tf2012

asked on

CodeIgniter XSS confusion

It seems to me XSS attacks insert malicious scripts/elements/links into the server side output before it is rendered by the browser.  From what I understand the user opens the page and the embedded exploit takes action within the browser.

CodeIgniter 3.1 has a security class and a method xss_clean() that can be used to scrub data, presumably output data before rendering, in keeping with the definition of an XSS attack.

In the config there is a deprecated setting to apply XSS filtering globally. It is accompanied by a warning that it is deprecated. Ok, so don't use the global XSS filtering, I get it.

So does this mean that every input from AJAX or forms that hits the controller via $this->post->input('my_var'); needs to be somehow sanitized? How?

I recall reading somewhere that CodeIgniter automatically 'sanitizes' post inputs when called using the input class. But I can't find any evidence of that in the documentation: https://www.codeigniter.com/user_guide/libraries/input.html

It simply says that security filtering of input is called automatically when a new controller is invoked, but I still can't see any clear statement that some kind of filtering or sanitizing takes place on post inputs. Can someone help me better understand how this is taking place automatically?

As I'm typing this I'm thinking that I could have tested it manually to check for input sanitizing and I will, but I'm interested in some expert comments on this.

Thanks!
ASKER CERTIFIED SOLUTION
Ray Paseur
This solution is only available to members.
tf2012

ASKER

@Ray
Thanks, I understand you aren't talking about CodeIgniter specifically and just did some testing using your alert() example.

CodeIgniter does strip the apostrophes before inserting into the DB, which I suppose is great for avoiding SQL injection. However, I did find that views in my test project rendered the malformed script elements from the DB without escaping the special characters.

This tells me I can't blindly trust that it's being handled by CodeIgniter, and I need to either manually escape as you suggest or invoke the XSS filter prior to output, since it clearly isn't happening by default.
SOLUTION
Julian Hansen
This solution is only available to members.
Strip the apostrophes
There is usually no need to do that, and it may be troublesome. For example, what if you have a client named O'Reilly? We use an escape sequence (typically a backslash) to tell the DB that we should preserve the apostrophe as part of the data, rather than use the apostrophe as if it had semantic meaning in the query string.
SQL injection
This occurs when an unauthorized source can change a SQL query string. See XKCD 327. It's only tangentially related to XSS.

Probably good that you tested this! If you turn on the XSS filter and use "view source", you should be able to see the entities in the browser output. And if that's the case, you're probably on firm ground.
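The two points raised in this exchange, that the asker's views echoed stored markup unescaped and that Ray's "view source" check should show entities once output is escaped, can be reproduced in a stand-alone script. The following is an added example written for this thread; it is not code from the original posts and not CodeIgniter's own source. The escape_for_html() function is a hypothetical stand-in for CodeIgniter 3's real html_escape() helper (which likewise wraps htmlspecialchars() with ENT_QUOTES), the probe string and client name are constructed sample values, and the script assumes PHP with the pdo_sqlite extension so it needs no database server.

```php
<?php
// Added example for this thread, not CodeIgniter's code: contrasts raw view output,
// escaped view output, and parameterised storage of a value containing an apostrophe.
// Run with: php escape_demo.php

// Hypothetical stand-in for CodeIgniter 3's html_escape() helper. ENT_QUOTES encodes
// both ' and " so the value is safe inside attribute values as well as element text.
// Assumption: the application charset is UTF-8.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample values: a harmless probe string of the kind used in the thread's
// alert() test, and a legitimate client name that contains an apostrophe.
$stored_values = [
    "<script>alert('probe')</script>",
    "O'Reilly",
];

// 1. Storage. Bound parameters hand the apostrophe to the driver as data, so nothing
//    needs to be stripped and the query structure cannot be altered by the value.
//    (Assumption: pdo_sqlite is available; an in-memory database keeps this self-contained.)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO clients (name) VALUES (:name)');
foreach ($stored_values as $value) {
    $insert->execute([':name' => $value]);
}

// 2. Output. Echoing $row['name'] directly reproduces the stored markup byte-for-byte,
//    which is what the asker observed in the test project; passing it through the
//    escaper turns the angle brackets and quotes into entities, which is what a
//    "view source" check should show.
foreach ($pdo->query('SELECT name FROM clients ORDER BY id') as $row) {
    echo "raw:     <td>" . $row['name'] . "</td>\n";
    echo "escaped: <td>" . escape_for_html($row['name']) . "</td>\n\n";
}
```

In the escaped lines the probe appears as text such as `&lt;script&gt;`, while the raw lines carry a live script element; O'Reilly survives both storage and escaped output with its apostrophe intact. In a real CodeIgniter 3 view the equivalent call is html_escape($row['name']), and input-side filtering is opt-in per call via $this->input->post('my_var', TRUE); neither replaces the other, since xss_clean() is a filter applied to untrusted input, whereas escaping at output is what stops a stored value from being interpreted as markup.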
tf2012

ASKER

Thanks.