XSS Filter messing with MD5 values
#1

[eluser]jaydisc[/eluser]
I decided that it would be wiser to turn on the global_xss_filtering, but unfortunately, about 1% of my users had password mismatch issues. I tracked it down to the fact that some md5's were being generated differently when the XSS filter was on.

Here is my test controller code:

Code:
function testing()
{
  $data['version'] = CI_VERSION;
  $data['testing'] = $this->input->post('testing');
  $data['testing_xss'] = $this->input->post('testing', TRUE);
  $data['md5_testing'] = md5($this->input->post('testing'));
  $data['md5_testing_xss'] = md5($this->input->post('testing', TRUE));
  $this->load->view('testing', $data);
}

And here is my test view code:

Code:
<?php
echo form_open('welcome/testing');
echo '<p>' . $version . '</p>';
echo 'Testing: ' . form_input('testing', set_value('testing'));
echo form_submit('submit','Submit');
echo form_close();

if ($testing)
{
echo "Testing: " . $testing . '<br>';
echo "Testing XSS: " . $testing_xss . '<br>';
echo "MD5 Testing: " . $md5_testing . '<br>';
echo "MD5 Testing XSS: " . $md5_testing_xss . '<br>';
}
?>

One of the combinations that seems to cause the issue is if the value has "&sq;" in it. For example here is the output of a page with that value submitted:

Quote:1.7.2

Testing:
Testing: &sq;
Testing XSS: &sq;
MD5 Testing: af6c44d3d1bb087f014d1bcb5916f6a4
MD5 Testing XSS: 3247fc1749af230a49e4d19cda68c6fa

Now, if I run &sq; through md5 in my command line, I get the value that matches when the XSS filter is off: af6c44d3d1bb087f014d1bcb5916f6a4

Is this a bug? What exactly is the XSS filter turning my text into that md5() is generating a different hash for it?
#2

[eluser]skunkbad[/eluser]
It's probably turning the ampersand in "&sq;" into
Code:
&amp;
, so it's probably looking like this
Code:
&amp;sq;
. Check your source and see.

Global XSS filtering is a waste of resources. xss_clean is a pretty heavy function, and it will get called every time you post. Even values that are already being validated as int, float, etc. will get passed through xss_clean. You don't need that.
#3

[eluser]jaydisc[/eluser]
Weirdly, it's turning "&sq;" into "&sq;". Here is the output wrapped in <pre>:

Quote:Testing:
Testing: &sq;
Testing XSS: &sq;
MD5 Testing: af6c44d3d1bb087f014d1bcb5916f6a4
MD5 Testing XSS: 3247fc1749af230a49e4d19cda68c6fa

So, if I don't use global filtering, in what situations should I apply filtering?

UPDATE:

Actually, it looks like the forum here is applying the filter and mangling the code (even my original post got mangled). Basically, I'm not entering a semi-colon after the sq, but the XSS filter is adding one. Here is an image of what it actually looks like: http://cl.ly/K1GK. Is that a bug?
#4

[eluser]Aken[/eluser]
I would advise not running XSS filtering on passwords. Passwords should be exactly what the user enters. And as long as you are changing its value (MD5 in your case) before saving it to the database, you shouldn't need to worry about any SQL injection.

I would advise using a much better password hashing solution, though. MD5 is not secure. Use it to test and learn, but for production websites, you should find better (such as PHPass / bcrypt / blowfish).

The new semicolon could be a bug, though. Maybe a regular expression that is not specific enough. If you know how to create an issue on Github, you should mention this on the CodeIgniter Github repo so it receives more attention.

Also, if the 1.7.2 in your quote is the version of CodeIgniter you're using, upgrading to the latest stable release is definitely encouraged.
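As an added example (not code from this thread and not CodeIgniter's own xss_clean), the plain PHP below reproduces the effect being discussed with a small stand-in for the filter's entity normalisation, modelled only on what the thread reports (a missing semicolon gets appended to something that looks like an HTML entity), and then shows the two fixes Aken recommends: hash the unfiltered value, and use password_hash()/password_verify() instead of md5(). The function names entity_normalise_stand_in, demo_mismatch, register and login are hypothetical; in CodeIgniter the raw value would come from $this->input->post('password') with the XSS argument left off, exactly as the controller in post #1 does for its first md5().

```php
<?php
// Added example; not part of the thread and not CodeIgniter's xss_clean.

// Simplified stand-in for the behaviour reported in the thread: an
// entity-like token (&name or &#123) without a trailing ';' gets one
// appended. Real filters do much more; this is only enough to show why
// hashing a filtered value breaks password checks.
function entity_normalise_stand_in(string $s): string
{
    // Negative lookahead on [0-9a-z;] keeps the match from stopping
    // early inside a token (so '&sq;' stays '&sq;', '&sq' becomes '&sq;').
    return preg_replace('/(&#?[0-9a-z]{2,})(?![0-9a-z;])/i', '$1;', $s);
}

// Show what happens when the filtered value, rather than the raw one,
// is fed to md5(): the stored hash no longer matches the user's input.
function demo_mismatch(string $password): array
{
    $filtered = entity_normalise_stand_in($password);
    return [
        'raw'          => $password,
        'filtered'     => $filtered,
        'md5_raw'      => md5($password),
        'md5_filtered' => md5($filtered),
        'mismatch'     => md5($password) !== md5($filtered),
    ];
}

// Fix 1: never run the XSS filter over the password field; take it raw.
// Fix 2: store a salted, adaptive hash instead of a bare md5().
// password_hash() with PASSWORD_BCRYPT is bcrypt, one of the options
// Aken names above. Hypothetical helper names.
function register(string $rawPassword): string
{
    return password_hash($rawPassword, PASSWORD_BCRYPT);
}

function login(string $rawPassword, string $storedHash): bool
{
    return password_verify($rawPassword, $storedHash);
}

// Constructed sample input: the token from the thread, without semicolon.
$r = demo_mismatch('&sq');
printf("raw:          %s\nfiltered:     %s\n", $r['raw'], $r['filtered']);
printf("md5 raw:      %s\nmd5 filtered: %s\n", $r['md5_raw'], $r['md5_filtered']);
printf("hashes differ: %s\n", $r['mismatch'] ? 'yes' : 'no');

// Round trip with the raw value and a proper password hash.
$stored = register('&sq');
printf("login with raw value:      %s\n", login('&sq', $stored) ? 'ok' : 'FAIL');
printf("login with filtered value: %s\n", login(entity_normalise_stand_in('&sq'), $stored) ? 'ok' : 'FAIL');
```

The point the output makes is that the filter changes the bytes before they reach the hash, so anything hashed from the filtered value will not verify against what the user types. Reading the password raw removes the mismatch; switching to password_hash() removes the weak hash, and since the value is hashed before it touches the database, the XSS filter adds nothing there.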
#5

[eluser]jaydisc[/eluser]
I've upgraded to 1.7.3 and this (bug?) still occurs. My personal code and app issues have been resolved, so my only remaining goal is notifying the powers that be. I'm not familiar with use of Github.
#6

[eluser]Aken[/eluser]
1.7.3 is a non-supported old version of CI. You should upgrade to the newest version if you can. Or, as I recommended, avoid using xss_clean on the password field in the first place.
#7

[eluser]jaydisc[/eluser]
I think we're having a slight disconnect here. I don't need help with my app (but I thank you). Rather, I'm just offering up the possibility that this might be a bug, which I thought this section of the forums was for? If no one cares about bugs in 1.7.3, please ignore this. If someone does care, and/or has access to and wants to see if this bug exists in the current version, I've presented a simple test for doing so.