Codeigniter global_xss_filtering

Front-end · unresolved · 5 answers · 1748 views
Asked by 一个人的身影, 2020-12-03 18:53

In my CodeIgniter config I have $config['global_xss_filtering'] = TRUE;. In my admin section I have a CKEditor which generates the frontend content.


5 answers
  • 2020-12-03 19:06

    My case was that I wanted global_xss_filtering to be on by default, but sometimes I needed the $_POST data (psst: you can do this with any global PHP array, e.g. $_GET...) to be raw as sent from the browser, so my solution was to:

    1. open index.php in the root folder of the project
    2. add the following line of code, $unsanitized_post = $_POST;, after $application_folder = 'application'; (line #92)
    3. then whenever I needed the raw $_POST I would do the following:

      global $unsanitized_post;
      print_r($unsanitized_post);

  • 2020-12-03 19:09

    The global XSS filter only escapes (or converts) certain "dangerous" HTML tags like <html>.

    Simple Workaround:

    1. Set $config['global_xss_filtering'] = TRUE;
    2. Run your POST data through HTMLPurifier to remove any nasty <script> tags or javascript.
      • HTMLPurifier Docs
      • HTMLPurifier Codeigniter Integration
    3. On the page where you receive the form's POST data, use html_entity_decode() to undo what the XSS filtering did.

      // by decoding first, we remove everything that the XSS filter did
      // then we encode all characters equally.
      $content = html_entity_decode($this->input->post('template_content'));
      
    4. Then immediately run it through htmlentities()

      $content = htmlentities($content);
      
    5. Store it as a BLOB in the MySQL database.

    6. When you want to display the information to the user for editing run html_entity_decode()

    This is how I did it. If anyone knows of a major flaw in what I did, please tell me. It seems to be working fine for me. Haven't had any unexpected errors.

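    The decode, purify, re-encode round trip from the answer above, written out as an added example that is not part of the original answer. It runs outside CodeIgniter, assumes HTMLPurifier is installed through Composer (so vendor/autoload.php exists), and the sample strings are constructed to look like what the global XSS filter leaves behind:

```php
<?php
// Added example (not code from the original answer): the decode -> purify ->
// encode pipeline, runnable outside CodeIgniter. Assumes HTMLPurifier is
// installed via Composer; the sample strings below are constructed.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample of what CodeIgniter's global XSS filter typically leaves
// of an editor payload: ordinary tags pass through, "naughty" ones such as
// <script> are entity-encoded rather than removed.
$filtered_post = '<p>Hello <b>world</b></p>'
    . '&lt;script&gt;alert(1)&lt;/script&gt;';

function sanitize_for_storage($filtered)
{
    // 1. Undo the entity-encoding the XSS filter applied, so the purifier
    //    sees a real <script> element instead of harmless-looking text.
    $decoded = html_entity_decode($filtered, ENT_QUOTES, 'UTF-8');

    // 2. Let HTMLPurifier drop everything outside an explicit whitelist.
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,i,strong,em,ul,ol,li,a[href]');
    $purifier = new HTMLPurifier($config);
    $clean = $purifier->purify($decoded);

    // 3. Encode uniformly before storing (the answer stores this as a BLOB).
    return htmlentities($clean, ENT_QUOTES, 'UTF-8');
}

function for_editor($stored)
{
    // Reverse step 3 when loading the content back into the editor.
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
}

$stored = sanitize_for_storage($filtered_post);
// $stored now holds the entity-encoded form of '<p>Hello <b>world</b></p>';
// the script element did not survive the purifier.
echo for_editor($stored), PHP_EOL;
```

    The sample shows why decoding has to come first: the XSS filter turned <script> into &lt;script&gt;, which a purifier would keep as plain text; decoding restores the real tag so the purifier can remove it. The same decode also turns entities the author typed on purpose (for instance &lt; inside a code sample) into markup, so expect the purifier to rewrite those as well.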
  • 2020-12-03 19:15

    Simply do the following in the views when displaying embedded object code, e.g. from YouTube:

    echo str_replace(array('&lt;', '&gt;'), array('<', '>'), $embed_field);
    
  • 2020-12-03 19:25

    Turn it off by default then enable it for places that really need it.

    For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.

    One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.

    http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php

    It's one hell of a long way around, but it works.

    Perhaps a config option could be created listing the bad elements for 2.0?

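    Selective filtering as described in the answer above (filter off globally, enabled only where needed), as an added example that is not code from any of the answers, from PyroCMS or from CodeIgniter itself. It assumes CodeIgniter 2.x with $config['global_xss_filtering'] = FALSE, HTMLPurifier loadable from vendor/autoload.php, and a hypothetical Pages_model with a save() method. It also shows an HTMLPurifier iframe whitelist for YouTube embeds, which covers the embed case from the str_replace answer without re-inserting < and > in the view:

```php
<?php
// Added example (not from the answers, PyroCMS or CodeIgniter): a CodeIgniter 2.x
// controller that keeps $config['global_xss_filtering'] = FALSE and applies
// filtering per field. Assumes HTMLPurifier is loadable via vendor/autoload.php;
// Pages_model and its save() method are hypothetical.
require_once FCPATH . 'vendor/autoload.php';

class Pages extends CI_Controller
{
    public function save()
    {
        // Plain-text fields: CI_Input::post() with TRUE as the second argument
        // runs $this->security->xss_clean() on just that field.
        $title = $this->input->post('title', TRUE);
        $slug  = $this->input->post('slug', TRUE);

        // Rich-text field from the editor: take it raw, then reduce it to a
        // whitelist instead of letting xss_clean mangle legitimate markup.
        $body = $this->purify_html((string) $this->input->post('body'));

        $this->load->model('pages_model');
        $this->pages_model->save($title, $slug, $body); // hypothetical model

        // Escape plain text at output time rather than trusting storage.
        echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), ' saved.';
    }

    private function purify_html($dirty)
    {
        $config = HTMLPurifier_Config::createDefault();
        // Markup the editor is allowed to emit; everything else is dropped.
        $config->set('HTML.Allowed',
            'p,br,b,i,strong,em,ul,ol,li,h2,h3,a[href|title],img[src|alt],'
            . 'iframe[src|width|height]');
        // Permit <iframe> only when its src matches the YouTube embed prefix,
        // so arbitrary embed sources never reach the stored content.
        $config->set('HTML.SafeIframe', true);
        $config->set('URI.SafeIframeRegexp', '%^https://www\.youtube\.com/embed/%');

        $purifier = new HTMLPurifier($config);
        return $purifier->purify($dirty);
    }
}
```

    With the global filter off, the only fields that ever bypass xss_clean are the ones the controller deliberately reads raw, and those go through the whitelist before they are stored; the view can then echo the stored body directly instead of undoing an encoding step.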
  • 2020-12-03 19:26

    In CodeIgniter 2.0 the best thing to do is to override xss_clean in the core CI library. Put MY_Security.php in the application/core folder, then in /application/config.php set:

    $config['xss_exclude_uris'] = array('controller/method');

    Here's the MY_Security.php (https://gist.github.com/slick2/39f54a5310e29c5a8387):

    <?php

    /**
     * CodeIgniter version 2
     * Note: Put this in your application/core folder
     */
    class MY_Security extends CI_Security {

        function __construct()
        {
            parent::__construct();
        }

        function xss_clean($str, $is_image = FALSE)
        {
            $bypass = FALSE;

            /**
             * Bypass controllers set in /application/config/config.php:
             * $config['xss_exclude_uris'] = array('controller/method')
             */
            $config = new CI_Config;
            $uri = new CI_URI;
            $uri->_fetch_uri_string();
            $uri->_explode_segments();

            $controllers_list = $config->item('xss_exclude_uris');

            // we need the controller class and method only
            if (!empty($controllers_list))
            {
                $segments = $uri->segment_array();
                if (!empty($segments))
                {
                    if (!empty($segments[1]))
                    {
                        $action = $segments[0] . '/' . $segments[1];
                    }
                    else
                    {
                        $action = $segments[0];
                    }
                    if (in_array($action, $controllers_list))
                    {
                        $bypass = TRUE;
                    }
                }

                // we no longer need these instances
                unset($config);
                unset($uri);
            }

            if ($bypass)
            {
                return $str;
            }
            else
            {
                return parent::xss_clean($str, $is_image);
            }
        }

    }
    