
I have been working on this problem for hours. I have a form with a textarea. I use the nicEdit text editor. It replaces the textarea and shows a nice text editor, because I want my users to add some style to their content.

I use CodeIgniter (PHP), and I use the form_helper to create the form. Also I use the form_validation for ss-validation and jQuery validation for cs-validation.

When I click submit, the form submits seemingly fine. I say this because I use Fiddler (an HTTP logger) and I see my text with the right HTML tags wrapped around it by the text editor.

But when I get the $_POST data in the view, somehow some part of the tags has been removed.

How Fiddler traces the HTTP call and the submitted form data (seems correct):

Hello SO, <br><br>
<span style="font-weight: bold;">the following line should be bold</span><br><br>
<span style="font-style: italic;">the following line should be italic</span><br><br>
<span style="text-decoration: underline;">the following line should be underlined</span><br>

How my HTML looks in my view and in my print_r result from my $_POST data:

Hello SO,<br><br>
<span bold;"="">the following line should be bold</span><br><br>
<span italic;"="">the following line should be italic</span><br><br>
<span underline;"="">the following line should be underlined</span><br>

It looks like somehow, when I get my data back, it removes the style="font-weight

Does $_POST do anything with special characters?!?! Has someone experienced similar issues with this? All responses are greatly appreciated.

Dogla305
  • Do you have any validation rules (either client-side via jQuery validation, or server-side via CodeIgniter's form_validation library) that could be affecting the content? It's almost impossible to say for sure without seeing more code. – Colin Brock May 17 '12 at 21:19
  • Yeah I do, I have some validation rules... but for testing purposes I turned the rules off... and still had the same problem. I have been testing further and I have some updates. Please stand by – Dogla305 May 17 '12 at 21:20
  • Also, make sure that the Security class isn't doing anything funky with the HTML (to prevent XSS). http://codeigniter.com/user_guide/libraries/security.html – Jess May 17 '12 at 21:26
  • like @mazzzzz says.. but more specifically, are you using this in your config.: `$config['global_xss_filtering'] = TRUE;` ? ...or else (manually) this: `$this->input->post('yourInputName', TRUE)` ? If so, try one of these instead, and see what you get: in your config.: `$config['global_xss_filtering'] = FALSE;`, or, `$this->input->post('yourInputName', FALSE)` – govinda May 17 '12 at 22:01
  • I think I found the cause of the problem... in Chrome for example, it wraps the bold lines in tags... only in Firefox it wraps them in some sort of stupid and I found that Firebug adds this line to the code: _moz_dirty="" which MAY cause the problem?!?! Sorry for the long wait, my internet connection was gone for an hour. – Dogla305 May 17 '12 at 22:45
  • @govinda I set that config item to FALSE, and no luck, still rapes style attribute :( Thank you for your response, please read my previous comment about this NOT happening in Chrome... – Dogla305 May 17 '12 at 22:51
  • Seems, as per csotelo's answer, and your reply, that you're all set.. so I won't look into it further, unless you show more problem.. but just FYI, this is what was happening to me, when I *thought* I was losing style attributes because of my inline HTML WYSIWYG editor: http://stackoverflow.com/questions/10290121 and how I solved it: http://stackoverflow.com/questions/3788476/ If you let end users input styling that lands on a page live to the world, they could do bad things, like e.g. these things: http://stackoverflow.com/a/5209050/530006 (see the upper part of dleavitt's posted code.) – govinda May 17 '12 at 23:56

1 Answer

You need to extend the CI_Security class from CodeIgniter and comment/remove/modify this line:

/*
if (in_array($_SERVER['REQUEST_URI'], $allowed))
{
    $evil_attributes = array('on\w*', 'xmlns');
}
else
{
    $evil_attributes = array('on\w*', 'style', 'xmlns');
}
*/
csotelo
  • I pass style attributes through CI, no problem, and I did not extend the CI_Security class like this. – govinda May 17 '12 at 22:03
  • @csotelo your solution solved my problem. In my version of CodeIgniter, it was the function called _remove_evil_attributes(); I removed style from the array. Do I now have a security risk? Can you maybe explain why CodeIgniter would disallow a style attribute? – Dogla305 May 17 '12 at 22:54
  • I think the problem is in the configuration file: $config['global_xss_filtering'] = TRUE; There may be a security risk, so I suggested that you comment / delete / modify the extension of the library according to your needs. – csotelo May 18 '12 at 13:01
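An added example (not code from the question, the answer, or CodeIgniter itself) of the alternative the comments point toward: leave the global XSS filter on, read this one field unfiltered, and keep only the three inline declarations the editor emits instead of deleting `style` from the evil-attribute list. The function name, tag list and property list are assumptions for this demo.

```php
<?php
// Added example, not code from the question, the answer or CodeIgniter itself.
// Rather than deleting 'style' from CI_Security's evil-attribute list, read the field
// unfiltered ($this->input->post('content', FALSE)) and run it through this allowlist.
function sanitize_editor_html(string $html): string
{
    $allowedTags  = ['span', 'br', 'b', 'i', 'u', 'p'];   // assumed for this demo
    $allowedProps = [                       // only these inline declarations survive
        'font-weight'     => ['bold', 'normal'],
        'font-style'      => ['italic', 'normal'],
        'text-decoration' => ['underline', 'none'],
    ];
    $doc = new DOMDocument();
    // Wrap the fragment so leading text survives; the PI makes libxml decode UTF-8.
    $doc->loadHTML('<?xml encoding="utf-8" ?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD | LIBXML_NOERROR | LIBXML_NOWARNING);
    $root  = $doc->documentElement;
    $xpath = new DOMXPath($doc);
    foreach (iterator_to_array($xpath->query('//*')) as $el) { // snapshot: tree changes below
        if ($el->isSameNode($root)) continue;
        if (!in_array($el->tagName, $allowedTags, true)) {
            // Unknown tag (script, iframe, div, ...): keep only its text, as escaped text.
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            if ($attr->name !== 'style') {
                $el->removeAttribute($attr->name); // drops on*, xmlns, id, class, ...
                continue;
            }
            $keep = [];
            foreach (explode(';', strtolower($attr->value)) as $decl) {
                [$prop, $val] = array_pad(array_map('trim', explode(':', $decl, 2)), 2, '');
                if (isset($allowedProps[$prop]) && in_array($val, $allowedProps[$prop], true)) {
                    $keep[] = "$prop: $val;";
                }
            }
            $keep ? $el->setAttribute('style', implode(' ', $keep)) : $el->removeAttribute('style');
        }
    }
    // Serialize the wrapper's children only, so the helper <div> never reaches the page.
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($root->childNodes)));
}
// Constructed sample: the editor markup from the question plus a hostile event handler
// and a disallowed colour declaration, both of which the sanitizer must remove.
$raw = 'Hello SO, <br><br><span style="font-weight: bold;" onmouseover="nope()">bold</span>'
     . '<br><span style="color: red; font-style: italic;">italic</span>';
echo sanitize_editor_html($raw), PHP_EOL;
```

Run the result through the same allowlist again before rendering if it is ever edited outside this path; the function is idempotent, so a second pass is harmless.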