Henson

Reputation: 5913

Codeigniter Filter Output for URL Use

I may be thinking too much about this, but let's say I have a Website field in the database. I've used strip_tags to strip all HTML tags. But if the user inputs this

javascript:alert('test')

It will pass, since it's a string. But then the HTML will generate

<a href="<?php echo prep_url($website);?>">Website</a> //the code in view file
<a href="javascript:alert('test')">Website</a> //bad

and the JavaScript will execute if clicked. Notice too that prep_url doesn't work.

Any suggestions? I've looked at HTMLPurifier, but it is quite big in size and I don't really want to make major changes.

Thanks

Upvotes: 2

Views: 1703

Answers (2)


Reputation: 102824

You shouldn't use strip_tags if you expect a URL; you should validate the URL and probably urlencode it. Here's one way with filter_var:

$url = "javascript:alert('test')";
var_dump(filter_var($url, FILTER_VALIDATE_URL));
// bool(false)

$url = "http://stackoverflow.com/questions/10918132";
var_dump(filter_var($url, FILTER_VALIDATE_URL));
// string(43) "http://stackoverflow.com/questions/10918132"

So if filter_var($user_input, FILTER_VALIDATE_URL) is FALSE, don't accept the user input. This should negate the need for CI's xss_clean(), although you may want to run it anyway when you put it in the HTML attribute. You may need to run prep_url on the input before validating if you don't require the user to enter the http:// part.

There are many ways to validate a URL, just pick one you like.

Upvotes: 2
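A worked version of the approach in this answer, added here as an editor's example (it is not code from the question, the answer, or CodeIgniter itself). It shows the two checks a practitioner wants around filter_var: FILTER_VALIDATE_URL is a syntax check and accepts any scheme that carries a host, so a value like javascript://example.com/%0aalert(1) gets through it, and the scheme has to be whitelisted explicitly; and the value must be escaped for the attribute context with htmlspecialchars() when rendered, since urlencode() would mangle a legitimate URL. The function names safe_website_url() and website_link(), the scheme-prepending rule (a variant of prep_url() that only adds http:// when no scheme is present at all) and the sample inputs are this example's own.

```php
<?php
// Editor's added example: validate a user-supplied "Website" value before
// storing it, then escape it for the href attribute when rendering.
// Function names, the prep rule and the sample inputs are assumptions of
// this example, not CodeIgniter APIs.

/**
 * Return a normalised http(s) URL, or null if the input must be rejected.
 */
function safe_website_url(string $input): ?string
{
    $url = trim($input);

    // Users often omit the scheme. Unlike CI's prep_url(), only prepend
    // http:// when there is no scheme at all, so a supplied scheme is
    // still visible to the whitelist check below.
    if ($url !== '' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
        $url = 'http://' . $url;
    }

    // Syntax check only. This rejects raw whitespace/control characters and
    // scheme-only values such as javascript:alert('test') (no host), but it
    // accepts javascript://example.com/%0aalert(1) because it has a host.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // The real defence for an href: allow only the schemes a website
    // field should ever hold.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    return $url;
}

/**
 * Render the anchor. Escaping is for the HTML attribute context:
 * ENT_QUOTES turns " and ' into entities so the value cannot close the
 * attribute, while a valid URL is left readable (urlencode() would not be).
 */
function website_link(string $stored_url): string
{
    $href = htmlspecialchars($stored_url, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '" rel="noopener noreferrer">Website</a>';
}

// Constructed sample inputs for the demonstration.
$samples = [
    "javascript:alert('test')",              // no host: filter_var returns false
    "javascript://example.com/%0aalert(1)",  // passes filter_var, fails the scheme check
    "example.com/path",                      // accepted once http:// is prepended
    'https://example.com/?q="><script>',     // valid URL; quotes/brackets escaped on output
];

foreach ($samples as $s) {
    $clean = safe_website_url($s);
    echo str_pad($s, 42), ' => ',
        ($clean === null ? 'REJECT' : website_link($clean)), PHP_EOL;
}
```

Run it with php on the command line; the first two samples are rejected, the third renders as a plain http link, and the fourth renders with the quote and angle brackets encoded as entities, so it cannot break out of the href attribute. Store the value returned by safe_website_url(), and do the htmlspecialchars() call in the view, at the point where the value enters the attribute.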

Nicolás Torres

Reputation: 1345

CodeIgniter has an XSS filter class. It's not the best thing in the world, but it filters the most common problems. Security class

You can make CodeIgniter filter all POST and GET by changing the option in your config file, or you can ask it to filter manually by doing this.

$this->input->post('whatever',TRUE); //Note the TRUE

Upvotes: 1
