protected function _remove_evil_attributes
#1

This function makes storing HTML in the database from a WYSIWYG editor practically impossible. I'm just learning, but was wondering if there is a workaround for this? Is the idea to make flat files and store a link to them in the db? What are the implications of allowing certain HTML tags through? If I remove 'style' from this, the WYSIWYG works fine. I've been reading the docs and researching, but I'm just not finding much in the way of answers. Can someone point me to an answer or discussion on the matter so I can make more informed choices?
#2

It's simple - don't use it.
#3

Add this to your project under /src/your_application_name/MY_Security.php:
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Extends CI_Security so the 'style' attribute survives filtering on the
 * URIs listed in $allowed (e.g. the WYSIWYG save action); every other
 * request keeps the stock attribute list.
 */
class MY_Security extends CI_Security {

	public function __construct()
	{
		parent::__construct();
	}

	// --------------------------------------------------------------------

	/*
	 * Modified for cb_cms
	 */
	protected function _remove_evil_attributes($str, $is_image)
	{
		// URIs on which inline 'style' is allowed through, e.g. '/articles/add'.
		// REQUEST_URI carries the query string too, so '/articles/add?x=1' does
		// not match; it is also request-controlled, so anything that can POST
		// to a listed URI gets the weaker filter.
		$allowed = array('/articles/add');
		$request_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';

		// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
		if (in_array($request_uri, $allowed, TRUE))
		{
			$evil_attributes = array('on\w*', 'xmlns');
		}
		else
		{
			$evil_attributes = array('on\w*', 'style', 'xmlns');
		}

		if ($is_image === TRUE)
		{
			/*
			 * Adobe Photoshop puts XML metadata into JFIF images,
			 * including namespacing, so we have to allow this for images.
			 */
			$key = array_search('xmlns', $evil_attributes, TRUE);
			if ($key !== FALSE)
			{
				unset($evil_attributes[$key]);
			}
		}

		// Loop until nothing more is removed: the pattern matches once per
		// tag per pass, and a tag may carry several evil attributes.
		do {
			$str = preg_replace(
				"#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i",
				"<$1$6",
				$str, -1, $count
			);
		} while ($count);

		return $str;
	}

}
#4

(02-16-2015, 04:44 AM)majd Wrote: add this in your project under /src/your_application_name/MY_Security.php

Thank you, I will look this code over. I appreciate your input.
#5

I'd advise you not to use that snippet.
#6

I haven't used it; however, your answer really didn't help my situation much. I'm looking for a workaround. I'm storing HTML in the database for a content management system through TinyMCE. WordPress has this functionality, so I would imagine there is some safe way to accomplish this.
#7

Thinking about rewriting the security as a module.
#8

At best, WordPress should be a cautionary tale in the difficulties of accomplishing something like this safely. Rather than overriding the method in CI's Security class, you should handle the filtering for your textarea in your model or controller, using the Security class' methods to help where they can.

The first thing that comes to mind, though, is the following question: why does removing 'style' from the list make this work for you? In general, even when not used with bad intent, the use of the style attribute stinks of bad coding practices.
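Worked example of the approach #8 recommends, added here and not taken from this thread or from CodeIgniter's own code: an allow-list sanitizer that runs in the controller or model before the TinyMCE HTML is saved, so CI_Security stays untouched. The class name WysiwygSanitizer, the tag/attribute/CSS allow-lists and the sample input are assumptions for illustration.

```php
<?php
// Added example (not from this thread or CodeIgniter): allow-list sanitizer
// for editor HTML. Tags, attributes and CSS properties not listed are dropped;
// unknown tags are unwrapped so their text survives. Lists are assumptions.
class WysiwygSanitizer
{
    private $tags = array(
        'p' => array('style'), 'span' => array('style'), 'br' => array(),
        'strong' => array(), 'em' => array(), 'ul' => array(), 'ol' => array(),
        'li' => array(), 'h2' => array(), 'h3' => array(), 'blockquote' => array(),
        'a' => array('href', 'title'), 'img' => array('src', 'alt', 'width', 'height'),
    );
    // A kept CSS property must match its value pattern, so url(), expression()
    // and @import cannot get through a 'style' attribute.
    private $css = array(
        'color'           => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]+)$/i',
        'text-align'      => '/^(left|right|center|justify)$/',
        'font-weight'     => '/^(bold|normal|[1-9]00)$/',
        'text-decoration' => '/^(underline|line-through|none)$/',
    );

    public function sanitize($html)
    {
        if (trim($html) === '') return '';
        $dom  = new DOMDocument();
        $prev = libxml_use_internal_errors(TRUE);   // unknown tags are not fatal
        // The XML PI makes libxml read the fragment as UTF-8; it adds <html><body>.
        $dom->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_HTML_NODEFDTD);
        libxml_use_internal_errors($prev);
        $body = $dom->getElementsByTagName('body')->item(0);
        if ($body === NULL) return '';
        $this->cleanChildren($body);
        $out = '';
        foreach ($body->childNodes as $child) $out .= $dom->saveHTML($child);
        return $out;
    }

    private function cleanChildren(DOMNode $node)
    {
        // Snapshot first: childNodes is live and changes while we edit.
        foreach (iterator_to_array($node->childNodes) as $child) $this->cleanNode($child);
    }

    private function cleanNode(DOMNode $node)
    {
        if ($node->nodeType === XML_TEXT_NODE) return;          // escaped by saveHTML
        $tag = strtolower($node->nodeName);
        if ($node->nodeType !== XML_ELEMENT_NODE || $tag === 'script' || $tag === 'style') {
            $node->parentNode->removeChild($node);              // comments, PIs, active content
            return;
        }
        $this->cleanChildren($node);
        if ( ! isset($this->tags[$tag])) {                      // unwrap unknown tags
            while ($node->firstChild) $node->parentNode->insertBefore($node->firstChild, $node);
            $node->parentNode->removeChild($node);
            return;
        }
        foreach (iterator_to_array($node->attributes) as $attr) {
            $name  = strtolower($attr->name);
            $value = $attr->value;
            if ( ! in_array($name, $this->tags[$tag], TRUE)) {
                $node->removeAttribute($attr->name);            // on*, xmlns, id, class, ...
            } elseif (($name === 'href' || $name === 'src') && ! $this->safeUrl($value)) {
                $node->removeAttribute($attr->name);
            } elseif ($name === 'style') {
                $clean = $this->cleanStyle($value);
                if ($clean === '') $node->removeAttribute('style'); else $node->setAttribute('style', $clean);
            } elseif (($name === 'width' || $name === 'height') && ! ctype_digit($value)) {
                $node->removeAttribute($attr->name);
            }
        }
    }

    private function safeUrl($url)
    {
        // The DOM already decoded entities, so "&#106;avascript:" arrives as "javascript:".
        // Browsers ignore tabs, newlines and leading controls in a scheme, so do the same.
        $probe = preg_replace('/[\x00-\x20]/', '', $url);
        if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
            return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), TRUE);
        }
        return TRUE;                                            // relative URL or fragment
    }

    private function cleanStyle($style)
    {
        $kept = array();
        foreach (explode(';', $style) as $decl) {
            if (strpos($decl, ':') === FALSE) continue;
            list($prop, $val) = array_map('trim', explode(':', $decl, 2));
            $prop = strtolower($prop);
            if (isset($this->css[$prop]) && preg_match($this->css[$prop], $val)) $kept[] = "$prop: $val";
        }
        return implode('; ', $kept);
    }
}

// Constructed sample of a tampered submission: every payload below is stripped,
// while the paragraph colour, the https link and the image path survive.
$dirty = '<p style="color:#c00;background:url(javascript:alert(1))" onmouseover="alert(1)">Hi</p>'
       . '<a href="jav&#x09;ascript:alert(1)">x</a> <a href="https://example.com/">ok</a>'
       . '<img src="/uploads/a.png" onerror="alert(1)"><script>alert(1)</script><div>kept text</div>';
$sanitizer = new WysiwygSanitizer();
echo $sanitizer->sanitize($dirty), "\n";
```

Because it parses into a DOM and re-serialises, the output is normalised (tags closed, attributes re-quoted) rather than a byte-for-byte copy of the input, which is what you want before storing it. The point of the allow-list is that 'style' is not a yes/no decision: you keep the few properties the editor needs and reject everything else, instead of letting the whole attribute through on one URI as the MY_Security override above does. For a production CMS a maintained library such as HTML Purifier covers far more edge cases than a hand-rolled class like this one.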