codeigniter global_xss_filtering [英] Codeigniter global_xss_filtering
问题描述
在我的codeigniter配置我有 $ config ['global_xss_filtering'] = TRUE;
。在我的管理部分我有一个ckeditor生成前端内容。
In my codeigniter config I have $config['global_xss_filtering'] = TRUE;
. In my admin section I have a ckeditor which generates the frontend content.
在编辑器中输入和放置的所有内容工作正常,图像显示漂亮,html是工作。除闪存外。每当我切换到html模式并粘贴一个youtube代码片,它会被转义,代码在首页显示,而不是显示一个youtube电影。
Everything that is typed and placed inside the editor works fine, images are displayed nice, html is working. All except flash. Whenever I switch to html mode and paste a youtube code piece it is escaped and the code is visible on the frontpage instead of showing a youtube movie.
如果我设置 $ config ['global_xss_filtering'] = FALSE;
youtube代码传递像它应该。这是因为'object','embed'等被CI标记为淘气,因此被转义。
If I set $config['global_xss_filtering'] = FALSE;
the youtube code is passed like it should. This is because 'object', 'embed' etc are flagged as "naughty" by CI and thus escaped.
如何绕过这个控制器方法的xss过滤
How can I bypass the xss filtering for this one controller method?
推荐答案
默认关闭它,然后为真正需要它的地方启用它。
Turn it off by default then enable it for places that really need it.
例如,我已经关闭所有的控制器,然后启用它的评论,页面等。
For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.
你可以做的事是在PyroCMS中创建一个MY_Input(或者在CI 2中的MY_Security),并且使用精确的副本覆盖xss_clean方法,减去对象| embed |正式表达式的一部分。
One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.
http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php
这是一个地狱
也许我们可以创建一个配置选项来列出2.0的坏元素?
Perhaps we could create a config option could be created listing the bad elements for 2.0?
这篇关于codeigniter global_xss_filtering的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!