codeigniter global_xss_filtering [英] Codeigniter global_xss_filtering

问题描述

在我的codeigniter配置我有 $ config ['global_xss_filtering'] = TRUE; 。在我的管理部分我有一个ckeditor生成前端内容。

In my codeigniter config I have $config['global_xss_filtering'] = TRUE;. In my admin section I have a ckeditor which generates the frontend content.

在编辑器中输入和放置的所有内容工作正常，图像显示漂亮，html是工作。除闪存外。每当我切换到html模式并粘贴一个youtube代码片，它会被转义，代码在首页显示，而不是显示一个youtube电影。

Everything that is typed and placed inside the editor works fine, images are displayed nice, html is working. All except flash. Whenever I switch to html mode and paste a youtube code piece it is escaped and the code is visible on the frontpage instead of showing a youtube movie.

如果我设置 $ config ['global_xss_filtering'] = FALSE; youtube代码传递像它应该。这是因为'object'，'embed'等被CI标记为淘气，因此被转义。

If I set $config['global_xss_filtering'] = FALSE; the youtube code is passed like it should. This is because 'object', 'embed' etc are flagged as "naughty" by CI and thus escaped.

如何绕过这个控制器方法的xss过滤

How can I bypass the xss filtering for this one controller method?

推荐答案

默认关闭它，然后为真正需要它的地方启用它。

Turn it off by default then enable it for places that really need it.

例如，我已经关闭所有的控制器，然后启用它的评论，页面等。

For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.

你可以做的事是在PyroCMS中创建一个MY_Input（或者在CI 2中的MY_Security），并且使用精确的副本覆盖xss_clean方法，减去对象| embed |正式表达式的一部分。

One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.

http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php

这是一个地狱

也许我们可以创建一个配置选项来列出2.0的坏元素？

Perhaps we could create a config option could be created listing the bad elements for 2.0?

这篇关于codeigniter global_xss_filtering的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！