#1  A Change of Season
    Devshed Frequenter (2500 - 2999 posts) | Join Date: Mar 2004 | Location: Next Door | Posts: 2,670 | Rep Power: 171

    An issue with $_POST


    Hi I use ckeditor to edit text. For example this.

    The problem is with the colour! When I change the colour, CKEditor successfully changes it, no problems. But when I submit the form, it shows the posted value as <span> and not <span style="color:#A52A2A">!

    What is going on?

    If you post something you will see this:
    PHP Code:
    echo $_POST['content']; 
#2  Mad Scientist
    Devshed Expert (3500 - 3999 posts) | Join Date: Oct 2007 | Location: North Yorkshire, UK | Posts: 3,661 | Rep Power: 4123
    The problem is with how you are processing it. Using Firefox's Live HTTP Headers plugin, I can see that the style is successfully applied to the span and sent in the POST request:

    Code:
    http://thetransporter.com.au/index.php/edit/do_edit
    
    POST /index.php/edit/do_edit HTTP/1.1
    Host: thetransporter.com.au
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: http://thetransporter.com.au/index.php/edit
    Cookie: ci_session=a%3A5%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2241b14da5afed69be15cec1a7a981072b%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A15%3A%22213.123.137.121%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A72%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%3B+WOW64%3B+rv%3A21.0%29+Gecko%2F20100101+Firefox%2F21.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1372681409%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3B%7D159ee74233b68dba0fd052efa6c65041
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1067
    content=%3Cp%3EHI%3B%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3EOUR+FLEET+HAS+4+SEATERS%2C+7+%3Cspan+style%3D%22color%3A%23FFD700%22%3ESEATERS%3C%2Fspan%3E%2C+9+SEATERS+AND+11+SEATER+LIMOUSINE.%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0APLEASE+RING+TO+TALK+TO+ONE+OF+OUR+FRIENDLY+OPERATOR+WITH+OBLIGATION+FREE+QUOTE+AND+WE+ARE+HERE+TO+HELP+YOU+24%2F7%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A0426294545%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3ETYPES+OF+SERVICE%3Cbr+%2F%3E%0D%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0AAIRPORT+TRANSFER%2C%3Cbr+%2F%3E%0D%0AWEDDING%2C%3Cbr+%2F%3E%0D%0AFORMALS%3Cbr+%2F%3E%0D%0APARTY%2C%3Cbr+%2F%3E%0D%0AANNIVERSERIES%3Cbr+%2F%3E%0D%0ATRANSPORT+SERVICE%2C%3Cbr+%2F%3E%0D%0APARCEL+PICK+UP+AND+DROP+OFF%3Cbr+%2F%3E%0D%0AFUN+LIMO+RIDE%2C%3Cbr+%2F%3E%0D%0ACAR+WITH+CHAUFFER+DRIVER%2C%3Cbr+%2F%3E%0D%0ACHAUFFEUR+HIRE%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%3Ca+href%3D%22http%3A%2F%2Falt.onlinelimosystem.com%2Fbookings%2Fstep1%2Fnew%22+target%3D%22_blank%22%3EPLEASE+CLICK+HERE+FOR+INSTANT+QUOTE%3C%2Fa%3E.%3C%2Fp%3E%0D%0A
    HTTP/1.1 200 OK
    Date: Mon, 01 Jul 2013 12:24:00 GMT
    Server: Apache
    X-Powered-By: PHP/5.2.17
    Content-Length: 665
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html
    I changed the colour of the word SEATERS to #FFD700, so this is the important part:

    Code:
    %3Cspan+style%3D%22color%3A%23FFD700%22%3ESEATERS%3C%2Fspan%3E
    If this is within CI, then CI might be stripping attributes as part of an anti-XSS process.

    Comments on this post:
    ManiacDan agrees: Nice detective work
#3  A Change of Season
    Devshed Frequenter (2500 - 2999 posts) | Join Date: Mar 2004 | Location: Next Door | Posts: 2,670 | Rep Power: 171
    Originally Posted by Northie
    The problem is with how you are processing it. Using Firefox's Live HTTP Headers plugin, I can see that the style is successfully applied to the span and sent in the POST request:

    [snip]
    If this is within CI, then CI might be stripping attributes as part of an anti-XSS process.
    Beauty. Thanks, Northie.
    PHP Code:
    /*
    |--------------------------------------------------------------------------
    | Global XSS Filtering
    |--------------------------------------------------------------------------
    |
    | Determines whether the XSS filter is always active when GET, POST or
    | COOKIE data is encountered
    |
    */
    $config['global_xss_filtering'] = FALSE;
#4  Mad Scientist
    Devshed Expert (3500 - 3999 posts) | Join Date: Oct 2007 | Location: North Yorkshire, UK | Posts: 3,661 | Rep Power: 4123
    This may be a moot point, but I feel that this is a design flaw of CI.

    I can see that CI is attempting to globally protect things; but this has, in this case, gone against the innocent business logic of the application.

    Is the best practice mantra not to escape data for its intended purpose?

    Thinking this through, we wouldn't want to use htmlentities() on this content as it is supposed to be HTML, so how do we protect against script injection? Regex? Strip tags? ... Finding an onclick="" may or may not be a realistic option.

    My thoughts always come back to something like Markdown, and store the semantics of what you MEAN in the database. One can safely use htmlentities() on the markdown'd content before translating it safely to HTML on its way to the browser.
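Post #4 asks how to protect content that is supposed to stay HTML without running htmlentities() over it. One answer is an allow-list: parse the submitted markup, keep only the tags and attribute values the editor legitimately produces, and drop everything else, so the colour span from the thread survives while inline handlers, scripts and javascript: links do not. The block below is an added example, not code from the thread or from CodeIgniter; the tag list, the colour-only style rule and the http(s)-only href rule are assumptions chosen for this case, and the sample input is constructed.

```php
<?php
// Added example (not from the thread or from CodeIgniter): allow-list sanitizer for CKEditor output.
const ALLOWED_TAGS = ['p', 'br', 'span', 'a', 'strong', 'em'];

// Only a single hex colour survives in style; only absolute http(s) links survive in href.
function cleanStyle(string $s): ?string
{ return preg_match('/^\s*color\s*:\s*(#[0-9a-f]{3,6})\s*;?\s*$/i', $s, $m) ? 'color:' . $m[1] : null; }
function cleanHref(string $h): ?string { return preg_match('#^https?://[^\s"\'<>]+$#i', $h) ? $h : null; }

function cleanNode(DOMNode $node): void
{
    // Snapshot the list: removing children while iterating a live list skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) { $node->removeChild($child); } // comments, PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') { $node->removeChild($child); continue; }
        cleanNode($child);                                 // clean the subtree first
        if (!in_array($tag, ALLOWED_TAGS, true)) {         // unwrap: keep the text, drop the tag
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name  = strtolower($attr->name);
            $value = ($name === 'style' && $tag === 'span') ? cleanStyle($attr->value)
                   : (($name === 'href' && $tag === 'a') ? cleanHref($attr->value) : null);
            if ($value === null) { $child->removeAttribute($attr->name); }   // onclick etc. go here
            else { $child->setAttribute($attr->name, $value); }
        }
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<?xml encoding="UTF-8">' . $html); // prolog forces UTF-8; libxml adds <html><body>
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) { return ''; }
    cleanNode($body);
    return implode('', array_map(fn($c) => $doc->saveHTML($c), iterator_to_array($body->childNodes, false)));
}

// Constructed sample: a legitimate colour span plus an inline handler, a script and a javascript: link.
echo sanitizeHtml('<p>7 <span style="color:#FFD700" onclick="alert(1)">SEATERS</span>'
    . '<script>alert(1)</script> <a href="javascript:alert(1)">quote</a></p>'), PHP_EOL;
```

Run this on the stored field instead of the global filter: the colour span is kept intact while the handler, the script and the javascript: href are removed.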
#5  --
    Devshed Expert (3500 - 3999 posts) | Join Date: Jul 2012 | Posts: 3,959 | Rep Power: 1014
    Hi,

    We've already realized several times that the CI security system sucks. This is yet another example. Looks like they made their own "magic quotes", save that they target XSS instead of SQL injections.