How to remove xss_clean in CI3 - codeigniter

I am new to CI and had just updated an old app developed by 3rd party developer and as I try to create any new record I get the following error:
Unable to access an error message corresponding to your field name `Field Name` .(xss_clean)
I have read many questions and answers on how to make it work, however, I have also read that this is a bad practice and would therefore like to get rid of xss_clean completely, but I just cannot seem to find straightforward information for how to do it.
Any help or guidance is much appreciated.

xss_clean is no longer part of form validation. The alternative is not to use it, as xss_clean is doing sanitization and not validation.
xss_clean is part of security helper. If you need to do it, after validation you do a:
$this->load->helper('security');
$value = $this->input->post('formvalue', TRUE);
// ...where TRUE enables the xss filtering
... i think...
Also, you can enable global xss filtering in the config.php file:
$config['global_xss_filtering'] = TRUE;
Or if you want to remove then you have to find all xss_clean used in validation and remove.

xss_clean is used mainly with CI's form validation library. As stated in the comments, the best way to get rid of this error (if you don't need the features of xss_clean) would be to remove all instances of xss_clean from your validation rules.
Example of where you could find xss_clean in your app:
$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');
codeigniter form validation documentation

Related

Codeigniter cannot validate the variable

valueWhen I want to validate posted value in Codeigniter, I do it in the following way:
$this->form_validation->set_rules('name', 'Name','required|xss_clean|strip_tags|trim|max_length[50]|alpha');
But I cannot understand how can I do the same validation for $name variable if it is grabbed from url like this:
$name = end($this->uri->segment_array());
I tried to do this and then validate in the same way
$this->form_validation->set_value('name', $name);
but validation did not pass. Could you please help me.
Technically we refer to this particular validation library as Form Validation which works on form data.
There are other methods such as using route files (which is a perfect tool in CI) that you can take advantage of for URL checking.
Beside any already-developed tools (like uri-validator), you can write your own validating functions.

Difference of xss clean and global xss filtering

I am a beginner codeigniter developer and need your help.
I have a form that the is submitted to a function in the controller and I want to apply the form_validation library rules on the post data received from the form.
All I need to know is this:
Does $config['global_xss_filtering'] switch in input class do the same job as xss_clean rule in form_validation class?
Yes it's same. If you have enabled $config['global_xss_filtering'] through the config file you don't have to call xss_clean in form validation,
but if you have switched off $config['global_xss_filtering'], you have to call xss_clean in form validation and also you have to add additional parameter (TRUE or FALSE) in input->post function as well in order to do xss filtering. see below.
$name = trim($this->input->post('name',TRUE));
This will be helpful if you are using WYSIWYG editor in your application, then you have to switch off $config['global_xss_filtering'] and you have to pass additional parameter in input->post function like above, TRUE - for enable filtering and FALSE for disabling (Wherever you use WYSIWYG editor).

Action you have requested is not allowed error

I made a module named Gallery which works fine on my localhost with version 2.0.3, but when using version 2.1.0 on a remote site I can not submit a form and I get the error:
The action you have requested is not allowed.
Why is this?
I agree with #Jhourlad Estrella on fixing the problems instead of disabling a security feature, however I feel that the real problem is with the hidden input field that holds the token.
Instead of using plain HTML to create a form element use the the form_open() and form_close() helper functions. The reason why is because when you use the helper function it automatically inserts the csrf token as a hidden field in the form.
You could do this manually as well by adding the token as a hidden input field in the form
<input type="hidden" name="csrf_hash_name" value="your-hash-value-here">
Doing it this way will allow you to stay protected from CSRF attacks and fix the problem you are having.
Hope this helps someone else out there as this was driving me nuts the first time figuring this out.
It is a Codeigniter error related to the CSRF protection. You can cancel it in cms/config/config.php
On matters of programming, you don't go around problems, you fix it. What I mean to say is, this feature won't be here if it is unusable: 'coz it is and it works for me. You just have a problem on the implementation.
My answer: Remove all dashes, periods and any other non-alphanumeric characters from the values of following entries on application/config/config.php as seen below:
$config['sess_cookie_name'] = 'mycookiename'; //instead of "my_cookie_name"
$config['csrf_token_name'] = 'mycsrftoken'; //instead of "my.csrf.token"
$config['csrf_cookie_name'] = 'mycsrfcookie'; //instead of "my/csrf/cookie"
BTW, dashes sometimes work but I suggest using single words whenever possible when naming config values. Not unless you have the time and skills to study Codeigniter's core files related to what ever you are working on just to make sure it's safe to do so.
Anyways, I hope this help somebody out there even though my answer is more than a year late.
I have a form that was built outside of CI (in Joomla), but that I wanted to process with CI. My fix was to selectively disable csrf for specific referrers. I added this to config, directly after the default config options for csrf:
/* Set csrf off for specific referrers */
$csrf_off = array(
"http://yourdomain.com/your-form-url",
"http://yourdomain.com/some-other-url"
);
if (isset($_SERVER["HTTP_REFERER"])) {
if (in_array($_SERVER["HTTP_REFERER"],$csrf_off)) {
$config['csrf_protection'] = false;
}
}
This disables csrf protection for specific URLs in the $csrf_off array, but leaves it intact for all other requests.
I have found using the form helper functions
Example
<?php echo form_open('controller/function');?>
<?php echo form_input('username', 'Username');?>
<?php echo form_close();?>
Using the helper functions like above should stop the CSRF error message showing.
If I don't use echo form_input() if I place just normal input will trigger the CSRF error when reload.
<?php echo form_open('controller/function');?>
<input type="text" name="username" />
<?php echo form_close();?>
So I recommend using all form helper functions now.
It is an old question but this same problem did cost me so much time that I wanted to share what the problem was in my case. It may help someone.
I am using Codeigniter 3.0.6 and CommunityAuth 3 together with it and I was getting this error after a login.
It was confusing since the problem would sometimes happen and would not other times.
My 'base_url' in CI's config.php was set to something like 'www.mysite.com'
When you browse the site with 'mysite.com' (notice 'www' is not in the address) and you do a form submission that uses CI's 'base_url' setting, like CommunityAuth's login does, then CSRF check fails and you get 'The action you have requested is not allowed.' error.
This error is thrown by the function csrf_show_error() in system/core/Security.php when the CSRF token in $_COOKIE doesn't match your $_POST['csrf_token_name'].
Inside config.php, I had to ensure that $config['cookie_domain'] matched $config['base_url'], without the protocol (i.e. http(s)://).
Otherwise, the cookie wasn't being passed which meant the match couldn't be made.
Use the codeigniter form opener like this:
<php echo form_open(url,method,attributes);?>
see codeigniter form documentation for more.
This is probably a rare case, but I didn't see my issue since my server has many different domain names that are very similar. The problem was that I was landing on a domain that was completely wrong, but since "The action you have requested is not allowed." error takes precedence over " 404 Not Found Error" I couldn't see it. My problem was that I didn't change my base_url to the correct domain. So if none of the above solutions work for you, you might check your settings for $config['base_url'] in application/config.
For me the problem was that I was loading the view in the index, than I changed as follow and it worked:
public function index()
{
// Load Login Page
redirect('login/login_page','refresh');
}
public function login_page()
{
$data['title'] = 'Login Page';
$this->load->view('templates/header', $data);
$this->load->view('users/login_view', $data);
$this->load->view('templates/footer');
}
Im Using Codeigniter 3 same problem with
The action you have requested is not allowed.
Based on Isaac Pak's point, i changed my base_url to what i usally typed at the address bar. like this...
instead of putting
http://www.domain.org
i write it this way..
http://domain.org
since my base_url() is just..
$config['base_url'] = 'http://domain.org/';
the fix works for my site...

How do you validate an archetype field that is not required, but if you give it, you should validate?

Products.validation has some validators (like regex) that I would like to use in some non required fields.
So, the use case is: The validation is required, but only if the field is not empty.
How do you do it? I know I can create a custom validator, check the REQUEST and do all the magic, but this seens wrong to me: I should avoid creating custom code since I should just register the RegexValidators from Products.validation and use it. I tried to understand V_SUFFICIENT and register a regex validator using it, but isn't applicable to my situation.
I couldn't find anything on the internet, on mailing lists, on nabble, etc. So, how do you validate your fields that aren't required, but if the user provides something, you then need to validate?
I need this in a Plone 3.3.5 instance.
You can use required = False and your desired validators:
http://plone.org/documentation/manual/developer-manual/archetypes/fields/fields-reference#common-field-attributes

xss protection and html purifier

I am currently using the CodeIgniter framework, and looking to strengthen the XSS protection by using HTMLPurifier (http://htmlpurifier.org/).
Is my understanding correct that you want to 'clean' data on post, so that its purified before its inserted into the Database? Or do I run it before displaying in the view?
If so, do I want to run HTMLPurifier on every single post that takes place? Since the app contains a lot of forms, I'd hate to have to selectively choose what gets cleaned and what doesnt - assuming that I can intercept all posts, is this the way to go? Of course, I validate some fields anyway (like email addresses, numeric numbers, etc)
Use $this->input->post() to get $_POST data. Codeigniter filters it automatically if global xss filter is set to true.
See the docs: http://codeigniter.com/user_guide/libraries/input.html
Edit: to clarify
Yes you should filter before inserting into the DB and yes you should filter all user input.
A quick google search, http://www.google.com/search?q=codeigniter+htmlpurifier, led to this page: http://codeigniter.com/wiki/htmlpurifier which is a helper for htmlpurifier. Regarding catching all $_POST data: you have to do something with the data, right? In your models, when you're doing that something, just make purify() part of that process:
$postdata = purify($_POST);

Resources