global_xss_filtering problem with inline style attribute #1570

Closed
linuxjuggler opened this Issue Jul 4, 2012 · 5 comments


Hi,
I have installed 2.1.2 and it looks like having global_xss_filtering = true; (or even applying the XSS filtering to an input) will remove any inline style attribute for images, divs or anything else.
This was a problem when using an HTML editor inside my app.

And this just happened after updating to 2.1.2.

Thanks

This is because the style attribute is considered an evil one. If you have a look at the CI_Security class you will find the function _remove_evil_attributes, which takes care of removing any possibly dangerous attribute from tags. According to http://ha.ckers.org/xss.html the style attribute can be used for XSS attacks.

But this will cause many HTML editors, like CKEditor and the image plugin, to be broken, right?
So how to solve that other than just extending the security class and rewriting the function?

I think it could be possible, instead of blindly removing the style attribute, to analyze the attribute value and decide whether or not it is the case to remove it. Unfortunately I'm not a regexp ninja and I don't feel comfortable enough changing this part of the code, in particular considering the security implications.

And by the way, it just removes the style and leaves my tags like this:

<img src="someimageurl.jpg" left:10px;right:0px;" />

while it must remove the whole style attribute.
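As an added example (not code from the CodeIgniter project or from anyone in this thread), the Python below reproduces the residue shown above with a deliberately value-blind regex, then shows two attribute-aware alternatives: removing the whole style attribute so the tag stays well formed, and the value-analysis approach suggested earlier in the thread, done with an allowlist of property names and simple values so that url(), expression() and similar constructs never survive. The sample markup, the allowlist and the regexes are constructed assumptions for this illustration, not CodeIgniter's _remove_evil_attributes.

```python
import re

# Constructed sample markup (not from the project): what an HTML editor might emit.
SAMPLE_HTML = '<img src="someimageurl.jpg" style="left:10px;right:0px;" />'


def naive_strip_style(html):
    """Constructed reproduction of a value-blind removal: it deletes only the
    'style="' token, so the value and its closing quote are left behind as a
    mangled attribute. This is an assumed failure mode, not CodeIgniter's code."""
    return re.sub(r'\s*style="', ' ', html, flags=re.I)


# Matches the whole attribute: name, '=', and a double-quoted, single-quoted or bare value.
STYLE_ATTR_RE = re.compile(
    r'\sstyle\s*=\s*(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\'|(?P<bare>[^\s>]+))',
    re.I,
)


def strip_style_attributes(html):
    """Remove every style attribute completely, leaving the tag well formed."""
    return STYLE_ATTR_RE.sub('', html)


# Allowlist for the value-analysis approach (assumed set, chosen for this example).
ALLOWED_PROPS = {'width', 'height', 'left', 'right', 'float', 'text-align', 'color'}

# One declaration: an allowlisted property name and either a plain number with an
# optional unit or a single keyword. Parentheses, quotes, url() and expression()
# cannot match, so such declarations are dropped rather than passed through.
SAFE_DECL_RE = re.compile(
    r'^(?P<prop>[a-z-]+)\s*:\s*(?P<val>-?\d+(?:\.\d+)?(?:px|em|%)?|[a-z]+)$',
    re.I,
)


def sanitize_style_value(value):
    """Keep only declarations whose property is allowlisted and whose value is simple."""
    kept = []
    for decl in value.split(';'):
        decl = decl.strip()
        if not decl:
            continue
        m = SAFE_DECL_RE.match(decl)
        if m and m.group('prop').lower() in ALLOWED_PROPS:
            kept.append(f"{m.group('prop').lower()}:{m.group('val')}")
    return ';'.join(kept)


def filter_style_attributes(html):
    """Rewrite each style attribute with its sanitized value, or drop it entirely
    when nothing in the value survives the allowlist."""
    def repl(m):
        raw = m.group('dq') or m.group('sq') or m.group('bare') or ''
        cleaned = sanitize_style_value(raw)
        return f' style="{cleaned}"' if cleaned else ''
    return STYLE_ATTR_RE.sub(repl, html)


if __name__ == '__main__':
    print(naive_strip_style(SAMPLE_HTML))        # mangled tag, as reported in the issue
    print(strip_style_attributes(SAMPLE_HTML))   # whole attribute gone, tag intact
    print(filter_style_attributes(SAMPLE_HTML))  # harmless positioning kept
    print(filter_style_attributes('<div style="color:red;behavior:url(x.htc)">x</div>'))
```

The allowlist deliberately rejects anything it does not recognise, including hex colours and shorthand values; widening it is a product decision, and every addition should be checked against the same question the thread raises, namely whether the value can carry script or a URL.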

Contributor

narfbg commented Nov 17, 2012

Don't use the setting, it's not set to FALSE by default for nothing. It's just not suited for everybody.

narfbg closed this Nov 17, 2012
