3

I am working on a book listing website and have run into a problem with codeigniter's xss filtering. When the form is submitted to create a listing, any title that includes "Javascript:" gets replaced with "[REMOVED]". I have tried accessing the data from the POST array like this: 

$title = $_POST['title'];

to avoid using the Input class but it is still somehow getting filtered. Is there any way around this that does not involve turning global_xss_filtering off?

Improve this question
1

1 Answer 1

Reset to default
9

Is there any way around this that does not involve turning global_xss_filtering off?

Nope, sorry. You have to turn it off because it alters the raw post data early in CI's execution.

I could rant for 5 pages about the proper use of the xss filter, but I'll try and keep it concise:

  • Filter output, not input
  • Always keep the context in mind and escape appropriately (is this HTML? SQL? javascript? text file?)
  • The global filter is a security blanket. You can remove it once you know what you're doing.

Here's just one of many tragic examples of why the global XSS filter is a bad idea:

  • A user signs up for an account, and sets his password to document.write123
  • You process the password, and end up hashing the string [removed]123

  • Now, the user can log in with any of the following passwords, because those will also get turned into [removed]123 by the filter before you hash them to validate:

    • <script>123
    • document.write123
    • document.cookie123
    • etcetera...

That shouldn't happen. A user shouldn't be able to log in with multiple passwords (unless it's by design... I suppose).

Also, good luck saving any of your blog posts that use <iframe>s... YouTube videos for example.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Can you explain why we should filter the output and not the input? I'm really interested to know why, because so far I've always filter the input.
Because the output is context sensitive, and PHP cannot figure out what the data is used for - you have to tell it how to escape properly. If you filter your input, you taint the original data and cannot recover it. If you filter the output, the original data remains intact. Suppose I want users to post code samples (like on this site). Using a "dumb" global filter would make this impossible. Another side effect it can have is you start to "trust" all user data implicitly, which is bad. Also, if the XSS filter is improved, you'd want to take advantage of it, on your output.
Besides, the global XSS filter runs on all get, post, and cookie data, on every request, and it's rather slow and sometimes - even silly. For example, removing things like <blink> and alert(), which any real hacker would never bother with. Sure those things can be disruptive, but that's not the point of XSS.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.