Found this very weird bug today after updating to 2.0.2. If I tried to insert an image into ckeditor and set its dimensions via the editor form, the generated inline style would not save to the database after POST.
I do not have any other type of POST filtering other than this option enabled in config.php. After I’ve set it to FALSE, it saved ok.
Same here. Switching off XSS_filter, all tags (style) go through well. I think it’s not a problem with my current project because I use Tinymce behind the admin area.
And, in 1.7.x were all good.
Confirmed. XSS_filtering is the culprit here. I’ve built 7 websites with Tinymce since CI 2.0 release and everything worked well. But the latest project was given CI 2.0.2 and when concocted with Tinymce it filters out image alignment.
I’m not sure I feel comfortable with XSS filtering disabled. Perhaps we could add an exception somewhere? Interestingly properties like “width” are not filtered out. It seems that “style” definition gets removed.
Yes, only the style property is filtered out. I set the global xss filtering to FALSE and use it manually, and with variables filled from the tinymce textarea I use htmlentities and html_entity_decode; dunno if it’s reasonable protection or not.
yep, same here with CodeIgniter 2.0.2. After turning off global_xss filtering everything works like a charm.
But i still want to use it so i made quick workaround.
In the file system/core/security I modified the function _remove_evil_attributes (around line 579).
    // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
    // Request paths (without the domain) whose POSTed HTML may keep the style attribute
    $allowed = array('/admin/edittext/');
    if (in_array($_SERVER['REQUEST_URI'], $allowed))
    {
        // Editor form: keep style, still strip event handlers and xmlns
        $evil_attributes = array('on\w*', 'xmlns');
    }
    else
    {
        // Every other request: the stock list
        $evil_attributes = array('on\w*', 'style', 'xmlns');
    }
Very strange ....
I cannot send html content from a POST form… I use ckeditor, and after the post, every html tag is cleaned. This is on localhost (CI 2.0.2, php 5.3)
BUT… on my host it works fine… (CI 2.0.2, php 5.2)
Both use same config.
I tried removing ckeditor… but same result.
I did var_dump($_POST), and the content is clean too.
I just removed the element ‘style’ from that array in the core and it worked again. Why is that even there? What malicious code can someone put in a style tag?
Is this really a CI 2.0.2 bug? Just lost a whole hour trying to figure out what’s wrong with the ckeditor alignment.
Disabling global XSS on config worked.
Is there a way to disable global for this specific field? Or any other workaround available?
Btw, Sudhakar@CI, implementing ckeditor on CI is a breeze. Have you checked the forum?
http://codeigniter.com/forums/viewthread/127374/
Or even CI wiki?
Can anyone share some thoughts on this issue? I need to save html on this project. Disabling styles on POST is the reason why my client’s clients are going bananas, and disabling global XSS is not an option as well.
Thanks.
Just checked another post (http://codeigniter.com/forums/viewthread/191399/#903478) where bubbafoley suggested:
Hi hyperfire,
Not really a bug, but the CI guys decided that the style attribute is “evil”. Perhaps it is; I’m not aware of it causing security issues, but it doesn’t seem like there is a way to remove it from the list of evil attributes other than modifying one of the core functions (outlined above). I simply removed it from the evil attribute list and everything works. Has to do until a fix is available. Would be nice to have a configurable evil attribute list.
Well, as I had to move on, I have decided to disable the global xss filtering (a real PITA because all forms had to be updated, etc) and to implement the html purifier (with a gentle help of the html purifier CI lib http://codeigniter.com/wiki/htmlpurifier/) for the fields with ckeditor enabled. I feel safe now. (sort of, lol)
We turned off the XSS filtering in the config file and extended the Input class. We turned on XSS filtering as default for every function in our MY_Input. So as long as we don’t send a “FALSE” as second parameter in functions like $this->input->post(), the field is XSS filtered.
We also extended the Security class with our own MY_Security. When a FALSE is sent to $this->input->post(), the field still gets XSS cleaned, but only then with less options. The style tag for example ain’t filtered.
This way our regular fields are filtered the normal way and our CKEditor fields are filtered, but not as thoroughly as the regular fields. Seems to work quite okay this way.
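An added example of the MY_Security approach described in the last post (it is not code from this thread or from CodeIgniter): instead of simply dropping 'style' from the evil-attribute list, it parks each style attribute under a hyphenated data- name the stock filter ignores, keeps only an allowlist of image-layout CSS declarations, runs the unchanged xss_clean(), and then restores the vetted declarations. It assumes CodeIgniter 2.0.x with the default MY_ subclass prefix, and that the core evil-attribute regex only matches a name that follows a non-letter, non-hyphen character (true of the 2.0.x regex; check it against your version).

```php
<?php
// application/core/MY_Security.php  (CodeIgniter 2.0.x, subclass_prefix 'MY_')
// Assumption: stock CI_Security::xss_clean() strips style="" but leaves a
// hyphenated data-* attribute alone, because its evil-attribute regex only
// matches an attribute name that follows a non-letter, non-hyphen character.
class MY_Security extends CI_Security {

    // Inline CSS an editor may set on an image; anything else is dropped.
    protected $allowed_css = array('width', 'height', 'float', 'margin', 'margin-left',
        'margin-right', 'margin-top', 'margin-bottom', 'text-align', 'vertical-align');

    // Full xss_clean() for a rich-text field, keeping only allowlisted inline styles.
    public function xss_clean_rich($str)
    {
        // Drop any parking attribute the client sent itself, so step 3 can only
        // restore declarations that step 1 actually vetted.
        $str = preg_replace('#\sdata-rich-style\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]*)#i', '', $str);

        // 1. Reduce each style="" to the allowlist and park it under a name the
        //    core filter does not treat as evil.
        $str = preg_replace_callback('#\sstyle\s*=\s*("|\')(.*?)\1#i',
            array($this, '_park_style'), $str);

        // 2. Stock filter, unchanged: event handlers, javascript: URLs, never-allowed strings.
        $str = $this->xss_clean($str);

        // 3. Restore the vetted declarations as a real style attribute.
        return preg_replace('#\sdata-rich-style="([^"]*)"#i', ' style="$1"', $str);
    }

    // Keep "prop: value" pairs whose property is allowlisted and whose value is a
    // plain keyword or measurement; no quotes, parentheses or backslashes survive.
    public function _park_style($m)
    {
        $kept = array();
        foreach (explode(';', $m[2]) as $decl) {
            if (strpos($decl, ':') === FALSE) continue;
            list($prop, $val) = array_map('trim', explode(':', $decl, 2));
            $prop = strtolower($prop);
            if (in_array($prop, $this->allowed_css) && preg_match('/^[a-z0-9.%\- ]+$/i', $val)) {
                $kept[] = $prop.': '.$val;
            }
        }
        return $kept ? ' data-rich-style="'.implode('; ', $kept).'"' : '';
    }
}
// Controller usage (assumed): $this->security->xss_clean_rich($this->input->post('body', FALSE));
```

With this, `<img src="a.jpg" style="float: left; width: 120px">` keeps both declarations, while a style value containing anything outside the plain keyword/measurement character set is dropped rather than passed through.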