GLOBAL XSS FILTERING on 2.0.2 and CKEDITOR
Posted: 30 July 2011 07:09 AM [ # 16 ]
Summer Student
Total Posts:  3
Joined  06-12-2010

In Security.php, “style” is considered an evil attribute (line 581). So, if you want to turn the global XSS filter on and use a WYSIWYG editor, you know what to do.

I mean, inherit and customize.
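One way to do that "inherit and customize" step, as an added example rather than code from this thread or from CodeIgniter itself: an application/core/MY_Security.php that overrides _remove_evil_attributes() so a style attribute survives only when its whole value matches a hypothetical alignment whitelist; everything else is still handed to the parent and stripped as before. It assumes CodeIgniter 2.0.x (protected CI_Security::_remove_evil_attributes($str, $is_image) and the default 'MY_' subclass prefix) and that the editor emits quoted style attributes.

```php
<?php
// application/core/MY_Security.php  (added example; not from the thread)
// Assumes CodeIgniter 2.0.x, where CI_Security::_remove_evil_attributes($str, $is_image)
// is the protected method that strips on*, style, xmlns and formaction attributes,
// and the default $config['subclass_prefix'] of 'MY_'.
class MY_Security extends CI_Security
{
    // Hypothetical whitelist: the whole style value must be a single alignment
    // declaration. Anything else (url(), expression(), behavior:, extra
    // declarations, quotes) fails the match and is removed exactly as before.
    protected $safe_style_re = '/^\s*text-align\s*:\s*(left|center|right|justify)\s*;?\s*$/i';

    protected function _remove_evil_attributes($str, $is_image)
    {
        $kept = array();

        // Quoted style attributes only; $m[1] is the quote, $m[2] the bare value.
        preg_match_all('/\sstyle\s*=\s*(["\'])(.*?)\1/is', $str, $matches, PREG_SET_ORDER);

        foreach ($matches as $i => $m)
        {
            if ( ! preg_match($this->safe_style_re, $m[2]))
            {
                continue;   // not vetted: leave it in place for the parent to strip
            }

            // Park the vetted declaration behind a placeholder attribute whose name
            // matches none of the parent's evil patterns (on*, style, xmlns,
            // formaction), run the stock filter, then put it back. Re-quoting with
            // double quotes is safe because the whitelist admits no quote characters.
            $placeholder = ' data-ci-safecss="'.$i.'"';
            $kept[$placeholder] = ' style="'.trim($m[2]).'"';
            $str = str_replace($m[0], $placeholder, $str);
        }

        // Everything the stock filter would remove is still removed here.
        $str = parent::_remove_evil_attributes($str, $is_image);

        // Restore only the declarations that passed the whitelist.
        foreach ($kept as $placeholder => $attr)
        {
            $str = str_replace($placeholder, $attr, $str);
        }

        return $str;
    }
}
```

Deleting 'style' from the evil list outright, as later replies in this thread do, lets any CSS value through; the override above keeps that to the declarations the editor's alignment buttons actually produce, and an unquoted style attribute is never vetted, so it is removed as before.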

Posted: 10 August 2011 03:10 AM [ # 17 ]
Summer Student
Total Posts:  7
Joined  02-06-2011
hyperfire - 22 July 2011 04:14 AM

Is this really a CI 2.02 bug? Just lost a whole hour trying to figure out what’s wrong with the ckeditor alignment.
Disabling global XSS on config worked.
Is there a way to disable global for this specific field? Or any other workaround available?

Btw, Sudhakar@CI, implementing ckeditor on CI is a breeze. Have you checked the forum?
http://codeigniter.com/forums/viewthread/127374/
Or even CI wiki?

Can anyone share some thoughts on this issue? I need to save HTML on this project. Disabling styles on POST is the reason why my client’s clients are going bananas, and disabling global XSS is not an option either.

Thanks.


Just checked another post (http://codeigniter.com/forums/viewthread/191399/#903478) where bubbafoley suggested:

$config['global_xss_filtering'] = TRUE;

and then

$username = $this->input->post('username'); // filtered
$password = $this->input->post('password', FALSE); // unfiltered

But this does not work. Anyone?

Yes, that doesn’t work (I think it should work, otherwise the FALSE parameter is useless). So I simply removed ‘style’ in system/core/security/_remove_evil_attributes.

Posted: 12 August 2011 02:50 AM [ # 18 ]
Grad Student
Total Posts:  33
Joined  07-25-2011

please help me.

Posted: 12 August 2011 09:51 AM [ # 19 ]
Summer Student
Total Posts:  28
Joined  09-06-2008

When you set global_xss_filtering to TRUE, it filters all POST variables at the start of the application, before you even have the chance to call $this->input->post(). So passing TRUE or FALSE to this post method has no effect as long as you keep global_xss_filtering set to TRUE.

You can always check my solution:
http://codeigniter.com/forums/viewthread/186100/#919438

Posted: 13 August 2011 10:44 PM [ # 20 ]
Grad Student
Total Posts:  33
Joined  07-25-2011

I’ve got the identical problem, any fix for this?

Posted: 07 September 2011 12:59 PM [ # 21 ]
Summer Student
Total Posts:  25
Joined  01-31-2007

I ended up doing this:

* turned global xss filtering off in the config file
* added it back in on every post value in my validation functions

foreach ($_POST as $key => $value)
{
    $_POST[$key] = $this->security->xss_clean($value);
}

* for the ones that required the style tag, didn’t xss filter those post values only

Posted: 22 November 2011 02:17 PM [ # 22 ]
Summer Student
Total Posts:  10
Joined  09-22-2009

1. In such a case it’s also a bug, because it sometimes does a very ugly job, even breaking the HTML.
2. Such a new feature SHOULD be mentioned in the change log.

Posted: 08 February 2012 01:48 PM [ # 23 ]
Summer Student
Total Posts:  1
Joined  02-08-2012

Solution to this: set

$config['global_xss_filtering'] = FALSE;

and for inputs that need to be safe, do it like this:

$password = $this->input->post('password', TRUE); // filtered
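The procedure in # 21 and the per-field post($name, TRUE) in # 23 amount to the same thing: global filtering off, explicit filtering for every field except the rich-text ones. As an added example (not code from this thread or from CodeIgniter), a base-controller helper that does that in one place and records which fields were deliberately left raw. It assumes CodeIgniter 2.0.x with $config['global_xss_filtering'] = FALSE, and the names MY_Controller, clean_post(), the 'body' field and article_model are hypothetical.

```php
<?php
// application/core/MY_Controller.php  (added example; not code from the thread)
// Assumes CodeIgniter 2.0.x with $config['global_xss_filtering'] = FALSE, so
// nothing has been filtered before the controller runs.
class MY_Controller extends CI_Controller
{
    /**
     * Run xss_clean() over every POST field except the rich-text ones named
     * in $html_fields (hypothetical parameter). Returns the fields left raw so
     * the caller can see the exception instead of it being silent.
     */
    protected function clean_post(array $html_fields = array())
    {
        $left_raw = array();

        foreach ($_POST as $key => $value)
        {
            if (in_array($key, $html_fields, TRUE))
            {
                $left_raw[] = $key;   // unfiltered on purpose: treat as untrusted HTML downstream
                continue;
            }

            // xss_clean() recurses into arrays, so name[] style inputs are covered too.
            $_POST[$key] = $this->security->xss_clean($value);
        }

        if ($left_raw)
        {
            log_message('debug', 'clean_post() left unfiltered: '.implode(', ', $left_raw));
        }

        return $left_raw;
    }
}

// application/controllers/article.php  (usage; 'body' and article_model are hypothetical)
class Article extends MY_Controller
{
    public function save()
    {
        // Only 'body' keeps the editor's style attributes; every other field is filtered.
        $this->clean_post(array('body'));

        $this->load->library('form_validation');
        $this->form_validation->set_rules('title', 'Title', 'required|max_length[120]');
        $this->form_validation->set_rules('body', 'Body', 'required');

        if ($this->form_validation->run() === FALSE)
        {
            return $this->load->view('article_form');
        }

        // post('title') now returns the already-filtered value; passing TRUE here
        // would only run xss_clean() a second time.
        $this->load->model('article_model');
        $this->article_model->save($this->input->post('title'), $this->input->post('body'));
    }
}
```

Whatever is listed in $html_fields reaches the model exactly as the browser sent it, so it must be handled as untrusted HTML wherever it is stored and rendered; the log line makes that exception visible in the application log rather than buried in one controller.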