
I'm currently working on a website where users can write articles with a few formatting options (like bold, italic, lists...). I'm using a framework: CodeIgniter.

I'm a beginner, and I've heard some things about XSS. I would like to know what you think about my implementation. I read this topic: What's the best method for sanitizing user input with PHP?

1) The user writes his article and formats it with BBCode. I'm using SCEditor.

2) When saving it into the database, I'm using htmlspecialchars() to filter any suspicious HTML tag. Am I supposed to do this when I'm saving data, or when displaying data?

3) When I want to display the article on the website (to other users, for example), I convert the BBCode tags into HTML tags.

Is this the right way to do it? Am I avoiding XSS?

I am obviously open to suggestions and advice.

Thanks for your answers


3 Answers


CodeIgniter's validation has an xss property which will do all that stuff:

$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');

Check out CodeIgniter form validation:

http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html

  • I saw that, but according to this topic, it is not enough: http://stackoverflow.com/questions/5337143/codeigniter-why-use-xss-clean –  Jun 19 '13 at 10:33

I "find and replace" using PHP; I don't think it's the most efficient way of doing it, though.

<?php
    // Sample input: a script tag as a user might submit it
    $malicious = "<script>alert(1)</script>";
    // Delete every '<' and '>' (case-insensitive replace, though case is irrelevant for these characters)
    $malicious = str_ireplace("<", "", $malicious);
    $malicious = str_ireplace(">", "", $malicious);
    // Prints: scriptalert(1)/script
    echo $malicious;
?>
  • I'm aware that this question is old, but it gets quite a few views, so I thought about commenting this answer. It's actually a bad way to do that, you could for example still put XSS in an onload-attribute or something similar. – 1n9i9c7om Apr 14 '14 at 19:55
  • Alongside @1n9i9c7om, I would like to point out that with this method the user cannot insert the `<` or `>` sign, which can be quite annoying. Instead of deleting the character, you could instead replace it with the corresponding HTML entity: `&lt;` or `&gt;`. –  Dec 12 '15 at 19:47
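The following is an added example, not code from the question or from either answer above. It puts the question's three-step pipeline (BBCode in, HTML out) next to the "delete the angle brackets" idea from this answer, and shows the attribute-context problem the comments raise: an [img] or [url] tag puts user text inside an HTML attribute, where no `<` or `>` is needed to inject an event handler. The safe version keeps the raw BBCode in the database and does all escaping at display time: htmlspecialchars() first, then a whitelist of BBCode-to-HTML conversions, with a separate check for anything that becomes a URL. The function names, the regexes and the payload strings are all constructed for this illustration.

```php
<?php
// Added example: escape-then-convert BBCode rendering versus a naive
// "strip < and >" approach. Not part of the original question or answers.
declare(strict_types=1);

// Naive approach (constructed to mirror the answer above): drop the angle
// brackets, then substitute BBCode with plain string replacement. The
// [img] content lands inside an attribute, so no brackets are needed to
// break out of it.
function render_naive(string $bbcode): string
{
    $text = str_ireplace(['<', '>'], '', $bbcode);
    $text = preg_replace('/\[b\](.*?)\[\/b\]/is', '<b>$1</b>', $text);
    $text = preg_replace('/\[img\](.*?)\[\/img\]/is', '<img src="$1">', $text);
    return $text;
}

// Safe approach: store raw BBCode, escape at display time, then convert
// only a known list of tags. User text can no longer open a tag or close
// an attribute because < > & " ' are already entities by the time the
// BBCode regexes run.
function render_safe(string $bbcode): string
{
    // Step 1: escape everything for the HTML body context.
    $html = htmlspecialchars($bbcode, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: attribute-free inline tags; the captured text is already escaped.
    $html = preg_replace('/\[b\](.*?)\[\/b\]/is', '<b>$1</b>', $html);
    $html = preg_replace('/\[i\](.*?)\[\/i\]/is', '<i>$1</i>', $html);

    // Step 3: tags whose content becomes a URL attribute. Only plain
    // http(s) URLs are accepted; anything else stays as escaped text.
    $html = preg_replace_callback('/\[img\](.*?)\[\/img\]/is', function (array $m): string {
        $url = safe_http_url($m[1]);
        return $url === null ? $m[1] : '<img src="' . $url . '" alt="">';
    }, $html);

    $html = preg_replace_callback('/\[url=(.*?)\](.*?)\[\/url\]/is', function (array $m): string {
        $url = safe_http_url($m[1]);
        return $url === null ? $m[2] : '<a href="' . $url . '" rel="nofollow">' . $m[2] . '</a>';
    }, $html);

    return $html;
}

// Returns the URL re-escaped for an attribute value, or null if it is not
// a plain http(s) URL. The input is already entity-encoded, so decode it,
// validate the raw value, then encode again for the attribute context.
function safe_http_url(string $escaped): ?string
{
    $raw = html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!preg_match('#^https?://#i', $raw)) {
        return null;               // rejects javascript:, data:, relative paths
    }
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed payload: contains no angle brackets at all, yet it adds an
// event-handler attribute to the <img> the naive renderer builds.
$payload = '[img]x" onerror="alert(1)[/img]';

echo "naive: ", render_naive($payload), PHP_EOL;
// naive: <img src="x" onerror="alert(1)">    <- executable

echo "safe:  ", render_safe($payload), PHP_EOL;
// safe:  x&quot; onerror=&quot;alert(1)     <- inert text

echo "safe:  ", render_safe('[b]Hello[/b] [url=https://example.com/?a=1&b=2]link[/url]'), PHP_EOL;
// safe:  <b>Hello</b> <a href="https://example.com/?a=1&amp;b=2" rel="nofollow">link</a>
```

Two points this illustrates for the question's step 2: escaping belongs at output, not at save time, because the context you are escaping for (HTML body, attribute value, URL) is only known when you render, and storing the raw BBCode lets you change the renderer later without re-processing the database. And the conversion step itself needs the whitelist plus URL validation; htmlspecialchars() alone does nothing against a [url=javascript:...] link, since that payload contains no characters it would touch.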
<?php
// Sample input: a script tag as a user might submit it
$malicious = "<script>alert(1)</script>";
// Remove HTML and PHP tags first (leaves the text between them)
$malicious = strip_tags($malicious);
// Then encode whatever is left, including both quote styles, as HTML entities
$malicious = htmlentities($malicious, ENT_QUOTES);
// Prints: alert(1)
echo $malicious;
?>