XSS clean...
[eluser]William Rufino[/eluser]
Hello everyone, I'm doing some tests on my new software, and now I'm testing its security! I'm using CI's default XSS filter, and I found an XSS attack that is passing... ';alert(String.fromCharCode(88,83,83)//\';alert(String.fromCharCode(88,83,83)//";alert(String.fromCharCode(88,83,83)//\";alert(String.fromCharCode(88,83,83)//-->[removed]">'>[removed]alert(String.fromCharCode(88,83,83)[removed] If we use that, it gets through CI's xss_clean. Does anybody have an idea on how to fix that?
[eluser]Greg Aker[/eluser]
Hi William, can you please email me your test on how it gets past to [email protected]? This way, the CodeIgniter team can have a look. Thanks, -greg
[eluser]William Rufino[/eluser]
Alright! I'm gonna send it, although you can see what's happening here: http://img94.imageshack.us/f/xsscodeigniter.png/
[eluser]Twisted1919[/eluser]
You are wrong, it is not passing the XSS filter.
[eluser]William Rufino[/eluser]
But should it behave like that on the input?
[eluser]Twisted1919[/eluser]
Well, believe it or not, it's kind of your fault that you see that. The rule is this: when a user submits the form, you do an xss_clean on the $_POST; this will make sure that malicious data cannot pass (CI's XSS filter is the best filter I ever worked with; better than this is only HTML Purifier). Then, if you have in mind to echo the values of the $_POST back to the user, you should htmlspecialchars( http://php.net/htmlspecialchars ) your output; this way you will avoid a broken layout. If I remember correctly, in CI's form validation helper there is a set_value() function that will populate the input as it should, so doing an echo set_value('content') will check $_POST['content'] and clean it for output. However, for $_GET there is nothing, so you'd better create a function for yourself and use it for both cases. Another thing: if you don't allow HTML in the input field, using strip_tags is more effective than xss_clean, as it really strips every HTML tag so you won't get XSS vectors injected, and it is faster than the xss_clean() method.
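The output-encoding side of the advice above, as an added example (not code from this thread or from CodeIgniter): the helper names h(), plain_text() and repopulate() and the sample value are assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Assumptions: the helper names h(), plain_text() and repopulate(), and
// the sample value, are constructed for this example.

/**
 * Escape a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both ' and " so the value cannot end a
 * value='...' or value="..." attribute early; the charset is passed
 * explicitly so a UTF-8 page does not depend on PHP's default.
 */
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/**
 * For fields that must not contain HTML at all: remove tags first,
 * then escape whatever text remains (strip_tags alone does not
 * neutralise quotes inside an attribute).
 */
function plain_text($value)
{
    return h(strip_tags((string) $value));
}

/**
 * Like CI's set_value(), but also reads $_GET, which set_value()
 * does not cover, so one helper serves both cases.
 */
function repopulate($field, $default = '')
{
    if (isset($_POST[$field])) {
        return h($_POST[$field]);
    }
    if (isset($_GET[$field])) {
        return h($_GET[$field]);
    }
    return h($default);
}

// Constructed sample containing both quote styles and a tag.
$_POST['content'] = 'O\'Reilly said "hi" <b>there</b>';

// Rendered into the form, the value stays inside the attribute as text.
echo '<input type="text" name="content" value="' . repopulate('content') . '">', "\n";
echo '<p>' . plain_text($_POST['content']) . '</p>', "\n";
```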
[eluser]William Rufino[/eluser]
I'm using CI's input class.. Code: <h1>Welcome to CodeIgniter!</h1> Code: public function index() And since I'm using UTF-8 I don't think I'm supposed to use htmlentities, although I agree with you that it would do it..
[eluser]Twisted1919[/eluser]
[quote author="William Rufino" date="1303779040"] And since I'm using UTF8 i don't think I'm supposed to use htmlentities[/quote] I wouldn't rely on this.
[eluser]InsiteFX[/eluser]
See string $charset? Set it to UTF-8! And as Twisted stated, you should use htmlspecialchars. Code: string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT [, string $charset [, bool $double_encode = true ]]] ) InsiteFX
[eluser]kenjis[/eluser]
That's it. You don't need to use XSS clean. Code: <h1>Welcome to CodeIgniter!</h1>