
$this->input->post('question', TRUE)

Even if I add TRUE, it still allows people to add HTML code. Why is that?

good_evening

1 Answer


The xss_clean() function does not remove all HTML, it removes/replaces specific things that are considered dangerous, like <script> tags.

http://codeigniter.com/user_guide/libraries/security.html

The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

Someone injecting a <p> tag into your page, while maybe not desired, is not really an effective attack. You'll have to specify what you want to do with it. In many cases, you will want HTML output that has been xss_clean()ed.

It sounds like you want either htmlspecialchars() or strip_tags() (note: these are two very different things). If you want to encode the HTML, you can also use CI's html_escape():

echo html_escape($this->input->post('question'));

If you want HTML output and not entities, just use the XSS filter by itself:

echo $this->input->post('question', TRUE);
// equivalent, via the Security library documented at the link above
echo $this->security->xss_clean($user_input);
Wesley Murch
  • So, if I add html_escape, I guess I don't need to add TRUE, right? – good_evening Mar 03 '12 at 22:28
  • Heh, yes good point. I'm no expert on XSS attacks, and I can't comment on how robust CI's filter is, but I do believe that for encoding, `html_escape()` is enough on its own. `xss_clean()` would be necessary if you wanted to have actual HTML output, but filter out potentially dangerous parts. – Wesley Murch Mar 03 '12 at 22:32
  • Check this post out regarding `xss_clean()`: http://stackoverflow.com/a/5346696/398242 Remember to keep in mind that escaping/encoding output is always context dependent - there is no one tool that can handle every job to keep you safe. – Wesley Murch Mar 03 '12 at 22:38
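The answer and the comments distinguish three different operations: encoding output (html_escape() / htmlspecialchars()), removing tags (strip_tags()), and filtering dangerous constructs while keeping HTML (xss_clean()). The following is an added example, not code from the answer or from CodeIgniter. It is plain PHP so it runs without the framework; it assumes, as CodeIgniter's own html_escape() does, that encoding means htmlspecialchars() with ENT_QUOTES. The sample inputs are constructed, and has_event_handler_attribute() is a hypothetical helper written only to make the strip_tags() caveat visible.

```php
<?php
// Added example, not code from the answer or from CodeIgniter. Plain PHP so it
// runs without the framework. CodeIgniter's html_escape() wraps
// htmlspecialchars() with ENT_QUOTES, so escape_for_html() below behaves the same.

// Constructed sample inputs: a harmless <p> tag, an injected <script>, and a
// tag that carries an event-handler attribute.
$samples = [
    'paragraph' => '<p>Hello</p>',
    'script'    => '<script>alert("xss")</script>',
    'attribute' => '<p onmouseover="alert(1)">Hi</p>',
];

// Option 1: encode everything. Use when the value is displayed as text in an
// HTML body or inside a quoted attribute; the browser shows the tags literally.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Option 2: drop every tag. strip_tags() removes the tags but keeps the text
// between them, so the JavaScript source survives as inert text.
function strip_all_tags(string $value): string
{
    return strip_tags($value);
}

// Option 3: allow a few tags. strip_tags() with an allow-list keeps those tags
// together with ALL their attributes, so on its own it is not a sanitizer.
function keep_basic_tags(string $value): string
{
    return strip_tags($value, '<p><b><i>');
}

// Hypothetical helper for this example: flags any on* attribute left in the
// output, which means the "allowed tags" result still contains script.
function has_event_handler_attribute(string $html): bool
{
    return (bool) preg_match('/<[^>]*\son[a-z]+\s*=/i', $html);
}

foreach ($samples as $name => $input) {
    printf("%-10s input:    %s\n", $name, $input);
    printf("%-10s escaped:  %s\n", '', escape_for_html($input));
    printf("%-10s stripped: %s\n", '', strip_all_tags($input));
    $kept = keep_basic_tags($input);
    printf("%-10s kept:     %s%s\n\n", '', $kept,
        has_event_handler_attribute($kept) ? '   <-- event handler survived' : '');
}
```

Run it with `php example.php`. The first sample shows why the question's input was "allowed": a `<p>` tag is not something xss_clean() objects to, and only the encoding option turns it into visible text. The third sample is the caveat: strip_tags() with an allow-list leaves `onmouseover="alert(1)"` in place, so if you want to keep some HTML, run the result through a real HTML sanitizer (for example HTML Purifier) or at least through `$this->security->xss_clean()`, and remember that this example only covers the HTML-body context; a value placed inside a JavaScript block or a URL needs the encoding for that context instead.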