Mohammad Naji

Reputation: 5442

Codeigniter removes inline style from html input

Taking a look at the following code:

$this->input->post('title', FALSE);

I have manually disabled XSS filtering.

Now let's see some examples:

<p BAD_ATTR_KEY="BAD_ATTR_VAL">Salam</span>

RETURNS:

<p BAD_ATTR_KEY="BAD_ATTR_VAL">Salam</span>

<p style="color: red;">Salam</span>

RETURNS:

<p  red;">Salam</span>

Any ideas how to disable this behavior so that the site admins will be able to easily assign different inline styles to any element on the page?


UPDATE:

I have enabled global XSS filtering in application/config/config.php because I need it all the time.

I don't need XSS filtering only when trusted admins are posting their content from the back end. For that purpose I have manually disabled XSS filtering as mentioned in my code above. And I think that the manual config should override the default config stated in config.php, so there should be no problem with that.

Upvotes: 2

Views: 4777

Answers (3)

Khan Sharukh

Reputation: 1201

Look, not the solution but a workaround.

For me, I cannot disable global XSS filtering for security reasons.

So, I did this.

<h1 stile="color:red;">Red</h1>

Note that the style is written as stile.

Which is accepted even with $this->input->post('body', TRUE);

Now, I have used str_replace("stile", "style", $body); in frontend.

Maybe not the best solution but a working workaround.

Upvotes: 0

Haisum Usman

Reputation: 516

I spent around 5 hrs on this problem and found the simple solution. First you need to find the Security class, which is located in your project/application/core and, if any CodeIgniter CMS is used, then in project/system/codeigniter/core/security.

There will be a function with the name '_remove_evil_attributes' (a protected method). In this function there will be a line $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction'); if you want to allow the style attribute in your input elements or textareas, then you need to remove 'style' from here to allow style attributes to work properly; otherwise they will automatically be replaced by this line of code, written further down in this function:

$str = preg_replace('/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><])([><]*)/i', '

So beware of this thing; don't waste your precious time as I did. Thanks, Haisum

Upvotes: 1

Mohammad Naji

Reputation: 5442

I have found what my problem was according to Asad's comment.

Even now that I had manually disabled XSS filtering using:

$body = $this->input->post('body', FALSE);

that was still being removed because I had enabled XSS filtering in application/config/config.php.

I don't really know why it couldn't be overridden using the second parameter anyway.

Upvotes: 2
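A hardened version of the rename trick from the workaround above, written for this thread rather than taken from it or from CodeIgniter: style attributes whose values are plain property:value pairs are renamed before xss_clean() runs and restored afterwards, while any other style value is left for the filter to strip. Since global XSS filtering already cleans $_POST in the Input constructor before post() is ever called (which is why the FALSE argument could not undo it), this has to run on a route with global filtering off and xss_clean() called explicitly; the stand-in filter, the helper names and the data-admin-css placeholder are assumptions.

```php
<?php
// Added example, not code from this thread or from CodeIgniter. It hardens the
// "stile" rename workaround: a style attribute is tunnelled past xss_clean() only
// when its value is a list of plain property:value pairs, so values such as
// url(javascript:...) or expression(...) never survive the filter.
// Assumption: CI's $this->security->xss_clean() is handed in as $xss_clean; the
// stand-in at the bottom only mimics its style stripping so the file runs alone.

// Only letters, digits, '#', '%', '.', ',', '-', ':', ';' and whitespace pass.
const SAFE_STYLE_RE = '/^\s*(?:[a-z-]+\s*:\s*[a-z0-9#%.,\s-]+;?\s*)+$/i';
// The placeholder must not contain "style" (the filter matches it as a
// substring) nor an "on...=" event-handler pattern.
const STYLE_PLACEHOLDER = 'data-admin-css';

/** Rename style="..." to the placeholder, but only when its value is plainly safe. */
function hide_safe_styles(string $html): string
{
    return preg_replace_callback(
        '/\sstyle\s*=\s*(?:"([^"]*)"|\'([^\']*)\')/i',
        function (array $m): string {
            $value = $m[1] !== '' ? $m[1] : ($m[2] ?? '');
            if (!preg_match(SAFE_STYLE_RE, $value)) {
                return $m[0];   // left in place for xss_clean() to remove
            }
            return ' ' . STYLE_PLACEHOLDER . '="' . $value . '"';
        },
        $html
    );
}

/** Put the surviving placeholders back as real style attributes. */
function restore_styles(string $html): string
{
    return preg_replace('/\b' . STYLE_PLACEHOLDER . '="([^"]*)"/', 'style="$1"', $html);
}

/** Filter trusted-admin HTML while keeping validated inline styles. */
function admin_clean(string $html, callable $xss_clean): string
{
    return restore_styles($xss_clean(hide_safe_styles($html)));
}

// Stand-in for xss_clean(): drops every style attribute, quoted or not.
$stand_in = fn(string $s): string =>
    preg_replace('/\sstyle\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]*)/i', '', $s);

// Constructed inputs: the thread's own example, then a hostile value.
echo admin_clean('<p style="color: red;">Salam</p>', $stand_in), "\n";
echo admin_clean('<p style="background:url(javascript:alert(1))">x</p>', $stand_in), "\n";
```

In the real application, pass $this->security->xss_clean in place of $stand_in and keep the allow-list as tight as the admins' actual needs require.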
