HTML code in a textarea
#1

[eluser]Salvador P.[/eluser]
Hello

I've been trying to deal with this problem for a while, but I can't! hehehe

I've got a form with a textarea, this text area must contain html code, like
Code:
<div style="text-align: right;">
some text
<td style="padding: 20px;">
  <p style="font-family: Arial, Helvetica, sans-serif; font-size: 8px; line-height: 10px; color: #500; text-align:right;">
  more text
....

At this point there is no problem, just a form with a textarea where the user puts that code (the user knows what he or she is typing and won't type something incorrect).

When the form is submitted I get these values (using var_dump($this->input->post()); ) at the beginning of the function which gets the form data:

Code:
<div  text-align: right;">
some text
<td padding: 20px;">
  <p font-family: Arial, Helvetica, sans-serif; font-size: 8px; line-height: 10px; color: #500; text-align:right;">
  more text
....

All the style=" tags/words are gone!!

I don't know why this is happening. Something is escaping those words/tags, but they are required because we are using that HTML input in other views, so we need to get the raw HTML input.

I have tried several things:
- XSS filtering disabled and enabled and same results.
- Tried to modify the post function in system/core/Input and show the data before it processes it; it showed the same results, style=" tags gone.
- Different browsers
- Other things I don't remember...

Somebody knows what is happening?

Thanks!

EDIT: When I submitted this post, happened exactly the same thing!! All style tags are gone!

#2

[eluser]Aken[/eluser]
Do you have global XSS filtering enabled in your config file?
#3

[eluser]Salvador P.[/eluser]
Yes it's enabled.
#4

[eluser]Unknown[/eluser]
What about the native PHP array $_POST? And try to disable most of the security options.
#5

[eluser]Salvador P.[/eluser]
Thanks for your replies Aken and freeman204!

Tried with $_POST: same result if XSS filtering is enabled.

Now I have tried with XSS_filtering disabled, and cleared all caches, and there they are!! We've got back the style tags!

So XSS_filtering is getting rid of the style tags... but we need the XSS_filtering enabled.

Searching for a solution, I found this:
We can use $this->input->post('some_name', TRUE); to enable XSS_filtering in each field of the form, with the global xss filtering disabled.

After some tests:
With config.php $config['global_xss_filtering'] = TRUE;
Code:
$this->input->post('some_name');
$this->input->post('some_name', FALSE);
Both give the same result: style tags gone.

With config.php $config['global_xss_filtering'] = FALSE;
Code:
$this->input->post('some_name', TRUE); // Wrong result
$this->input->post('some_name'); //Good result

Got the right result, with global xss filtering false.

----

We need the $config['global_xss_filtering'] = TRUE; for security reasons.

Is there a way we can disable global_xss_filtering only for that controller, so we can get the correct input from the textarea and keep the XSS filtering in all the rest of the application?

Thanks!



#6

[eluser]Salvador P.[/eluser]
Tried to put this at the beginning of the function which gets the textarea data, and in the constructor of the controller:
The config.php has global_xss_filtering to TRUE.

Code:
$this->config->set_item('global_xss_filtering', FALSE);

And it doesn't work: the inputs are still escaped and the style=" tags are gone.

EDIT.
Some moderator or admin, can change the title of the post to:
HTML code in a textarea (XSS filtering escapes inline tags like style = " )

The forum doesn't let me change the title of the post.

Thanks!
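The set_item() attempt above fails because, in CodeIgniter 2.x, CI_Input's constructor already applied xss_clean() to $_POST (via _sanitize_globals()) before any controller was constructed, so by the time the controller changes the config item the raw values are gone. The per-field route from post #5 is the one that works: keep global_xss_filtering FALSE and let the controller filter every field except the ones that are allowed to carry HTML. The controller below is an added example written for this thread, not code from the original posts or from CodeIgniter; the controller name, the field name html_body and the table name are assumptions.

```php
<?php
// application/controllers/pages.php  (hypothetical controller; CodeIgniter 2.1.x assumed)
//
// Requires $config['global_xss_filtering'] = FALSE in application/config/config.php.
// With it FALSE nothing touches $_POST before the controller runs, so the
// controller decides per field what gets filtered.
class Pages extends CI_Controller {

    // Fields allowed to carry raw HTML (assumed field name). Every other field
    // is fetched with the second argument TRUE, which runs CI_Security::xss_clean()
    // on that value only.
    private $raw_html_fields = array('html_body');

    public function save()
    {
        $posted = $this->input->post();         // all POST items, or FALSE if none
        if ($posted === FALSE) {
            show_error('No form data received.', 400);
        }

        $data = array();
        foreach (array_keys($posted) as $name) {
            $keep_raw   = in_array($name, $this->raw_html_fields, TRUE);
            $data[$name] = $this->input->post($name, ! $keep_raw);
        }

        // The raw field is still untrusted input: accept it only from authenticated
        // authors who are allowed to publish HTML, because it is rendered to other
        // visitors in the views that output it (a stored-XSS surface otherwise).
        $this->db->insert('pages', $data);      // assumed table name
    }
}
```

This keeps the filter on every ordinary field and only exempts the listed ones, which is the same protection the global switch gave minus the one field that needs its style attributes. If the people allowed to submit that field are not fully trusted, CodeIgniter's xss_clean() is not a substitute for a parser-based HTML sanitizer such as HTML Purifier on the raw field.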
#7

[eluser]rana[/eluser]
You may extend the existing XSS filter and modify it in such a way that it accepts the style attribute.

[quote author="Salvador P." date="1360574152"](quoting post #5 above)[/quote]
#8

[eluser]Salvador P.[/eluser]
Didn't think about that, I'll take a look at it.

Thanks rana!
#9

[eluser]Salvador P.[/eluser]
Got it!

Solved the problem this way.

Extended the Security library in:

application/core/MY_Security.php

Copied the function _remove_evil_attributes and modified it to satisfy our requirements.

Thanks all for your help!
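The thread does not show the modified _remove_evil_attributes(), so the following is an added example, not the poster's override and not CodeIgniter's code. It assumes CodeIgniter 2.1.x, where CI_Security::_remove_evil_attributes($str, $is_image) strips every style attribute together with on*, xmlns and formaction. Instead of copying the parent function and deleting 'style' from its list (which would let any CSS through), it pulls the style attributes out, keeps only declarations whose property is on an allowlist and whose value is made of harmless characters, runs the parent filter, and puts the validated attributes back. The allowlisted property names are an assumption; extend them to what the templates need.

```php
<?php
// application/core/MY_Security.php  (CodeIgniter 2.1.x assumed)
class MY_Security extends CI_Security {

    // CSS properties allowed to survive filtering (assumed list).
    protected $allowed_css = array(
        'color', 'background-color', 'font-family', 'font-size', 'font-weight',
        'line-height', 'text-align', 'padding', 'margin', 'width', 'height',
    );

    // Validated style values stashed while the parent filter runs.
    protected $kept_css = array();

    protected function _remove_evil_attributes($str, $is_image)
    {
        $this->kept_css = array();

        // 1. Swap each quoted style="..." / style='...' for a placeholder token.
        //    The token contains none of the substrings the parent matches
        //    (on, style, xmlns, formaction), so the parent leaves it alone.
        $str = preg_replace_callback('/\sstyle\s*=\s*("[^"]*"|\'[^\']*\')/i',
                                     array($this, '_stash_style'), $str);

        // 2. Let CodeIgniter strip event handlers, xmlns, formaction and any
        //    style attribute the regex above did not match (e.g. unquoted style=x).
        $str = parent::_remove_evil_attributes($str, $is_image);

        // 3. Restore the validated attributes. The later xss_clean() passes
        //    (never-allowed strings such as expression( and javascript:) still
        //    run over the restored text.
        return preg_replace_callback('/ci-kept-css-(\d+)/',
                                     array($this, '_restore_style'), $str);
    }

    protected function _stash_style($m)
    {
        $css = $this->_safe_css(trim($m[1], "\"'"));
        if ($css === '') {
            return ' ';     // nothing safe in it: drop the attribute altogether
        }
        $this->kept_css[] = $css;
        return ' ci-kept-css-' . (count($this->kept_css) - 1) . ' ';
    }

    protected function _restore_style($m)
    {
        return isset($this->kept_css[$m[1]])
            ? 'style="' . $this->kept_css[$m[1]] . '"'
            : '';
    }

    // Keep only "allowed-property: plain-value" declarations. The value class
    // admits letters, digits, # % . , - and spaces only, so url(), expression(),
    // CSS escapes, comments, quotes and anything that could close the attribute
    // or the tag cannot get through.
    protected function _safe_css($css)
    {
        $out = array();
        foreach (explode(';', $css) as $decl) {
            if (strpos($decl, ':') === FALSE) {
                continue;
            }
            list($prop, $value) = explode(':', $decl, 2);
            $prop  = strtolower(trim($prop));
            $value = trim($value);
            if (in_array($prop, $this->allowed_css, TRUE)
                && preg_match('/^[A-Za-z0-9#%.,\- ]+$/', $value))
            {
                $out[] = $prop . ': ' . $value;
            }
        }
        return implode('; ', $out);
    }
}
```

With this in place the sample from the first post comes through the global filter intact (every property in it is on the list and every value is plain text), while a style such as background: url(javascript:...) or width: expression(...) is dropped before the parent filter ever sees it. The class is picked up automatically because CodeIgniter loads application/core/MY_Security.php in place of the core class when subclass_prefix is MY_. The reason the stock filter strips style entirely is that inline CSS has been an XSS vector in older browsers (expression(), behavior:, -moz-binding, url(javascript:)); the allowlist plus the restricted value characters is what makes re-admitting the attribute defensible, and it should still only be accepted from authors trusted to publish HTML.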



