CodeIgniter - why use xss_clean
xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent XSS, such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit; they are going to hijack the cookie with XSS or read a CSRF token to make an XHR.
However, running htmlentities() or htmlspecialchars() with it is redundant. A case where xss_clean() fixes the issue and htmlentities($text, ENT_COMPAT, 'UTF-8') fails is the following:
<?php
// Deliberately vulnerable: the query-string value (supplied by the PoC URL
// below as ?var=...) is printed into a single-quoted attribute unescaped.
$var = $_GET['var'];
print "<img src='$var'>";
?>
A simple PoC is:
http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)
This will add the onload= event handler to the image tag. A method of stopping this form of XSS is htmlspecialchars($var, ENT_QUOTES); or, in this case, xss_clean() will also prevent this.
However, quoting from the xss_clean() documentation:
    Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.
That being said, XSS is an output problem, not an input problem. For instance, this function cannot take into account that the variable is already within a <script> tag or event handler. It also doesn't stop DOM-based XSS. You need to take into consideration how you are using the data in order to use the best function. Filtering all data on input is a bad practice. Not only is it insecure, but it also corrupts data, which can make comparisons difficult.
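The attribute-context and script-context cases the answer above describes, as an added PHP example that is not part of the original answer. It renders the same <img src='...'> sink with the two escaping calls discussed, checks with a real HTML parser whether onload became an attribute, and adds the <script> case that entity encoding cannot handle. The payload is constructed here to match the PoC URL's ?var= value; the helper names (img_ent_compat, img_ent_quotes, img_has_onload, js_literal) are this example's own, not CodeIgniter functions.

```php
<?php
// Added example, not from the original answer. Assumes PHP 5.4+ with the DOM
// extension and UTF-8 output. The payload is constructed to match the PoC URL.
$payload = "http://domain/some_image.gif' onload=alert(/xss/)";

// ENT_COMPAT converts " but leaves ' untouched, so inside a single-quoted
// attribute the quote still terminates the src value and onload= is parsed as
// a second attribute.
function img_ent_compat($src) {
    return "<img src='" . htmlentities($src, ENT_COMPAT, 'UTF-8') . "'>";
}

// ENT_QUOTES encodes ' as well, so the whole payload stays inside the value.
function img_ent_quotes($src) {
    return "<img src='" . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . "'>";
}

// Parse the markup the way a browser would and report whether the <img> tag
// ended up with an onload attribute. A textual search for "onload=" would be
// fooled, since that substring is present in both outputs above.
function img_has_onload($html) {
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $img = $doc->getElementsByTagName('img')->item(0);
    return $img !== null && $img->hasAttribute('onload');
}

// Inside <script> the browser does not decode HTML entities, so neither call
// above is the right tool there. Encode for the JavaScript context instead:
// json_encode() yields a quoted JS string literal, and the JSON_HEX_* flags
// turn < > & ' " into \uXXXX escapes, so a value containing </script> cannot
// close the block it is embedded in.
function js_literal($value) {
    return json_encode((string) $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Demonstration: run from the command line with php.
var_dump(img_has_onload(img_ent_compat($payload)));  // the breakout survives ENT_COMPAT
var_dump(img_has_onload(img_ent_quotes($payload)));  // and is gone with ENT_QUOTES
echo '<script>var src = ', js_literal("</script><script>alert(1)</script>"), ";</script>\n";
```

The point of img_has_onload() is that "did the escaping work" is a question about how the markup parses, not about which characters are present; the same discipline applies when choosing the escaping function in the first place, which is why the script case uses a JavaScript encoder rather than another HTML-entity call.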
xss_clean in CodeIgniter 2 works fine but in CodeIgniter 4 doesn't?
There is no xss_clean function for CI4 because that is the wrong way to prevent XSS. Here is the official reply:
    XSS_clean should be considered deprecated. That's not a recommended practice to rely on. You should filter your inputs AND escape your outputs.
    Input:
    https://codeigniter4.github.io/userguide/libraries/validation.html
    https://codeigniter4.github.io/userguide/incoming/incomingrequest.html#retrieving-input ("Filtering Input Data")
    Output:
    https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-data
    https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-contexts
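The "filter your inputs AND escape your outputs" split that the reply above recommends, as an added CodeIgniter 4 example written for this page; it is not code from the CodeIgniter user guide. It assumes a CI4 application; the Profile controller, the profile view, and the field names and validation rules are illustrative choices, and the view uses esc() with the HTML-body, attribute and JavaScript contexts that the linked escaping-contexts section lists.

```php
<?php
// Added example, not CodeIgniter's own code. Assumes a CodeIgniter 4 app; the
// controller, view and field names below are hypothetical.

// ---- app/Controllers/Profile.php ----------------------------------------
namespace App\Controllers;

class Profile extends BaseController
{
    public function save()
    {
        // Input side: validation rules describe what a valid value looks like.
        // Nothing here tries to strip or entity-encode "dangerous" markup.
        $rules = [
            'username' => 'required|alpha_numeric|min_length[5]|max_length[12]',
            'bio'      => 'permit_empty|max_length[500]',
        ];
        if (! $this->validate($rules)) {
            return view('profile', ['errors' => $this->validator->getErrors()]);
        }

        // Keep the submitted text as-is (no xss_clean, no htmlentities), so what
        // is stored compares equal to what the user typed and can be re-edited.
        return view('profile', [
            'username' => $this->request->getPost('username'),
            'bio'      => $this->request->getPost('bio'),
        ]);
    }
}

// ---- app/Views/profile.php ----------------------------------------------
// Output side: esc() is called with the context each value is rendered into,
// so the same stored string is encoded differently in body, attribute and
// script positions.
?>
<?php foreach ($errors ?? [] as $error): ?>
    <p class="error"><?= esc($error) ?></p>
<?php endforeach ?>

<p>Hello, <?= esc($username ?? '') ?></p>                        <!-- HTML body -->
<img src="/avatar.png" alt="<?= esc($bio ?? '', 'attr') ?>">    <!-- attribute value -->
<script>var user = "<?= esc($username ?? '', 'js') ?>";</script> <!-- JavaScript string -->
```

The two halves are deliberately independent: the controller never needs to know where a value will be displayed, and the view never needs to trust that the value was "cleaned" earlier, which is the property the CI2/CI3 xss_clean approach could not give.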
XSS_CLEAN doesn't work in CodeIgniter
The xss_clean() function does not remove all HTML; it removes/replaces specific things that are considered dangerous, like <script> tags.
http://codeigniter.com/user_guide/libraries/security.html
The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.
Someone injecting a <p> tag into your page, while maybe not desired, is not really an effective attack. You'll have to specify what you want to do with it. In many cases, you will want HTML output that has been xss_clean()ed.
It sounds like you want either htmlspecialchars() or strip_tags() (note: these are two very different things). If you want to encode the HTML, you can also use CI's html_escape():
echo html_escape($this->input->post('question'));
If you want HTML output and not entities, just use the XSS filter by itself:
echo $this->input->post('question', TRUE);
echo xss_clean($user_input);
Codeigniter safe queries and xss clean
I guess all insert or update data come from a form. If you go to application/config/config.php and change
$config['csrf_protection'] = FALSE;
to
$config['csrf_protection'] = TRUE;
this helps you to filter all inputs (xss_clean).
How to remove xss_clean in CI3
xss_clean is used mainly with CI's form validation library. As stated in the comments, the best way to get rid of this error (if you don't need the features of xss_clean) would be to remove all instances of xss_clean from your validation rules.
Example of where you could find xss_clean in your app:
$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');
codeigniter form validation documentation
CodeIgniter xss_clean issue with large amount of html [in firefox]
Solved.
I went to EllisLab support and they told me that the function is no longer in use.
https://support.ellislab.com/bugs/detail/20646/the-e-modifier-is-deprecated-use-preg_replace_callback-instead
I copied the new core/Security.php over mine and it's now working.