All geek questions in one place

The dictate dilemma of Codeigniter xss_clean

I know that this question was asked again and again, but so far I have not found the perfect answer to my taste, so here it goes again ...

I read many and many polarizing comments about CI xss_filter. Basically, most say it is bad. Can someone clarify how bad this is, or at least give 1 the most likely scenario where it can be used? I looked at the security class in CI 2.1, and I think it is pretty good, since it does not allow the use of malicious strings like document.cookie, document.write, etc.

If the site has a mostly non-html presentation, is it safe to use the global xss_filter (or, if it REALLY affects performance so much, use it based on each form) before inserting it into the database? I read about the pros and cons of whether I / O with a majority of votes should be avoided, which should be avoided only at the output. But then again, why allow storing <a href="javascript:stealCookie()">Click Me</a> in the database?

The only thing I don't like is javascript: and they will be converted to [removed] . Can I expand the CI $_never_allowed_str security kernel arrays so that never-allowed strings are returned empty, not [removed] .

The best reasonable example of an error that I read is if the user has a javascript:123 password javascript:123 , it will be cleared to [removed]123 , which means that a line like this document.write123 will also pass as the user's password. Again, what is the likelihood that this will happen, and even if it does, I cannot think of any real harm that the site could cause.

thanks

+4
source share
1 answer

Basically, XSS is an OUTPUT problem, but Codeigniter sees it as an INPUT problem.

Can someone clarify how bad this is ...

The problem is that xss_clean modifies your INPUT - which means in some scenarios (for example, the password problem you described), the input is not what is expected.

... or at least give 1 the most likely scenario in which it can be used?

It searches only specific keywords such as "javascript". There are other script actions that xss_clean does not detect, plus it does not protect you from any "new" attacks.

The only thing I don't like is javascript: and this will be converted to [deleted]. Can I extend the CI $ _never_allowed_str security kernel kernels so that never-allowed strings are returned empty and not [deleted]

You could do it, but just put a gang on a bad decision.

I read about the pros and cons regarding whether I / O with a majority of votes should be avoided, which we should avoid only on output.

This is the correct answer - avoid ALL of your output, and you have real XSS protection without changing the input.

OWASP Explains More About XSS Here

Check out the good Codeigniter forum thread on XSS

Personally, my approach to protecting XSS in Codeigniter is that I don't do any XSS cleaning on the inputs. I run the hook on _output - which clears all my "view_data" (this is the variable that I use to send data to the views).

I can switch if I do not want XSS Clean to start by inserting into my controller "$ view_data ['clean_output] = false", which checks the hook:

 if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output'])) { // Apply to all in the list $this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data); }

This gives me automatic and complete XSS protection on my site - just a couple of lines of code and lack of performance.

+4
source

Source: https://habr.com/ru/post/1416506/

More articles:


All Articles