php echo base_url() ?>" method="get">
<input type="text" name="var" value="<?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?>" /> <button type="submit">Submit</button>
</form>
<p><?php echo htmlspecialchars($var, ENT_QUOTES, 'UTF-8') ?></p>
<p><br />Page rendered in {elapsed_time} seconds</p>
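As an added example (not code from the thread or from CodeIgniter), here is the single output-escaping function Twisted1919 suggests writing for both $_GET and $_POST, applied to the thread's form, with a check on a constructed value showing that the raw echo lets a quote close the value attribute while the escaped echo does not. The e() helper, renderForm() and the sample value are assumptions of this example.

```php
<?php
// Added example, not from the thread or from CodeIgniter.
// One escaping helper for every value echoed back into HTML, whatever its source.
function e($value)
{
    // ENT_QUOTES escapes both ' and ", so the value cannot close an attribute
    // quoted either way; UTF-8 matches the page charset.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Render the thread's form with one input value; $escape toggles the fix.
function renderForm($var, $escape)
{
    $out = $escape ? e($var) : $var;
    return '<form action="/" method="get">' . "\n"
         . '<input type="text" name="var" value="' . $out . '" />' . "\n"
         . '</form>' . "\n"
         . '<p>' . $out . '</p>' . "\n";
}

// Does the rendered HTML still contain exactly the one attribute we wrote?
function attributeIntact($html)
{
    // A stray data-x attribute means the value broke out of value="...".
    return strpos($html, ' data-x="') === false;
}

// Constructed test value: a double quote that would end the value
// attribute, followed by a harmless marker attribute.
$var = '" data-x="1';

$raw  = renderForm($var, false);
$safe = renderForm($var, true);

// Unescaped: the quote ends the attribute and a new attribute appears.
var_dump(attributeIntact($raw));   // bool(false)
// Escaped: the quote becomes &quot; and the value stays inside the attribute.
var_dump(attributeIntact($safe));  // bool(true)
echo $safe;
```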