I found several posts stating that xss_clean is not sufficient for sanitizing user input. Many of them suggested using htmlpurifier in CodeIgniter.
I don't know what htmlpurifier exactly does or how it does it. How do I implement HTML Purifier?
Please guide.
xss_clean actually isn't half bad, just don't expect it to be a magic bullet in the sense of 'I use xss_clean, now my whole website is secure'.
You still have to validate input and escape output. Simply put: you have to maintain control over what people can enter in your website, and you shouldn't trust anything that is in your database, so you escape the data before you use it or show it. If you use xss_clean and form validation for sanitizing the input and you escape the output before doing anything with it or showing it, you should be just fine.
Good reads:
Codeigniter xss_clean dilemma
and
http://codeigniter.com/forums/viewthread/188698
I'm new to Laravel 7 and wondering if there's an out-of-the-box, elegant solution to sanitizing HTML form inputs? Or maybe a trusted third-party package I can download that you recommend? This is for data I will store in a database. Thanks for any help.
One recommended out-of-the-box way of sanitizing data is using the filter_var function that comes with PHP in conjunction with the different sanitize filters. By the way, this is also a cool way to validate input, take a look at the types of filters to find out more.
When working in Laravel projects, I like to use the voku/portable-ascii library, because it's already a framework dependency. It is a nice assortment of functions to clean input, remove non-printable characters, and generally transform any input into ASCII, complete with transliteration and whatnot. It's not always perfect, but usually good enough and gets the job done.
It always depends on what you want to sanitize, how, and why. In many situations you do not need to sanitize the input at all if you stick to the best practices. When working with Eloquent or the Query Builder, your data is automatically escaped, and on retrieval, when you output it e.g. via {{ $data }}, it will be properly escaped too.
There are some situations where you should be more cautious, especially if you are handling the raw user input yourself and probably passing it to the system in command line parameters, filenames or such. In those cases it is usually a good idea to be as restrictive as possible and as permissive as necessary. Sometimes a good old preg_replace('/[^0-9A-Z_-]/i', '', $subject) is just the right choice. If you want to be as permissive as possible, give the suggestions above a try.
I know that to prevent XSS, we need to be context aware.
When we do echo $userinput; we need to be aware of whether that input goes into a textbox value, a textarea value, a division HTML area and so on.
I'd like to simplify the echo business so that I can use a single function for most of my echo needs. With that in mind, I put together the following function, but I'm not sure if it's a good idea to rely on it.
Of course, I made some assumptions.
That is, I always use the built-in urlencode for URLs. And I religiously delimit attributes with either ' or ".
With this in mind, can I use the safeecho below instead of the plain echo to prevent XSS?
```php
// Encode every HTML-significant character, including both quote styles,
// treating the input as UTF-8.
function safeecho($str)
{
    return htmlentities($str, ENT_QUOTES, "UTF-8");
}
```
One thing I'm not sure about is the <Style> context. I've seen people talk about the "expressions" issue with stylesheets. I'm not sure how that is dealt with, though. But since I do not plan on outputting user input in the midst of a stylesheet or JavaScript, I am not worried about those things much! When I find that I need to output user input in the JS area or a stylesheet, I won't use this function. But I'm still interested in your comments as to how to deal with those contexts too. Again, though, I'm mostly worried about the common stuff, that is HTML and form objects.
The bottom-line question is: by forcing UTF-8 and ENT_QUOTES, am I safe?
Does htmlentities escape '? If so, it should be mostly OK. There is always the problem of javascript: URLs, which you need to handle. And also remember that HTML attributes like onclick are actually JavaScript, so your function will have no effect there. You will have to do JS escaping. See the OWASP XSS prevention cheat sheet. Regarding CSS, avoid putting user data there if you can. It requires a whitelist-based key/value validation approach.
I'm having the strangest issue with codeigniter. I have a site that has a search feature which displays the person's query in the url so that they can save the url. I make sure that the query text has gone through rawurlencode before I stick it in the url. However, Codeigniter still shoots me to an error page when there's a character in the query that isn't in my permitted_uri_characters configuration.
So even though my browser says /search-results/query/%22samplequery%22, I’m still getting the error about using non-permitted characters.
Is this a bug? I don’t have non-permitted characters in my url. I have a % sign and some numbers (which are all specifically permitted). It’s definitely the permitted_uri_characters setting that’s giving me grief. If I add a quotation mark to it, it allows the %22 query through no problem.
And to be clear, the query is coming from a form as post data, then being encoded in my controller and then redirected to a new page. There’s no way that the permitted_uri_characters is somehow being applied BEFORE it gets encoded.
This is driving me batty, as my only solution at the moment is to open up my permitted_uri_characters to everything under the sun, which isn't very secure!
Seems like you'd need to add # to the permitted_uri_chars, even if you urlencode the email before sending it to site_url(). Might urldecode it before matching up the characters ...
Percent Symbol in CodeIgniter URI
Here is a post more specific to your problem.
http://sholsinger.com/archive/2009/04/passing-email-addresses-in-urls-with-codeigniter/
I tried with the permitted_uri_chars, and finally ended up passing the email as a query string (?email=bla#bla.com), not even urlencoding it. Works great :)
Could it be URL encoding the %20 to a " before CodeIgniter verifies it? How about adding that to the permitted chars list?
I have my own solution for this. It's messy and not optimal, but it works. You can create a table where you store (search_string, url_title).
Every time you perform a search, save the string, generate a url_title() and save it to the database. This way, you can redirect your user to a safe URL without losing the initial search.
I know somebody is gonna yell at me for this solution. But if your site is small and your traffic stays low, it's a valid solution.
I am wondering if the combination of trim(), strip_tags() and addslashes() is enough to filter the values of variables from $_GET and $_POST.
That depends what kind of validation you are wanting to perform.
Here are some basic examples:
If the data is going to be used in MySQL queries make sure to use mysql_real_escape_query() on the data instead of addslashes().
If it contains file paths, be sure to remove the "../" parts and block access to sensitive filenames.
If you are going to display the data on a web page, make sure to use htmlspecialchars() on it.
But the most important validation is only accepting the values you are expecting, in other words: only allow numeric values when you are expecting numbers, etc.
Short answer: no.
Long answer: it depends.
Basically you can't say that a certain amount of filtering is or isn't sufficient without considering what you want to do with it. For example, the above will allow through "javascript:dostuff();", which might be OK, or it might not if you happen to use one of those GET or POST values in the href attribute of a link.
Likewise, you might have a rich text area where users can edit, so stripping tags out of that doesn't exactly make sense.
I guess what I'm trying to say is that there isn't a simple set of steps to sanitizing your data such that you can cross it off and say "done". You always have to consider what that data is doing.
It highly depends on where you are going to use it.
If you are going to display things as HTML, make absolutely sure you are properly specifying the encoding (e.g. UTF-8). As long as you strip all tags, you should be fine.
For use in SQL queries, addslashes is not enough! If you use the mysqli library, for example, you want to look at mysql::real_escape_string. For other DB libraries, use the designated escape function!
If you are going to use the string in JavaScript, addslashes will not be enough.
If you are paranoid about browser bugs, check out the OWASP Reform library.
If you use the data in another context than HTML, other escaping techniques apply.
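The context-aware escaping that the safeecho question and the trim/strip_tags/addslashes answers above both circle around, as an added example (this is my own code, not from any poster; function names are hypothetical, and it assumes PHP 7.3+ with PDO and the sqlite driver available):

```php
<?php
// Added example, not code from any answer above: one escaper per output
// context, using only PHP built-ins (PHP 7.3+, PDO with the sqlite driver).
// Which function to call depends on where the value lands ("context aware").

// HTML text and quoted attribute values. ENT_QUOTES escapes ' as well as ".
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// A value embedded in a <script> block: emit a JSON string literal. The HEX
// flags keep < > & ' " out of the output, so "</script>" cannot appear in it.
function e_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}
// A value used as a single query parameter or path segment of a URL.
function e_url_param(string $s): string
{
    return rawurlencode($s);
}
// A whole user-supplied link target: allow only http(s), so a "javascript:"
// URL (which trim/strip_tags/addslashes pass through) never becomes an href.
// Returns null when the link has to be dropped instead.
function safe_href(string $s): ?string
{
    $s = trim($s);
    return preg_match('#^https?://#i', $s) ? e_html($s) : null;
}

// SQL: no string escaping at all; bind the value with a prepared statement.
function find_user_ids(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample input that would break out of a quoted attribute.
$input = '" onmouseover="alert(1)" x="';
echo '<input value="' . e_html($input) . '">' . PHP_EOL;
echo '<script>var q = ' . e_js($input) . ';</script>' . PHP_EOL;
echo '<a href="/search?q=' . e_url_param($input) . '">link</a>' . PHP_EOL;
var_dump(safe_href('javascript:alert(1)'), safe_href('https://example.com/'));
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('bob'), ('x'' OR 1=1 --')");
var_dump(find_user_ids($db, "x' OR 1=1 --"));
```

The last lookup returns only the row whose name is literally that string, which is the difference between binding and escaping: the bound value is never parsed as SQL.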
I'm new to FreeMarker. I need to know about this problem to decide whether to choose it or not. I will strip XSS myself, but I don't know whether the other features of FreeMarker are safe when the site allows users to edit their templates.
Oh, goodness no! This is basically equivalent to allowing the user to evaluate arbitrary code. Removing XSS after the fact only removes one potential vulnerability. They'll still be able to do plenty of other things like manipulate POST parameters or perform page redirects.
John is right. And letting the user actually edit FreeMarker templates themselves seems odd. If you are outputting user input again (like displaying the search term on the results page), I'd suggest using the ?html string built-in; it'll save you from the most rudimentary XSS attacks (e.g. "you searched for '${term?html}'").
So as others said, it's not safe. However, if those users are employees at your company or something like that (i.e., if they are easily accountable for malevolent actions) then it's not entirely out of question. For more details see: http://freemarker.org/docs/app_faq.html#faq_template_uploading_security