• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Using xss_clean() for displaying content from WYSIWYG editor

#1
Hi friends,

I have a web application that accepts comments using a WYSIWYG editor (having basic formatting like bold, italics, heading, lists, etc).

I am trying to allow users to also enter manually typed html like:
Quote:<b>This is manually typed content</b>
This is formatted content

Here the 1st line is html that's manually typed by user, and second line is text formatted using the wysiwyg editor.

This input then gets stored in my database as (with html entities encoded):
Quote:&lt;b&gt;This is manually typed content&lt;/b&gt;
<b>This is formatted content</b>

Now before displaying when I run this through "$this->security->xss_clean()", the output of xss_clean() is:
Quote:<b>This is manually typed html</b>
<b>This is formatted content</b>

So on echoing this in browser both lines come out as bold text, whereas I want only the formatted text to be treated as html.

Another issue is that xss_clean() url-decodes the text passed to it, so in some cases the text having "%" with some trailing alphabets get converted to a special character. 

I understand a lot of stuff that xss_clean() does is for security reasons and my app has never suffered any xss attacks until now thanks to it. But I would like an alternative that would preserve html entities & not url decode text while filtering for XSS.

So my question is, are there any good alternatives to xss_clean() which someone is using that can solve these 2 issues while also doing xss filtering?
I am aware of HTML purifier, but would like to know if there are any other good alternatives.


P.S. I am aware that the % sign issue has been reported on CI's github issues & is marked closed, because removing it is a security concern : https://github.com/bcit-ci/CodeIgniter/issues/5125
Haven't found anything else related in CI's Github issues, and searching "xss_clean" retrieves a lot of results on this forum. I went through a few pages but couldn't find something relevant. So forgive me for not being able to find  a topic where this has been discussed before.
Thanks!
Reply

#2
I guess that's why using meta-tags like [b] on forums is so popular - you can convert all < and > characters to &lt; / &gt; to avoid any script execution, then replace all meta-tags with actual HTML tags. Or Markdown is quite popular as well, but both use their own syntax, THEN convert to HTML.

I guess if it's stored in DB correctly, and it is xss_clean that replaced &lt; with < - you could replace &lt; with -my-random-less-than-replacement- before xss_clean, then revert it back. Quite ugly solution, but could get you going.
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


Users browsing this thread:
1 Guest(s)


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2018 MyBB Group.