Global XSS filtering bypass

#1
[eluser]Anestetikas[/eluser]
Hi,
I use the global xss filtering for my codeigniter projects, but for one particular textarea I need to use a rich text editor. So could somebody explain to me how I can bypass global filtering for only one field.

I have found some topics on this subject, but all of those were suggesting to alter system files, which is not what I want to do.

#2
[eluser]zechdc[/eluser]
Check out my post on stackoverflow: http://stackoverflow.com/questions/38997...9#11525519

I posted content below, but it won't be the most up-to-date. I like updating it better on stackoverflow.



The global XSS Filtering is only escaping (or converting) certain "dangerous" html tags like `<html>`

Simple Workaround:
====

1. Set `$config['global_xss_filtering'] = TRUE;`
2. Run your POST data through HTMLPurifier to remove any nasty `<script>` tags or javascript.
   - [HTMLPurifier Docs][1]
   - [HTMLPurifier Codeigniter Integration][2]
3. On the page where you receive the form's `POST` data use `html_entity_decode()` to undo what XSS filtering did.

   ```php
   // by decoding first, we remove everything that XSS filter did
   // then we encode all characters equally.
   $content = html_entity_decode($this->input->post('template_content'));
   ```

4. Then immediately run it through `htmlentities()`

   ```php
   $content = htmlentities($content);
   ```

5. Store as a `Blob` in MySQL database
6. When you want to display the information to the user for editing run `html_entity_decode()`

This is how I did it. If anyone knows of a major flaw in what I did, please tell me. It seems to be working fine for me. Haven't had any unexpected errors.


[1]: http://htmlpurifier.org/docs
[2]: https://github.com/refringe/codeigniter-htmlpurifier
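The decode, purify, encode, store, decode round trip from the post above, written out as a stand-alone PHP script so it can be run outside CodeIgniter. This is an added example, not zechdc's code or CodeIgniter's: `$this->input->post()` is replaced by a constructed sample string, the HTMLPurifier step assumes the library is installed through Composer (`vendor/autoload.php`) and falls back to `strip_tags()` if it is not, and the `HTML.Allowed` list is an assumption to be adjusted per site. The checks at the end are the ones a practitioner would want before trusting the pipeline: the stored form must contain no raw angle brackets, and the editor form must contain no script tags or event handler attributes.

```php
<?php
// Added example (not from the forum post): entity round trip around HTMLPurifier.
declare(strict_types=1);

$autoload = __DIR__ . '/vendor/autoload.php';   // assumed Composer install of ezyang/htmlpurifier
if (is_file($autoload)) {
    require $autoload;
}

// Constructed stand-in for textarea content that arrived entity-escaped, with one
// <script> tag already rewritten to [removed] the way xss_clean() does it.
$filteredPost = '&lt;p&gt;Hello &amp; welcome&lt;/p&gt;'
    . '[removed]alert(1)[removed]'
    . '&lt;img src=x onerror=alert(1)&gt;'
    . '&lt;a href=&quot;javascript:alert(1)&quot;&gt;link&lt;/a&gt;';

function sanitizeForStorage(string $filtered): string
{
    // Step 3 of the post: reverse the entity conversion so the purifier sees real HTML.
    $decoded = html_entity_decode($filtered, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2 of the post: allow-list the markup. This is the step that provides the
    // safety; the entity round trip only normalises encoding.
    if (class_exists('HTMLPurifier')) {
        $config = HTMLPurifier_Config::createDefault();
        // Assumed allow-list; tighten or widen per site.
        $config->set('HTML.Allowed', 'p,b,i,strong,em,a[href],ul,ol,li,br');
        $purifier = new HTMLPurifier($config);
        $clean = $purifier->purify($decoded);
    } else {
        // Library missing: refuse all markup rather than store it unpurified.
        fwrite(STDERR, "HTMLPurifier not installed; stripping all tags instead\n");
        $clean = strip_tags($decoded);
    }

    // Step 4 of the post: encode every character uniformly before storage.
    return htmlentities($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function decodeForEditor(string $stored): string
{
    // Step 6 of the post: hand the rich text editor real HTML again.
    return html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

$stored    = sanitizeForStorage($filteredPost);   // what goes into the BLOB column
$forEditor = decodeForEditor($stored);            // what the editor receives

check(strpos($stored, '<') === false,            'stored value contains no raw "<"');
check(stripos($forEditor, '<script') === false,  'editor value contains no <script>');
check(stripos($forEditor, 'onerror') === false,  'editor value contains no onerror handler');
check(stripos($forEditor, 'javascript:') === false, 'editor value contains no javascript: URL');
check(strpos($forEditor, 'Hello & welcome') !== false, 'benign text survived the round trip');

echo "stored:     $stored\n";
echo "for editor: $forEditor\n";
```

Two points worth knowing when running this. First, `html_entity_decode()` only reverses entity conversions; the parts of `xss_clean()` that delete or rewrite content (the `[removed]` markers, stripped attributes) are not reversible, so the decode step recovers escaped markup but not removed markup. Second, the stored value is only as safe as the purifier's allow-list, because step 6 puts the decoded HTML straight into the page for the editor; if the `HTMLPurifier` class is absent the fallback strips all tags, which keeps the script honest but defeats the purpose of a rich text editor, so treat the warning on stderr as a hard failure in a real deployment.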

