问题
ive searched every site including stackoverflow on this issue.
I have XSS globally turned on and few pages I have use TinyMCE. On those pages I'd like the TinyMCE part to not have XSS enabled.
After reading about 40 pages, they all say to do the following:
$tiny_mce = $this->input->post('note'); // xss filtering off
or
$tiny_mce = $this->input->post('note', FALSE); // xss filtering off
I have tried both, here is my model:
public function edit($id) {
$tiny_mce = $this->input->post('note'); // xss filtering off
$userId = $this->ion_auth->get_user_id();
$data = array(
'note' => $tiny_mce
,'postedBy' => $userId);
$this->db->where('id', $id);
$this->db->update('company_notes', $data);
}
Anyone know why its not working? Any help would be great! I really dont want to globally turn XSS off, so im hoping for a " per basis" approach.
Edit I just tried
public function edit($id) {
$this->config->set_item('global_xss_filtering', FALSE);
$tiny_mce = $this->input->post('note'); // xss filtering off
$userId = $this->ion_auth->get_user_id();
$data = array(
'note' => $tiny_mce
,'postedBy' => $userId);
$this->db->where('id', $id);
$this->db->update('company_notes', $data);
}
but that too doesn't work.
回答1:
There's no way to disable XSS filtering after Controller initialized.
Because if you enable $config['global_xss_filtering'] = TRUE; at config.php file, CodeIgniter Performs XSS filtering on $_POST, $_GET, $_COOKIE before initializing Controllers, Models and ...
So when you get access to Controller everything is done before.
While a solution is to disable $config['global_xss_filtering'] and run XSS filtering on specific variables as you need, There's a way to keep the original values (pre-filtered) somewhere for using them later:
1) Set the $config['enable_hooks'] to TRUE at application/config.php.
2) Insert the following into the application/config/hooks.php:
$hook['pre_controller'] = array(
'class' => '',
'function' => 'keep_vars',
'filename' => 'keep_vars.php',
'filepath' => 'hooks',
'params' => array($_POST, $_GET)
);
Note: We are using this Hook to execute keep_vars() function before Controller initialized ( you might also want to consider using 'pre_system' key).
3) Create keep_vars.php inside application/hooks/ directory with the content below:
<?php
function keep_vars ($vars = array())
{
if (empty($vars)) return;
global $pre_filter;
$pre_filter = array();
foreach ($vars as $var) {
$pre_filter = array_merge($pre_filter, $var);
}
}
4) Finally, when you want to get access to a variable in $_GET or $_POST in your controller, define the global $pre_filter variable inside the method:
class Foo extends CI_Controller {
public function __construct()
{
parent::__construct();
}
public function bar ()
{
// define as global
global $pre_filter;
// check the pre XSS filtered values
print_r($pre_filter);
// you can get access to pre filtered $_POST['key'] by:
echo $pre_filter['key'];
}
}
回答2:
After reading the security documentation 3 more times, it occurs to me the security setting are applied when a new controller is invoked so using
$this->config->set_item('global_xss_filtering', FALSE);
in a controller won't work. You can however use one of CI's hooks to accomplish this.
the pre_controller hook looks like it should do the trick for you.
theres a pretty nice tutorial about halfway down the page here that shows you how to override config items. Its under the 'Serving Separate Response Formats' section.
So in your config/hooks.php file add this:
$hook['pre_controller'] = array(
'class' => 'the_name_of_your_controller',
'function' => 'config', //or the name of the function that will fire on preload
'filename' => 'the_file_name_of_your_controller.php',
'filepath' => 'hooks'
);
THen in your controller add this function:
public function config() {
$CI =& get_instance();
$CI->config->set_item( 'global_xss_filtering', FALSE );
}
来源:https://stackoverflow.com/questions/17686074/codeigniter-2-and-how-to-disabled-xss-for-tinymce