As we all know $this->input->post('$myvariable',TRUE) is XSS filtered. But is there any way i can prevent HTML Injection in the same.I read few articles but none of them give clear idea from where to start.Any Help ?
$this->input->post('variable',TRUE);
When you add TRUE it will filter all your Injections (SQL, XSS).
As well as load this $config['global_xss_filtering'] = TRUE; in application/config
Info : The Input class has the ability to filter input automatically to prevent cross-site scripting attacks.
And you can use
html_escape()
Info : This function provides short cut for htmlspecialchars() function. It accepts string and array. To prevent Cross Site Scripting (XSS), it is very useful.
and this
remove_invisible_characters()
Info : This function prevents inserting null characters between ascii characters, like Java\0script.
Related
CodeIgniter provides a couple of convenient APIs for XSS filtering.
'global_xss_filtering' in config.php.
'xss_clean' rule for individual fields, when using the form validation library.
If you use this feature, does it avoid the need to escape fields when outputting them?
There are some situations where xss_clean will not protect you. Issue 470 includes this example:
public function index()
{
$name = $this->security->xss_clean('hover me" onmouseover=alert("XSS2") "');
echo '</div>Name:<input value="'.$name.'">';
echo '</body></html>';
}
The response from developers was that this is by design, and to suggest that $name should have been escaped using form_prep().
If you use set_value('field-name', 'default') in order to preserve user input when a form fails validation), that will ... attempt to call form_prep() for you. The caveat is that if you don't have the form validation library loaded, it won't escape the 'default' parameter. (Issue 1781, fixed in 3.0-dev).
If you are running the current 3.0-dev, then form_prep() is more specific about which characters it escapes. It should avoid XSS either way; it just has unexpected results in some situations. E.g. if you try to enter a literal "&" in 3.0-dev, and then the form fails validation, the field value will change to & without warning. This change was an attempt to work around problems with double-escaping (issue 1953).
I have a simple web application in which I make a call to a java servlet using ajax from a jsp page (via post). In the servlet I take data from the database and formulate a JSON and retreive in the jsp page . I then use eval function to parse the json and display the data in the division using the innerHTML property . Somehow, this approach seems to be vulnerable to xss attacks . Can someone provide some pointers on how XSS attck can be prevented in this use case?
This sounds like DOM Based XSS. There are a few ways of preventing DOM Based XSS. Either you have to html encode the data on the server or the client. HTML encoding data in the database should always be avoided because it changes the value of the data and will affect how the data is sorted, ect. XSS is an output problem so it should be solved by the code that is building the HTML, which in your case is JavaScript.
Newer browsers support JSON.parse().For older browsers use json2.js.
You should also properly encode the JSON so values cannot break out of quotes etc. Find a decent json encoder and use that on the server side.
I am currently using the CodeIgniter framework, and looking to strengthen the XSS protection by using HTMLPurifier (http://htmlpurifier.org/).
Is my understanding correct that you want to 'clean' data on post, so that its purified before its inserted into the Database? Or do I run it before displaying in the view?
If so, do I want to run HTMLPurifier on every single post that takes place? Since the app contains a lot of forms, I'd hate to have to selectively choose what gets cleaned and what doesnt - assuming that I can intercept all posts, is this the way to go? Of course, I validate some fields anyway (like email addresses, numeric numbers, etc)
Use $this->input->post() to get $_POST data. Codeigniter filters it automatically if global xss filter is set to true.
See the docs: http://codeigniter.com/user_guide/libraries/input.html
Edit: to clarify
Yes you should filter before inserting into the DB and yes you should filter all user input.
A quick google search, http://www.google.com/search?q=codeigniter+htmlpurifier, led to this page: http://codeigniter.com/wiki/htmlpurifier which is a helper for htmlpurifier. Regarding catching all $_POST data: you have to do something with the data, right? In your models, when you're doing that something, just make purify() part of that process:
$postdata = purify($_POST);
Why does CodeIgniter's XSS filter only react through regular expressions on specific things instead of sanitizing all input in the first place regardless if the content is tainted or not? Also, why is this done during input and not on output (like it's supposed to be?)
Why does CodeIgniter's XSS filter only react through regular expressions on specific things instead of sanitizing all input in the first place regardless if the content is tainted or not?
This doesn't make much sense. How are we to tell whether or not something is "tainted" without checking it first?
By the definition of CI's xss_clean(), we don't always want to sanitize input. As you mentioned, it's the output that matters - and that's where we need to be mindful of XSS atacks. If we always "sanitize" input with CI's xss_clean(), then how would I, for one example, be able to post javascript or PHP code examples on my blog, or let users do it in the comments? It would end up getting [removed].
Also, why is this done during input and not on output (like it's supposed to be?)
You do have the option to enable the global xss filter in your CI config, which will run xss_clean() on $_POST, $_GET, and $_COOKIE data automatically before you can get your hands on it. This is the lowest level possible to protect you from yourself, bu the option is always available to instead clean the data explicitly. For example:
// With the Input class on $_POST data
$this->input->post('username', TRUE); // Second parameter runs xss_clean
// Using the Security class on any data
$this->security->xss_clean($username);
// Using the Form Validation class to automatically clean the input
$this->form_validation->set_rules('username', '', 'xss_clean');
Since you could still simply use $_POST['username'] instead, by enabling the global filter it will already be xss_cleaned for you. This is the lazy way to do it, and unfortunately once those globals are cleaned, there's no way to undo it.
If you are already aware of when and where XSS attacks can happen - you have the function easily available to use if you wish. Keep in mind that this does not magically make all data "safe", it merely prevents some of the more malicious code injection. Something more harmless like </div> will get past this filter. You should always be sanitizing input explicitly in an appropriate way for the context in which it is used.
since i'm using something like http://mywebsite.web/{nickname}/dostuff i was wondering if there's a standard validation for the "nickname" string so that it won't contain reserved characters and stuff like that
I haven't come across any such functionality in Restlet, but what you could do is to get the value of {nickname} in your resource that is handling that URL, and validate it with a regular expression.