Hello All,

There is a site which was written in CI version 1.7.2.

The task is to prevent injection attacks and cross site scripting.

I pretty much read all kinds of information related to it. I tried

-htmlentities
-mysql_real_escape_string
-CI xss_clean
-pregmatch, escape, htmlspecialchars
-CI escape
-strip_tags
-magic_quotes

In the search box, if I type an alert code or writeResponse, it displays all sorts of results from the site and DB.(some don’t work in Chrome but the alerts and everything else works in Firefox and IE)

Please suggest what would be the best way to deal with this.

Thank You

All database access using $this->db is already protected against SQL injections. Scan the code for handwritten queries using $this->db->query(), those will need attention. Ideally, convert them to active record/query builder queries, to benefit from the built-in protection.

As for input, there are two approaches: filter on input or encode on output. CI advocates the first through xss_clean(), I prefer the last, by encoding all data that goes to a view, I don’t like the idea of (automaticly) maiming input which you might need later. Encoding data before sending it to the view also means you don’t have to worry about how variables are handled in your views.

No matter which approach you take, it should be combined with form validation, which should already capture most of the nastyness. So form validation needs to be checked for every form.

If the forms are using form_open() from the form helper, you can enable CSRF protection in the application config file. So do that, and check all views. If they have a hardcoded form tag, change it to use form_open().

Also check if the security key is defined in the config (wasn’t required in 1.7.2), make sure sessions (if used) use the database, and the session cookie is encrypted.

After I incorporate the above -

Will it stop the browser from executing Javascript(Let’s say I input a onmouseover alert string into the search, which unfortunately works in Firefox )?

That input shouldn’t pass correct validation rules on that form field (unless you want to be able to search for javascript code). And if it did, it would be displayed as plain text after submitting the form if you encode all data you send to the view.

So, yes.

Would I use the output class to encode?

The easiest thing you should use would be something like

HTMLEntities

in any view like

but watch out for the encoding (second parameter in htmlentities).

More advanced but also more complex to configure is

HTMLPurifier

which is basically being use the same as htmlentities except that it will be processed differently.

That’s the whole point. I did use these and since these are encode on output - They work fine but for something like -

public void WriteOutput(Response respObj) {  respObj.Write(Request.Form[“someField”]); }

OR

“onmouseover= alert(‘hello’);”

The browser still executes it

So, think that CI form validation would be the best option, maybe?

At what point do you have these items? On a submitted form I guess? Or in your URI?

Basically, since you’re re-displaying form data on a result page you would have to clean it before displaying - no matter where you display it, in the search box or inside a html-paragraph

I tried to enter both examples in a form of one of my apps, and nothing happens.

Both will only be executed if the browser can recognize it as javascript. If it’s in the html stream, or used as a value of an input, nothing will happen. So I wonder what funny things the view is doing.

For encoding I use

The ENT_QUOTES will stop your last example from working in an input tag.

Issue resolved - Using Form Validation