XSS filtering on CodeIgniter form


Solution 1

First of all, set $config['global_xss_filtering'] = FALSE; You don't need or want this on all the time. This config setting is officially deprecated. It will likely disappear in the future.

Second, if you are using version 3.0.x then remove ‘xss_clean’ from your validation rules. It is not on the officially supported list of form validation rules.

The place where you can employ XSS filtering is when using the Input Class to fetch data from POST, GET, COOKIE or SERVER. Most of the input methods have a second param that enables running the data through xss_clean(). Example: $this->input->post('some_data', TRUE); will get the value of $_POST['some_data'] and run it through xss_clean(). If the second param is FALSE (or omitted), xss_clean() will not be used.

Solution 2

I don't agree with DFriend's answer.

Per CodeIgniter documentation:

XSS escaping should be performed on output, not input!

So the solution he proposed would actually do the same as the deprecated global configuration $config['global_xss_filtering'] = TRUE;, with the difference of adding much more code and manual work to add an extra boolean parameter for each $this->input->post.

The proper way is to use the set_value on your views:

<input type="password" name="mdp" value="<?=set_value('mdp')?>" />

This function filters XSS vulnerabilities by default:

set_value($field[, $default = ''[, $html_escape = TRUE]])
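As an added example (not from the question or either answer), the question's form restructured the way Solution 2 describes, with re-population and escaping done in the views rather than in the validation rules: the form view uses set_value() and form_error() from CodeIgniter 3's form helper, and the success view (connexion_ok, the name used in the question) escapes the submitted value with html_escape(). It assumes the controller loads the form helper, keeps the rule string free of xss_clean, and passes $pseudo to the success view.

```php
<?php // application/views/form.php (added example, CodeIgniter 3.x; form helper assumed loaded) ?>
<?= form_open('connexion') ?>
  <label for="pseudo">Pseudo : </label>
  <!-- set_value() re-populates the field after a failed validation run and
       HTML-escapes the value by default ($html_escape = TRUE), so a submitted
       value such as the constructed string  a"b<c>  is rendered as
       a&quot;b&lt;c&gt; and never becomes markup. -->
  <input type="text" name="pseudo" value="<?= set_value('pseudo') ?>" />
  <?= form_error('pseudo') ?>

  <label for="mdp">Mot de passe :</label>
  <!-- Left blank on re-display here; re-populating a password field, as the
       answer above does, is a choice, and set_value() escapes it the same way. -->
  <input type="password" name="mdp" value="" />
  <?= form_error('mdp') ?>

  <input type="submit" value="Envoyer" />
</form>

<?php // application/views/connexion_ok.php: the same rule applies anywhere else
      // user input is echoed. $pseudo is the raw POST value passed in by the
      // controller ($this->input->post('pseudo') with no second parameter);
      // html_escape() escapes it at output time. ?>
<p>Bienvenue, <?= html_escape($pseudo) ?></p>
```

The controller side only needs its existing set_rules() calls with xss_clean removed from the rule string; nothing in the controller escapes anything.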

Author: Mr.Smith67

Updated on June 04, 2022

Comments

  • Mr.Smith67 (almost 2 years ago)

    I am currently learning the framework "CodeIgniter". But I have a problem with my form validation. First, let me show you my view:

    <form method="post" action="connexion">
      <label for="pseudo">Pseudo : </label>
      <input type="text" name="pseudo" value="" />
    
      <label for="mdp">Mot de passe :</label>
      <input type="password" name="mdp" value="" />
    
      <input type="submit" value="Envoyer" />
    </form>
    

    My controller:

    public function connexion()
    {
        $this->load->library('form_validation');
    
        $this->form_validation->set_rules('pseudo', '"user name"', 'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags|xss_clean');
        $this->form_validation->set_rules('mdp',    '"password"',       'trim|required|min_length[5]|max_length[52]|alpha_dash|encode_php_tags|xss_clean');
    
        if($this->form_validation->run())
        {
            $this->load->view('connexion_ok');
        }
        else
        {
            $this->load->view('form');
        }
    }
    

    When I remove the "xss_clean" filter from the set_rules() call in my controller, it works perfectly: the form is valid. If "xss_clean" is present, it doesn't work; it goes into the else. I don't use special chars in my input, only letters.

    In the settings I set this to true: $config['global_xss_filtering'] = TRUE;

    I read somewhere that the "xss_clean" filter is useless. What else can I use? Maybe helpers or something else? Thank you