Xss major vulnerabilities #331
added a commit
Oct 22, 2015
I did start a new branch to fix that issue. If you urgently need it then you can have a hot fix of just filtering all the inputs from here: cb82d94. Of course this branch is not completed yet, as it needs to have a config file and some other validation checks. I just published this change in case someone needs it urgently.
As suggested by the CodeIgniter user guide:
Sometimes we need that "special" character that is filtered by executing xss_clean on input (for example: a password field).
Because this is a CRUD library, we can't determine which input needs this, so we shouldn't do xss_clean globally.
To prevent XSS we need to do html_escape on the output fields (functions change_list, get_add_input_fields, get_edit_input_fields, get_read_input_fields). This also makes sure a ' " ' in the data doesn't break the input tag.
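The difference between the two approaches, as an added example that is not part of the thread or of grocery CRUD's code: a field value rendered straight into an input tag, next to the same value escaped on output the way CodeIgniter's html_escape does for strings (htmlspecialchars with ENT_QUOTES). The function names, the payload and the sample password are constructed for this illustration.

```php
<?php
// Added example, not grocery CRUD code. Shows why escaping on output
// fixes both the XSS and the broken-attribute problem without altering
// the stored data, whereas an input filter would have to modify it.

// Vulnerable: the stored value is concatenated into the attribute as-is.
// A double quote in the value closes the attribute early.
function render_input_unescaped(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened: escape at the point of output. ENT_QUOTES converts both
// " and ' so the value can never terminate the attribute, and < > &
// are converted so it cannot start a tag either.
function html_esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_input_escaped(string $name, string $value): string
{
    return '<input type="text" name="' . html_esc($name)
        . '" value="' . html_esc($value) . '">';
}

// Constructed sample data: a value that closes the attribute and injects
// an event handler, and a password containing characters an input filter
// might strip or rewrite.
$payload  = '" autofocus onfocus="alert(document.cookie)';
$password = 'O\'Reilly&Co<3';

// The unescaped form yields a second attribute pair and executes script
// as soon as the edit form loads; the escaped form is a single literal
// value attribute.
echo render_input_unescaped('title', $payload), PHP_EOL;
echo render_input_escaped('title', $payload), PHP_EOL;

// Output escaping is lossless: the browser decodes the entities when it
// submits the form, so the password arrives at the server unchanged.
// An input-side filter has no such round trip.
$escaped = html_esc($password);
echo $escaped, PHP_EOL;
var_dump(htmlspecialchars_decode($escaped, ENT_QUOTES) === $password);
```

Escaping belongs in the render functions named in the comment above because that is the only place that knows the value is going into an HTML attribute; the same stored string may legitimately need different treatment in a JSON response or a SQL parameter.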
@agung-wete thanks for that, and to be honest I like that this is now a thread for brainstorming :)
I actually agree with what CodeIgniter is saying about not having it globally. That's why the fix is half way through and is not completed yet.
@agung-wete first of all, although grocery CRUD depends on CodeIgniter, the library is built in such a way that one day it will NOT depend on CodeIgniter. So currently the only libraries that grocery CRUD is using from CI are:
Nothing more than that (not even the session or the layout is in use).
Second, xss_clean of CodeIgniter is really, really slow (especially for big texts). That's the main reason I don't want to use it and I am trying to find another solution.
I will update you on any changes that I make to the code. The code is not completed yet and new ideas are more than welcome :)
added a commit
Sep 28, 2016
There is not currently any documentation. It is as easy as setting grocery_crud_xss_clean to true in the config file.
More specifically the file is at: application/config/grocery_crud.php
The main reason I did that is that in case you need to skip the xss_clean validation only for 1 of your CRUDs, you can simply do this:
before calling the grocery CRUD.
Also have in mind (I am actually copying the comments from the config) that:
You can basically see the change logs (with the urls) here: http://www.grocerycrud.com/documentation/change_logs