Codeigniter xss_clean dilemma
Posted by Henson on Stack Overflow
Published on 2012-06-07T04:35:57Z
I know this question has been asked over and over again, but I still haven't found the perfect answer for my liking, so here it goes again...
I've been reading lots and lots of polarizing comments about CI's xss_filter. Basically the majority says that it's bad. Can someone elaborate how it's bad, or at least give one most probable scenario where it can be exploited? I've looked at the security class in CI 2.1 and I think it's pretty good, as it doesn't allow malicious strings like `document.cookie`, `document.write`, etc.

If the site has basically non-HTML presentation, is it safe to use the global xss_filter (or, if it's REALLY affecting performance that much, use it on a per-form-post basis) before inserting into the database? I've been reading about the pros and cons of whether to escape on input or output, with the majority saying that we should escape on output only. But then again, why allow strings like `<a href="javascript:stealCookie()">Click Me</a>` to be saved in the database at all?

The one thing I don't like is that `javascript:` and such will be converted to `[removed]`. Can I extend CI's security core `$_never_allowed_str` arrays so that the never-allowed strings return empty rather than `[removed]`?

The best reasonable wrongdoing example of this I've read is that if a user has a password of `javascript:123`, it will be cleaned into `[removed]123`, which means a string like `document.write123` will also pass as the user's password. Then again, what are the odds of that happening, and even if it happens, I can't think of any real harm that it can do to the site.
Thanks
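The password collision described in the question, worked through as an added example (this is not code from the question, and not CodeIgniter's own code). The two lookup tables are a hand-picked subset modelled on the `$_never_allowed_str` and `$_never_allowed_regex` lists in CI 2.1's Security class, which is an assumption about that version; the real `xss_clean()` does a great deal more (entity decoding, tag and attribute filtering) than this single substitution step. `password_hash()` and `password_verify()` assume PHP 5.5 or later; `stealCookie()` is the question's own hypothetical function name.

```php
<?php
// Added illustration for the question above; not CodeIgniter code and not the
// asker's code. The two tables are a hand-picked subset modelled on the
// $_never_allowed_str / $_never_allowed_regex lists in CI 2.1's Security class
// (an assumption about that version); the real xss_clean() does far more.
$never_allowed_str = array(
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    '.parentNode'     => '[removed]',
    '.innerHTML'      => '[removed]',
    'window.location' => '[removed]',
);
$never_allowed_regex = array(
    'javascript\s*:',
    'vbscript\s*:',
    'expression\s*(\(|&\#40;)',
);

// Stand-in for the "[removed]" substitution step of xss_clean(): plain string
// replacement first, then the case-insensitive regex list.
function model_never_allowed($str, array $strs, array $regexes)
{
    $str = str_replace(array_keys($strs), array_values($strs), $str);
    foreach ($regexes as $re) {
        $str = preg_replace('/' . $re . '/i', '[removed]', $str);
    }
    return $str;
}

// The collision from the question: two different secrets, one cleaned value.
// Any filter that maps several inputs onto one marker string is lossy, so
// running it over a credential before storing it shrinks the password space.
$a = model_never_allowed('javascript:123', $never_allowed_str, $never_allowed_regex);
$b = model_never_allowed('document.write123', $never_allowed_str, $never_allowed_regex);
printf("%s | %s | same: %s\n", $a, $b, var_export($a === $b, true));

// Passwords are never rendered, so they need no XSS treatment at all: hash the
// raw string (password_hash needs PHP >= 5.5) and compare with password_verify.
// The lookalike string is now rejected and only the real password verifies.
$stored = password_hash('javascript:123', PASSWORD_DEFAULT);
printf("document.write123 accepted: %s\n",
    var_export(password_verify('document.write123', $stored), true));
printf("javascript:123 accepted:    %s\n",
    var_export(password_verify('javascript:123', $stored), true));

// Data that is displayed is stored verbatim and escaped for the HTML context
// at output time; the link from the question then renders as inert text, and
// nothing the user typed has been silently rewritten on the way in.
$comment = '<a href="javascript:stealCookie()">Click Me</a>';
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'), "\n";
```

Run with `php` from the command line. The first line prints `[removed]123` twice with `same: true`, which is the collision the question describes; the two `password_verify()` lines come out `false` and `true`, showing that simply not sanitizing the password removes the problem without touching any never-allowed list; and the last line prints the anchor with `<`, `>` and `"` turned into `&lt;`, `&gt;` and `&quot;`, which is the escape-on-output approach the question mentions. The practical split is: treat `xss_clean()` as a best-effort filter for free-text fields that will be rendered as HTML, never apply it to credentials or to data whose exact bytes matter, and rely on context-aware escaping in the view as the control you actually trust.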
© Stack Overflow or respective owner