XSS_Clean on Template Parser?

#1
Question 
Hello,

I have a few questions regarding XSS Cleaning in CI:

1. I noticed that the template parser does not xss_clean the output. Is there any specific reason for that? I know we should manually clean all outputs, but I was hoping for some kind of protection against forgetting a single output by mistake. If the template parser had it, that would be awesome.

If this is just developers not having the time, is it okay if I add it myself by extending CI_Parser? Or is there a good reason not to do this?


2. If we want an output to be xss_cleaned but also don't want HTML tags to be processed, we should do this, right?


PHP Code:
echo html_escape(xss_clean($var));

I do it to prevent names from being something like <h1>anything</h1> and breaking the design. I cannot validate names to be alphabetic because the website is multilingual (or maybe I should validate by checking if the user input has HTML special chars? Not sure if that will prevent every possible attack).


3. I know the reason they removed global_xss_filtering, but if we really don't need to output any HTML and we manually prevent xss_clean on passwords ( $this->input->post('password', FALSE) ), is it still really bad to use it? I mean, isn't it better than forgetting to clean even a single output in the entire project, which would ruin everything?


I'm just trying to learn more and need an expert's advice on these, hope you guys will help.



#2
Hmm, interesting idea. The template parser is not hugely popular, but I use it extensively, and have taken on the parser for CI4.
I will look into the code, and it could very well be appropriate to add at least an optional xss_clean.

Thanks for the feedback!

#3
To be clear, I don't know when or why xss_clean was removed from the template parser, or if it was ever there; I am not expert enough (from a security perspective) to address whether it should be there or not, but I can see it being *optionally* helpful.

One of my uses for the template parser is to inject XML/HTML from a database into a view, and forcing xss_clean would seem counter-intuitive to that.

CI4's View & Parser classes support optional escaping of view parameter values, which might serve the same intent as your question.

I don't see other responses to this thread, nor other community members bringing up the issue, so am not sure how much interest there would be in such an enhancement.

You asked about extending CI_Parser... that can always be done (core/MY_Parser). However, you are welcome to submit a PR to our GitHub repo with that proposed change to the parser. That could be a better way to get the community to chime in!

#4
(11-28-2016, 04:07 PM)ciadmin Wrote: To be clear, I don't know when or why xss_clean was removed from the template parser, or if it was ever there; I am not expert enough (from a security perspective) to address whether it should be there or not, but I can see it being *optionally* helpful.

One of my uses for the template parser is to inject XML/HTML from a database into a view, and forcing xss_clean would seem counter-intuitive to that.

CI4's View & Parser classes support optional escaping of view parameter values, which might serve the same intent as your question.

I don't see other responses to this thread, nor other community members bringing up the issue, so am not sure how much interest there would be in such an enhancement.

You asked about extending CI_Parser... that can always be done (core/MY_Parser). However, you are welcome to submit a PR to our GitHub repo with that proposed change to the parser. That could be a better way to get the community to chime in!

Thank you, Sir,
You enlightened my path.

So basically there is no harm in auto-cleaning there if we want it. I will do my best to do it in a clean way and submit it to GitHub.
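A sketch of the optional-escaping parser extension discussed in this thread, added here as an illustration; it is not code from the thread or from the CodeIgniter project. It assumes CodeIgniter 3.x, where CI_Parser::_parse_single() returns the {key} => value replacement map, and it adds an $escape parameter of its own to parse() and parse_string(). It uses html_escape() rather than xss_clean() because escaping neutralises a name such as <h1>anything</h1> without rewriting the user's text.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// application/core/MY_Parser.php (CodeIgniter 3.x, assumed)
// Escapes every scalar value the parser substitutes unless the caller
// opts out, so a forgotten html_escape() in a view no longer matters.
class MY_Parser extends CI_Parser
{
    // Our own flag (not part of CI_Parser): escape substituted values?
    protected $escape = TRUE;

    // Same signature as CI_Parser::parse(), plus an $escape switch for
    // templates that must receive trusted HTML (the database-XML use case).
    public function parse($template, $data = array(), $return = FALSE, $escape = TRUE)
    {
        $this->escape = (bool) $escape;
        return parent::parse($template, $data, $return);
    }

    // parse_string() takes the template text directly; same switch.
    public function parse_string($template, $data = array(), $return = FALSE, $escape = TRUE)
    {
        $this->escape = (bool) $escape;
        return parent::parse_string($template, $data, $return);
    }

    // CI 3's _parse_single() maps "{key}" to the raw value; escape it first.
    // html_escape() wraps htmlspecialchars() with ENT_QUOTES, so quotes in
    // attribute contexts are covered as well as angle brackets.
    // Caveat (assumption about CI 3 internals): values inside {pair}...{/pair}
    // loops are built by _parse_pair() and do not pass through here, so they
    // need the same treatment in an override of _parse_pair() if you use them.
    protected function _parse_single($key, $val, $string)
    {
        if ($this->escape)
        {
            $val = html_escape((string) $val);
        }
        return parent::_parse_single($key, $val, $string);
    }
}
```

With this in place, $this->parser->parse('profile', array('name' => $name)) renders a hostile name as inert text, while parse('page', $data, FALSE, FALSE) keeps the original behaviour for views that intentionally emit stored HTML.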



