xss_clean 删除 tinymce 的格式

Question

In Codeigniter 3.x, if I use $data = $this->security->xss_clean($data); before saving $data to database, it removes all the formatting of TINYMCE Editor and places xss=removed as below:

<span xss=removed><strong>1. Joint pain </strong></span>

As a result, I cannot see font colors, background colors, font size change in the output.

If I remove $data = $this->security->xss_clean($data); before saving $data to the database and implement only following security measures, then formatting works fine:

$data = trim($data);
//$data = $this->security->xss_clean($data);
$data = html_escape($data);
$data = strip_tags($data);

Now it stores the following in the database:

<span style="font-size: 14pt;"><strong>1. Joint pain </strong></span>

I have two questions here:

1. Is the above code sufficient to ensure that the data send to database is fully sanitized and will not allow any attacks. I am using Active Records of Codeigniter for executing SQL.

2. Should I use xss_clean while showing output on the screen like this: echo $this->security->xss_clean(htmlspecialchars_decode($data))

Please help.

Answer 1

The xss_clean function in Codeigniter has been removed in newer versions as it was not the right approach. It tried to do too much but not in a reliable way. It can be replaced with either escaping or filtering the input. This is done either with the HTML escape functions, or a library like HTMLPurifier.

HTML escaping is for when the input is plain text, and you want to insert it into an HTML document. In that case, you can escape the data when outputting it on a page. This can depend on the context of where it's inserted (see OWASP XSS Prevention Cheat Sheet ).

If your input is HTML though, as you get from some editors, then instead you want something like HTMLPurifier . This can be applied both before saving the data to the database, and when displaying the data. This filters the HTML against a whitelist of allowed elements, so some formatting can be allowed while preventing scripts.