Codeigniter - Disable XSS filtering on a post basis

Question

I'm trying to set up a CMS on the back of a site but whenever post data has a <a href=... in it the post data gets scrapped.

I've got $config['global_xss_filtering'] = TRUE; in config

My question is there a way of disabling xss filtering for one item?

e.g.

$this->input->post('content', true); - turns it on, but how to turn it off?

Thanks everyone.

PVS

Answer 1

If you want to change the default behavior of the post() method, you can extend the core Input library, or if you're lazy you can just change line 278 (or so) of the Input library to read:

/**
* Fetch an item from the POST array
*
* @access   public
* @param    string
* @param    bool
* @return   string
*/
function post($index = '', $xss_clean = TRUE)
{
    return $this->_fetch_from_array($_POST, $index, $xss_clean);
}

The only difference here is that I've changed the $xss_clean variable to TRUE instead of FALSE. Now you can turn off global XSS filtering and it will automatically filter inputs unless you specify false as the second parameter in your call to the Input library's post() method. Just one method down is the get() method, and you can change that in the same way.

However, if I were you, I'd just extend the native library, because there's a good chance you'll have forgotten about this by the time you update CodeIgniter, and then you'll suddenly be wondering why you're getting XSS attacked. That would look like this:

class MY_Input extends CI_Input {

    function My_Input()
    {
        parent::CI_Input();
    }

    function post($index = '', $xss_clean = TRUE)
    {
        return parent::post($index, $xss_clean);
    }
}

You can learn more about extending libraries here:

http://codeigniter.com/user_guide/general/creating_libraries.html

Answer 2

If you want to keep global xss_clean enabled and override on only certain cases, you can extend the Input library to keep a clone of $_POST for providing raw data when asked:

<?php if (!defined('BASEPATH')) exit('No direct access allowed.');
class MY_Input extends CI_Input {

public function __construct() {
    $this->_POST_RAW = $_POST; //clone raw post data 
    parent::__construct(); 
}

public function post($index = null, $xss_clean = TRUE) { 
    if(!$xss_clean){ //if asked for raw post data -eg. post('key', false)-, return raw data. Use with caution.
        return $this->_POST_RAW[$index];
    }
    return parent::post($index, $xss_clean); 
    }
}
?>

This way you can use $this->input->post('mydata', FALSE) to retrieve un-sanitized raw post data even if xss_clean is enabled globally.

Answer 3

i defined

global $mypost;
$mypost=$_POST;

in index.php of my root cms

then anywhere i can the global variable like

global $mypost;

$var=isset($mypost["field"])? $mypost["field"]:"";

whenever i need post without filter.

worked for me hope it helps.

Answer 4

In my case, treeface's solution doesn't work, but i found another way. I made MY_Input with _sanitize_globals() and I added if construction in place where is sanitizing post data.

// Clean $_POST Data
if (is_array($_POST) AND count($_POST) > 0) {
    foreach ($_POST as $key => $val) {
        if($this->_clean_input_keys($key) != 'my_none_sanitize_field')
        $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
    }
}

Answer 5

working with CI 2.2 I think that the solution from treeface will leave input->get(), input->cookie() etc not being xss_cleaned. (we use get in oauth requests etc). The global config change stops them being escaped by the constructor and the core class still defaults xss_clean to FALSE on these methods...

I have basically implemented the same solution across more methods.

class MY_Input extends CI_Input {

    /* fixes to allow xss_clean to be disabled on a per field basis
    * [ e.g. tinymce html content with style / class / event attributes ]
    * initial ref : http://stackoverflow.com/questions/3788476/codeigniter-disable-xss-filtering-on-a-post-basis
    * this is based on CI 2.2
    * the above (stackoverflow) solution only updates the post method - which means all the rest ( get, get_post, cookie, server, request_headers, get_request_header)
    * NB : we need GET to allow oauth type activities !
    *
    *   1 - change the global config to xss_clean = false [ otherwise the constructor will 'xss_clean' everything before we have a chance to say no ! ]
    *   2 - make all of methods that take the xss_clean parameter use TRUE as default value
    *   3 - we can now pass the second parameter in as FALSE if we do not want to xss_clean
    */

    function get($index = '', $xss_clean = TRUE)
    {
        return parent::get($index, $xss_clean);
    }

    function post($index = '', $xss_clean = TRUE)
    {
        return parent::post($index, $xss_clean);
    }

    function get_post($index = '', $xss_clean = TRUE)
    {
        return parent::get($index, $xss_clean);
    }

    function cookie($index = '', $xss_clean = TRUE)
    {
        return parent::cookie($index, $xss_clean);
    }

    function server($index = '', $xss_clean = TRUE)
    {
        return parent::server($index, $xss_clean);
    }

    function request_headers($xss_clean = TRUE)
    {
        return parent::request_headers($xss_clean);
    }

    function get_request_header($index, $xss_clean = TRUE)
    {
        return parent::get_request_header($index, $xss_clean);
    }

}

hope this is of some help to someone

Answer 6

Yes, the extension to Input with the post method replacement was very useful, as was the astute reader who notice that it should be return parent::post($index, $xss_clean). I was getting errors and didn't think about that obvious error. Fixed it and I'm off and running.

We're using it to escape post data for use in sql statements. Although CI's db methods are nice, we have some large sql statements that are easier to code by hand.

Answer 7

you can temporarily turn it off

$this->config->set_item('global_xss_filtering', false);

$c = $this->input->post('content'); then turn it back on..

$this->config->set_item('global_xss_filtering', true);