Codeigniter - Why Use Xss_Clean

CodeIgniter - why use xss_clean

xss_clean() is extensive, and also silly. 90% of this function does nothing to prevent XSS. Such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit, they are going to hijack the cookie with XSS or read a CSRF token to make an XHR.

However running htmlentities() or htmlspecialchars() with it is redundant. A case where xss_clean() fixes the issue and htmlentities($text, ENT_COMPAT, 'UTF-8') fails is the following:

<?php
print "<img src='$var'>";
?>

A simple poc is:

http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)

This will add the onload= event handler to the image tag. A method of stopping this form of XSS is htmlspecialchars($var,ENT_QUOTES); or in this case xss_clean() will also prevent this.

However, quoting from the xss_clean() documentation:

Nothing is ever 100% foolproof, of
course, but I haven't been able to get
anything passed the filter.

That being said, XSS is an output problem not an input problem. For instance, this function cannot take into account that the variable is already within a <script> tag or event handler. It also doesn't stop DOM Based XSS. You need to take into consideration how you are using the data in order to use the best function. Filtering all data on input is a bad practice. Not only is it insecure but it also corrupts data which can make comparisons difficult.

xss_clean in Codeigniter 2 work fine but in Codeigniter 4 doesn't?

There is no xss_clean function for CI4 because that is the wrong way to prevent XSS. here is the official reply

XSS_clean should be conspired deprecated. That's a not a recommended
practice to rely on. You should filter your inputs AND escape your
outputs.

Input:
https://codeigniter4.github.io/userguide/libraries/validation.html
https://codeigniter4.github.io/userguide/incoming/incomingrequest.html#retrieving-input
"Filtering Input Data"

Output:
https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-data
https://codeigniter4.github.io/userguide/outgoing/view_renderer.html#escaping-contexts

XSS_CLEAN doesn't work in CodeIgniter

The xss_clean() function does not remove all HTML, it removes/replaces specific things that are considered dangerous, like <script> tags.

http://codeigniter.com/user_guide/libraries/security.html

The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

Someone injecting a <p> tag into your page, while maybe not desired, is not really an effective attack. You'll have to specify what you want to do with it. In many cases, you will want HTML output that has been xss_clean()ed.

It sounds like you want either htmlspecialchars() or strip_tags() (note: these two very different things). If you want to encode the HTML, you can also use CI's html_escape():

echo html_escape($this->input->post('question'));

If you want HTML output and not entities, just use the XSS filter by itself:

echo $this->input->post('question', TRUE);
echo xss_clean($user_input);

Codeigniter safe queries and xss clean

I guess all insert or update data come from a form, if you go to application/config/config.php and set

$config['csrf_protection'] = FASLE;

to

$config['csrf_protection'] = TRUE;

this helpyou to filter all inputs (xss_clean)

How to remove xss_clean in CI3

xss_clean is used mainly with CI's form validation library. As stated in the comments, the best way to get rid of this error (if you don't need the features of xss_clean) would be to remove all instances of xss_clean from your validation rules.

Example of where you could find xss_clean in your app:

$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');

codeigniter form validation documentation

CodeIgniter xss_clean issue with large amount of html [in firefox]

Solved.

I went to Ellislab support and they told me that the function is no longer in use.
https://support.ellislab.com/bugs/detail/20646/the-e-modifier-is-deprecated-use-preg_replace_callback-instead

I copy the new core/Security.php and paste on mine and it's now working.


Related Topics

Reordering Checkout Fields in Woocommerce 3

Alter Table in Magento Setup Script Without Using SQL

PHP Create and Save a Txt File to Root Directory

Which Mime Type Should I Use for Mp3

How to Include Authorization Header in Curl Post Http Request in PHP

Send PHP HTML Mail with Attachments

Reading Mp4 Files with PHP

Can Someone Explain the /E Regex Modifier

Can't Concatenate 2 Arrays in PHP

Function List of PHP File

PHP Inserting Multiple Checkbox and Textbox Arrays into MySQL Database

How to Throttle My Site's API Users

Setup Http Expires Headers Using PHP and Apache

Subtract 1 Day with PHP

Detect If PHP Session Exists

How to Get Class Name in PHP

_Construct() VS Sameasclassname() for Constructor in PHP

PHP Validate Integer


Leave a reply



Submit