CodeIgniter 2.0.2: Cross-Site Scripting (XSS) Fixes And Recommendations

Note: This article was originally published at Planet PHP on 10 May 2011.


As many of my readers know, I have a keen dislike for regular expression based html sanitisation. Regular expressions simply do not understand html's nested nature or the numerous html/CSS standards it must abide by. The result is that far too many developers try to program this understanding (and, unfortunately, their lack of comprehensive understanding) into home-grown sanitisers using as little code and as few tests as possible. It's a horrendous and reprehensible practice that has created a large field of so-called sanitisers and XSS cleaners which are riddled with obvious vulnerabilities despite all their sincere and utterly false claims to the contrary. The perception of safety they create is almost always a fantasy. As I've said before, this serves only one purpose - to lend support to claims that PHP is insecure. And why disagree, given PHP's prominence on the internet and this continuing refusal by developers to just do the right thing and use a secure solution that really does work?

Since I've completed my research into a broad set of these, I'll close, for now, with a final example chosen for its widespread usage, its confusing documentation and the lack, to date, of any clear disclosure of its security vulnerabilities.

On April 7, EllisLab released CodeIgniter 2.0.2 as a security maintenance release prompted by a report I sent to EllisLab shortly before St. Paddy's Day (around mid-March). That report indicated the expected response and my own disclosure policy. This blog post is being published in accordance with those. The disclosure to date of the vulnerabilities afflicting previous CodeIgniter versions is mentioned only in the CodeIgniter 2.0.2 news release (from April 7) as follows:

An update to both CodeIgniter Reactor and CodeIgniter Core (v 2.0.1) was released today. This is a security maintenance release and is a recommended update for all sites. The security fix patches a small vulnerability in the cross site scripting filter.

EllisLab's news release for CodeIgniter 2.0.2 makes mention of "a small vulnerability". This small vulnerability is mentioned nowhere else (not even in the actual changelog for 2.0.2). In reality, I reported seven distinct vulnerabilities across two classes. These vulnerabilities might allow an attacker to inject arbitrary html, CSS or Javascript, i.e. Cross-Site Scripting (XSS), into an application's output. It would be nice if, in the future, EllisLab aimed for more accuracy in their news releases and disclosed both the number and the nature of the security vulnerabilities fixed in their release changelogs.

Users of CodeIgniter 2.0.x and 1.7.x are strongly urged to upgrade to CodeIgniter 2.0.2 (or later) as soon as possible to avail of these critical security fixes.

In addition, users are urged to follow some basic steps when writing or updating CodeIgniter applications:

  1. Escape ALL data being injected into views using PHP's htmlspecialchars() function, remembering to pass the character encoding being used as the third parameter. A helper function may be useful to keep the typing to a minimum.
  2. Use HTMLPurifier when you need to sanitise html data or user input such as html comments, html emails, or RSS/Atom content (basically any html you do not explicitly generate yourself!).
  3. Ensure that all html pages are served with a valid Content-Type HTTP header and/or a meta tag equivalent which also declares the charset for that page. Note that html5 offers a separate charset element for this purpose. This helps prevent character encoding based XSS attacks by informing the browser of the correct character en
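The three recommendations above, pulled together into one view, as an added example (this is not code from the original article, nor CodeIgniter's or HTMLPurifier's own code). It assumes PHP 5.3 or later, that HTMLPurifier is installed and reachable through its HTMLPurifier.auto.php autoloader at the placeholder path shown, and that the helper names e(), purify_html() and the APP_CHARSET constant are our own choices; the sample display name and comment are constructed inputs.

```php
<?php
// Added example: escape plain data with htmlspecialchars() and an explicit
// charset, purify data that must remain html, and declare the charset in
// both the Content-Type header and a meta tag.
// Assumptions: PHP 5.3+, HTMLPurifier available at the placeholder path
// below; e(), purify_html() and APP_CHARSET are names chosen for this example.

define('APP_CHARSET', 'UTF-8');

/**
 * Recommendation 1: escape a value for an html body or attribute context.
 * ENT_QUOTES escapes both " and ' so the output is safe inside either
 * attribute quoting style; passing the charset explicitly means PHP never
 * falls back to a default that differs from the encoding the page declares.
 */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, APP_CHARSET);
}

/**
 * Recommendation 2: reduce untrusted html (comments, html email, feed content)
 * to HTMLPurifier's whitelist of elements and attributes. Event handler
 * attributes such as onmouseover and onerror are not on that whitelist.
 */
function purify_html($dirtyHtml)
{
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; // placeholder path
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', APP_CHARSET); // keep the purifier's view of the encoding in sync
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($dirtyHtml);
}

// Constructed sample inputs standing in for a user-supplied display name
// (plain data, must be escaped) and a user-supplied comment (html, must be purified).
$displayName = '<script>alert(1)</script> O\'Brien';
$comment     = '<p onmouseover="alert(2)">Nice <b>post</b></p><img src="x" onerror="alert(3)">';

// Recommendation 3: declare the charset in the HTTP header before any output...
header('Content-Type: text/html; charset=' . APP_CHARSET);
?>
<!DOCTYPE html>
<html>
<head>
  <!-- ...and repeat it in the document, so the browser has no reason to guess. -->
  <meta http-equiv="Content-Type" content="text/html; charset=<?php echo e(APP_CHARSET); ?>">
  <title>Profile of <?php echo e($displayName); ?></title>
</head>
<body>
  <!-- Plain data: the <script> tag is rendered as inert text, the apostrophe as &#039;. -->
  <p>Welcome, <?php echo e($displayName); ?></p>

  <!-- Attribute context: e() covers the title attribute; the query parameter
       is URL-encoded, which leaves only characters that are also html-safe. -->
  <a href="/profile?name=<?php echo urlencode($displayName); ?>"
     title="<?php echo e($displayName); ?>">profile</a>

  <!-- Data that must stay html is purified rather than escaped: the paragraph
       and bold tags survive, the event handler attributes do not. -->
  <div class="comment"><?php echo purify_html($comment); ?></div>
</body>
</html>
```

The distinction the example enforces is the one the list draws: e() is the default for everything that reaches a view, and purify_html() is reserved for the few places where the application genuinely has to render html it did not generate itself. Escaping a value that should have been purified only produces ugly output; purifying a value that should have been escaped, or doing neither, is where the XSS lives.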

Truncated by Planet PHP, read more at the original (another 1044 bytes)