tf2012
asked on
CodeIgniter XSS confusion
It seems to me XSS attacks insert malicious scripts/elements/links into the server side output before it is rendered by the browser. From what I understand the user opens the page and the embedded exploit takes action within the browser.
CodeIgniter 3.1 has a security class and a method xss_clean() that can be used to scrub data, presumably output data before rendering in keeping with the definition of an xss attack.
In the config there is a deprecated setting to apply xss filtering globally. It is accompanied by a warning that it is deprecated. Ok so don't use the global xss filtering, I get it.
So does this mean that every input from ajax or forms that hits the controller via $this->post->input('my_var'); needs to be somehow sanitized? How?
I recall reading somewhere that CodeIgniter automatically 'sanitizes' post inputs when called using the input class. But I can't find any evidence of that in the documentation. https://www.codeigniter.com/user_guide/libraries/input.html
It simply says security filtering input is called automatically when a new controller is invoked but I still can't see any clear statement that some kind of filtering or sanitizing takes place on post inputs. Can someone help me better understand how this is taking place automatically.
As I'm typing this I'm thinking that I could have tested it manually to check for input sanitizing and I will, but I'm interested in some expert comments on this.
Thanks!
Strip the apostrophes
There is usually no need to do that, and it may be troublesome. For example, what if you have a client named O'Reilly? We use an escape sequence (typically a backslash) to tell the DB that we should preserve the apostrophe as part of the data, rather than use the apostrophe as if it had semantic meaning in the query string.
SQL injection
This occurs when an unauthorized source can change a SQL query string. See XKCD 327. It's only tangentially related to XSS.
Probably good that you tested this! If you turn on the XSS filter and use "view source" you should be able to see the entities in the browser output. And if that's the case, you're probably on firm ground.
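The two separate defences the answer above describes (keeping the apostrophe as data for the database, and escaping at output time for the browser) as an added example, not code from the thread or from CodeIgniter itself. It uses plain PHP with PDO on an in-memory SQLite database so it runs on its own; the e() helper is a local name chosen here, and the sample inputs are constructed.

```php
<?php
// Added example (not from the original thread): shows the two separate
// defences the answer above describes, using plain PHP + PDO on an
// in-memory SQLite database rather than CodeIgniter's own classes.

// --- 1. SQL injection: bind parameters instead of stripping apostrophes ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: a legitimate name containing an apostrophe and
// the kind of stored-XSS payload the thread's alert() test used.
$samples = [
    "O'Reilly",
    "<script>alert('xss')</script>",
];

$insert = $pdo->prepare('INSERT INTO clients (name) VALUES (:name)');
foreach ($samples as $name) {
    // The apostrophe is preserved as data; the driver, not string munging,
    // keeps it from being interpreted as part of the SQL statement.
    $insert->execute([':name' => $name]);
}

// --- 2. XSS: escape at output time, in the view ---
/**
 * Escape a string for safe insertion into HTML element content or a
 * quoted attribute. CodeIgniter 3's html_escape() helper is a thin
 * wrapper around this same htmlspecialchars() call; it is a different
 * tool from xss_clean(), which filters input rather than escaping output.
 * (Local helper name chosen for this example.)
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

foreach ($pdo->query('SELECT name FROM clients ORDER BY id') as $row) {
    // Echoing $row['name'] directly would hand the second row to the
    // browser as a live <script> element. Escaped, "view source" shows
    // &lt;script&gt;... and the page displays it as literal text.
    echo '<li>' . e($row['name']) . "</li>\n";
}
```

Run it with `php example.php` and compare what you see with and without the e() call on the echo line. Both stored rows survive the round trip unchanged, including O'Reilly's apostrophe; it is the view that decides whether the stored text is rendered as markup or as characters, which is why escaping belongs in the view rather than in the insert.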
ASKER
thanks
ASKER
Thanks, I understand you aren't talking about CodeIgniter specifically and just did some testing using your alert() example.
CodeIgniter does strip the apostrophes before inserting into the DB which I suppose is great for avoiding SQL injection. However I did find that views in my test project rendered the malformed script elements from the DB without escaping the special characters.
This tells me I can't blindly trust that it's being handled by CodeIgniter and I need to either manually escape as you suggest or invoke the XSS filter prior to output since it clearly isn't happening by default.