problem with quotes while using input-> in codeigniter - codeigniter

I am using input->post to get data in my CodeIgniter project. I was assuming that this would automatically filter quotes and I wouldn't need to use the addslashes() / htmlspecialchars() functions.
But it doesn't check for quotes.
I also tried editing core>input.php but it didn't help. Enabling XSS in config also doesn't help.
Please suggest an easy way to filter quotes so that I don't have to edit all my pages.

The XSS cleaner lives in system/libraries/Security.php in a method called xss_clean().
I'd say your best bet is to extend this class (i.e. create an application/libraries/MY_Security.php),
then override this method with one which also removes quotes.

Related

org.thymeleaf.exceptions.TemplateProcessingException: Only variable expressions returning numbers or booleans are allowed in this context

I have been using the Thymeleaf th:onclick attribute to call a JavaScript function with parameters as below
th:onclick="|myFunction('${parameter1}')|"
But with Thymeleaf 3.1.10 this has been removed, and they are suggesting to use the th:data attribute.
I however found workarounds as below, and both of them are working perfectly.
th:attr="onclick=|myFunction('${parameter1}')|"
th:onclick="#{myFunction('${parameter1}')}">
Now I am not sure if these workarounds are the correct way to do things and, if yes, which one is the better way.
The first will work like you want -- however, you are bypassing the security restriction and now your pages are vulnerable to JavaScript injection (which is the original reason this change was made).
The second one just plain doesn't work. It doesn't expand out the variable ${parameter1}, instead just encoding it as a url like this:
onclick="myFunction?$%7Bparameter1%7D"
You really should be doing it as shown on the page.
th:data-parameter1="${parameter1}" onclick="myFunction(this.getAttribute('data-parameter1'));"

Get Thymeleaf #{} expression to append locale

My context path is / and I'm adding locales directly as part of the path: /de/index.html.
Now I'm facing the problem that th:href="#{/login.html}" will resolve to /login.html instead of /de/login.html.
I already tried making a Filter and an Interceptor like they did it here: https://stackoverflow.com/a/23847484/1163457
But it still won't append de/ after the context path.
Writing my own dialect and attribute processors would be a solution, but isn't there any better one?
Why not expose a model attribute for the locale (e.g. curLocale) and redefine all your urls like
th:href="#{/${curLocale}/login.html}"
Thymeleaf allows other expressions inside url expressions themselves.
Locale information is easily accessible either as a method parameter or by calling RequestContext.getLocale()
I found a clean and good solution myself after hours of step debugging:
https://stackoverflow.com/a/60103777/1163457

Does using CodeIgniter's XSS filtering avoid the need to escape when outputting?

CodeIgniter provides a couple of convenient APIs for XSS filtering.
'global_xss_filtering' in config.php.
'xss_clean' rule for individual fields, when using the form validation library.
If you use this feature, does it avoid the need to escape fields when outputting them?
There are some situations where xss_clean will not protect you. Issue 470 includes this example:
public function index()
{
    $name = $this->security->xss_clean('hover me" onmouseover=alert("XSS2") "');
    echo '</div>Name:<input value="'.$name.'">';
    echo '</body></html>';
}
The response from developers was that this is by design, and to suggest that $name should have been escaped using form_prep().
If you use set_value('field-name', 'default') (in order to preserve user input when a form fails validation), that will ... attempt to call form_prep() for you. The caveat is that if you don't have the form validation library loaded, it won't escape the 'default' parameter. (Issue 1781, fixed in 3.0-dev).
If you are running the current 3.0-dev, then form_prep() is more specific about which characters it escapes. It should avoid XSS either way; it just has unexpected results in some situations. E.g. if you try to enter a literal "&" in 3.0-dev, and then the form fails validation, the field value will change to & without warning. This change was an attempt to work around problems with double-escaping (issue 1953).
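The issue 470 case above, as an added example (plain PHP, not CodeIgniter's code and not from the original answer): the payload from the page is written into a value attribute once raw and once through htmlspecialchars(), and the markup is parsed with PHP's DOM extension to list the attributes an HTML parser finds on the input element. The function names are hypothetical, and the raw string stands in for a value that a filter has passed through unchanged, which is an assumption about this input.

```php
<?php
// Added example: not CodeIgniter code. Function names are hypothetical.

// Payload quoted in the answer above (issue 470).
$name = 'hover me" onmouseover=alert("XSS2") "';

/** Build the <input> the way the page's snippet does: no output escaping. */
function render_unescaped(string $value): string
{
    return '<input value="' . $value . '">';
}

/** Same markup, with the value escaped for a quoted HTML attribute. */
function render_escaped(string $value): string
{
    return '<input value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

/** Parse the markup and return the attribute names on the first <input>. */
function input_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // collect parser warnings silently
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return [];
    }
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Compare what the parser sees in each rendering.
echo 'raw:     ', implode(', ', input_attributes(render_unescaped($name))), PHP_EOL;
echo 'escaped: ', implode(', ', input_attributes(render_escaped($name))), PHP_EOL;
echo render_escaped($name), PHP_EOL;
```

A check like input_attributes() can be used in a unit test for any view helper that writes user input into an attribute: the rendered element should carry only the attributes the template author wrote.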

Codeigniter and Pagination with Query Strings

I am trying to build a Search with Pagination in Codeigniter and would love some help with it.
So far, I've realized that I can not use BOTH url segments and query strings together. Using only query strings produces very ugly URLs.
I understand that Codeigniter destroys the GET and I'm trying to put it back in. Ergo... if I place this in the constructor of the search controller, will my problems be solved?
parse_str(substr(strrchr($_SERVER['REQUEST_URI'], "?"), 1), $_GET);
As in, if it works for me, is there anything I need to be aware of security wise?
So far, I've realized that I can not use BOTH url segments and query strings together.
Sure you can. Try this in your config:
$config['uri_protocol'] = "PATH_INFO";
That should get things started. Now, since CI abandons and empties the $_GET variable, you need to repopulate it like this:
parse_str($_SERVER['QUERY_STRING'],$_GET);
Now the only real concern here is that, if you have global XSS filtering on, you should know that you just manually parsed the query string into the global $_GET variable. This means you haven't passed it through any XSS filters. In CI 1.x you can access the filter through the input library like this:
$myvar = $this->input->xss_clean($_GET['myvar']);
In CI 2.x you do it through the security library like this:
$myvar = $this->security->xss_clean($_GET['myvar']);
Of course, it goes without saying that you can extend the Controller class to have a get() method that does all this automatically such that you can do this:
$myvar = $this->get('myvar');
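An accessor in the spirit of the get() method mentioned above, as an added example that is plain PHP rather than CodeIgniter's API or the answerer's code: the query string is parsed into a local array instead of $_GET, the pagination parameter is validated as an integer, and the search term is escaped only where it is written into HTML. The function names and the q and page parameter names are assumptions.

```php
<?php
// Added example: plain PHP, not CodeIgniter's API. Names are hypothetical.

/** Parse a raw query string into a local array, leaving $_GET untouched. */
function query_params(string $queryString): array
{
    $params = [];
    parse_str($queryString, $params);
    return $params;
}

/** Page number: an integer in [1, $max]; anything else falls back to 1. */
function page_param(array $params, int $max = 10000): int
{
    $page = filter_var($params['page'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]);
    return $page === false ? 1 : $page;
}

/** Search term: must be a plain string; trimmed and length-limited. */
function search_param(array $params, int $maxLen = 100): string
{
    $q = $params['q'] ?? '';
    if (!is_string($q)) {               // q[]=x arrives as an array
        return '';
    }
    return substr(trim($q), 0, $maxLen);
}

// Constructed sample request, reusing the payload quoted elsewhere on this page.
$raw = http_build_query([
    'q'    => 'hover me" onmouseover=alert("XSS2") "',
    'page' => 'abc',
]);

$params = query_params($raw);
$page   = page_param($params);
$term   = search_param($params);

// Escape at the point of output, for the context the value is written into.
// ENT_SUBSTITUTE keeps output non-empty if substr() split a multibyte character.
printf('<input name="q" value="%s"> page %d' . PHP_EOL,
    htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), $page);
```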

Trouble with Codeigniter Routes involving a query

I'm having a little trouble with a CodeIgniter route when there is a query (stuff after the ?) in the URI. I know it is good practice to replace queries with routes in CI, but I'm importing in a premade messageboard that already does everything with queries. This is my route:
$route['messageboard/:any'] = "messageboard/index";
Any in this case refers to a script name. So if it's messageboard/admin.php, I have it load a view that loads my premade messageboard's script "admin.php". It's working just fine if I do messageboard/admin.php. It does fine if I do messageboard/admin.php?. If I put a parameter into the query, however, the route won't correctly send the user to the messageboard controller, and instead sends them to a 404. Does anyone have any ideas on how to make this work? I would be eternally grateful. Thanks!
Okay guys, I solved it. I needed to change three things. The first was mtvee's suggestion, which lets it read query strings. For the second one, you're going to want to change the $config['permitted_uri_chars'] in the config file to include an equals sign, since it starts off disabled and all query strings will be of the form ?a=34 or something like that. The third is you need to go to $config['uri_protocol'] and change it from AUTO to PATH_INFO. Once I did those, it worked.
I'm sure the syntax is:
$route['messageboard/(:any)'] = "messageboard/index"; //<-- notice brackets
and not
$route['messageboard/:any'] = "messageboard/index";
I believe CI doesn't do GET out of the box. Check out Enabling Query Strings here http://ellislab.com/codeigniter/user-guide/general/urls.html
