I know this question has been asked over and over again, but I still haven't found the perfect answer for my liking, so here it goes again...
I've been reading lots and lots polarizing comments about CI's xss_filter. Basically majority says that it's bad. Can someone elaborate how it's bad, or at least give 1 most probable scenario where it can be exploited? I've looked at the security class in CI 2.1 and I think it's pretty good as it doesn't allow malicious strings like document.cookie, document.write, etc.
If the site has basically non-html presentation, is it safe to use global xss_filter (or if it's REALLY affecting performance that much, use it on per form post basis) before inserting to database ? I've been reading about pros and cons about whether to escape on input/output with majority says that we should escape on output only. But then again, why allow strings like <a href="javascript:stealCookie()">Click Me</a> to be saved in the database at all?
The one thing I don't like is javascript: and such will be converted to [removed]. Can I extend the CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed].
The best reasonable wrongdoing example of this I've read is if a user has password of javascript:123 it will be cleaned into [removed]123 which means string like this document.write123 will also pass as the user's password. Then again, what is the odds of that to happen and even if it happens, I can't think of any real harm that can do to the site.
Thanks
Basically XSS is an OUTPUT problem - but Codeigniter deals with it as an INPUT problem.
Can someone elaborate how it's bad...
The problem is xss_clean alters your INPUT - meaning in some scenarios (like the password issue you have described) the input is not what is expected.
...or at least give 1 most probable scenario where it can be exploited?
It only looks for certain key words, such as "javascript". There are other script actions which xss_clean does not detect, plus it wont protect you against any "new" attacks.
The one thing I don't like is javascript: and such will be converted to [removed]. Can I extend the CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed]
You could do this - but your just putting a bandaid on a poor solution.
I've been reading about pros and cons about whether to escape on input/output with majority says that we should escape on output only.
This is the correct answer - escape ALL your output, and you have true XSS protection, without altering the input.
OWASP explains more on XSS here
See a good Codeigniter forum thread on XSS
Personally my approach to XSS protection in Codeigniter is I do not do ANY XSS cleaning on the inputs. I run a hook on the _output - which cleans all my “view_data” (which is the variable I use to send data to the views).
I can toggle if I dont want the XSS Clean to run by inserting a “$view_data[‘clean_output’] = false” in my controller, which the hook checks:
if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))
{
// Apply to all in the list
$this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data);
}
This gives me automatic and full XSS protection on my whole site -with just a couple of lines of code and no performance hit.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 狗以群分 的文章《Codeigniter xss_clean dilemma》','https://www.manongdao.com/article-353625.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}