CodeIgniter and XSS protection

#21
[eluser]kenjis[/eluser]
I requested a helper function for htmlspecialchars() in UserVoice.

http://codeigniter.uservoice.com/forums/...?ref=title

#22
[eluser]theshiftexchange[/eluser]
Reviving this thread - because it seems to be the best XSS thread I can find

In regards to XSS security, the consensus from a couple of places (like numerous posts on StackOverflow and OWASP) is to filter all user submitted data on OUTPUT for XSS attacks, not INPUT.

Currently Codeigniter filters INPUT for XSS cleaning.

Therefore - I was thinking 1 of 2 general ideas as a better solution for CI

1. Have MY_Model, which activates a _callback on all selected user data models that have user data entered (i.e. not my static tables, just the ones that contain user submitted data), and run htmlspecialchars() on all values returned automatically.

OR

2. Have the Template/View controller (or a hook) run all $data vars submitted to the view via htmlspecialchars()

Using one of the two choices above, you should automatically remove the chance of XSS attacks. The benefit of number 1 is you can turn off htmlspecialchars() for any special times you need to show the raw data, but the problem is this will also affect times when you want to work on the data, but don't necessarily want to display it.

Number 2 ensures you can work on the data without issue, and only alters it when it is displayed - but you will also htmlspecialchars() other variables that might not be user submitted data.


Anyone have any thoughts on either of these approaches? Obviously they are going to be dependent on the specific application you run, and your requirements, but can you see an issue with either?

#23
[eluser]theshiftexchange[/eluser]
Well - this is my global solution to XSS attacks. Firstly - I do not do ANY XSS cleaning on the inputs.

I run a hook on the _output - which cleans all my "view_data" (which is the variable I use to send data to the views).

I can toggle if I don't want the XSS Clean to run by inserting a "$view_data['clean_output'] = false" in my controller, which the hook checks:

Code:
if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))
{
    // Escape every string in the list, including strings inside nested arrays
    // (htmlspecialchars() itself rejects arrays). ENT_QUOTES also escapes
    // single quotes, so values are safe inside attributes, not just text nodes.
    array_walk_recursive($this->CI->view_data, function (&$value) {
        if (is_string($value)) {
            $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    });
}


In my case - I also have a "jquery_validation" string that must not be parsed, but the rest needs to be. My simple hack was:

Code:
// Firstly - check if we want to clean our output - do that first before doing anything else
if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))
{
    // Escape every string in the list, including strings inside nested arrays,
    // except for jquery_validation - so copy that and reinsert it afterwards.
    // Fall back to null when the key is absent so no undefined-index notice is raised.
    $page_rules = isset($this->CI->view_data['jquery_validation'])
        ? $this->CI->view_data['jquery_validation'] : null;
    array_walk_recursive($this->CI->view_data, function (&$value) {
        if (is_string($value)) {
            $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    });
    if ($page_rules !== null) {
        $this->CI->view_data['jquery_validation'] = $page_rules;
    }
}


Seems to be working well.
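The escape-on-output approach from posts #22 and #23 as a stand-alone script, so it can be run outside CodeIgniter. This is an added example, not the poster's hook: clean_view_data(), the $raw_keys parameter and the sample values are assumptions, and a plain array stands in for $this->CI->view_data.

```php
<?php
// Added example: recursive output escaping with a per-request off switch
// ('clean_output' => false) and an allow-list of keys that must reach the
// view verbatim, such as the jquery_validation rule string from post #23.

function clean_view_data(array $view_data, array $raw_keys = []): array
{
    if (isset($view_data['clean_output']) && $view_data['clean_output'] === false) {
        return $view_data; // controller asked for raw output on this request
    }
    foreach ($view_data as $key => $value) {
        if (in_array($key, $raw_keys, true)) {
            continue; // caller vouches for this value; it is not user data
        }
        if (is_array($value)) {
            // array_map("htmlspecialchars", ...) would choke here: recurse instead
            $view_data[$key] = clean_view_data($value, $raw_keys);
        } elseif (is_string($value)) {
            // ENT_QUOTES also escapes single quotes, so the result is safe
            // inside single-quoted attributes, not only inside text nodes.
            $view_data[$key] = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
    return $view_data;
}

// Constructed sample view data: a hostile value in text context, one aimed
// at an attribute context, a nested array, and a JS rule string kept raw.
$view_data = [
    'title'             => '<script>alert(1)</script>',
    'profile_url'       => "' onmouseover='alert(1)",
    'comments'          => [['body' => '<img src=x onerror=alert(1)>']],
    'jquery_validation' => 'rules: { email: { required: true } }',
];

$clean = clean_view_data($view_data, ['jquery_validation']);
var_dump($clean);
```

The trade-off raised in post #22 still applies: a non-user value such as a URL in $view_data is escaped too, so anything that must render unescaped has to be named in $raw_keys deliberately.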

