

How to implement XSS Protection using Grocery Crud

xss security output

3 replies to this topic

#1 marlaaragao

marlaaragao

    Advanced Member

  • Members
  • 32 posts

Posted 07 August 2015 - 12:19 AM

Hi!

 

I wonder how I'm able to prevent xss atacks on grocery crud by filtering the output. I can't use the Codeigniter feature, since it's deprecated and they say you should filter the output data, not the data that will be stored on db.

 

If I save some post that is for example: '<script>alert("that's not good")</script>', when I'm in the grid, if this column is shown, the script is executed. How can I prevent it?

 

Again, I can't change the data before saving on db. Thanks!

 




#2 masterpipestyle

masterpipestyle

    Newbie

  • Members
  • 2 posts

Posted 08 March 2016 - 04:19 PM


#3 masterpipestyle

masterpipestyle

    Newbie

  • Members
  • 2 posts

Posted 08 March 2016 - 04:47 PM

Hi,

To prevent XSS in the crud I did a function that filters the $post_array. Example:

function xss_clean($post_array, $primary_key = null){
	// Runs as a before_insert / before_update callback. grocery CRUD passes
	// $primary_key only on update, hence the null default.
	foreach ($post_array as $key => $value) {
		$post_array[$key] = $this->security->xss_clean($value);
	}

	return $post_array;
}

Use:

public function my_table(){
	$this->load->database();
	$crud = new grocery_CRUD();

	$crud->set_theme('flexigrid');
	$crud->set_table('my_table');
	$crud->set_subject('My Table');

	$crud->callback_before_update(array($this,'xss_clean'));
	$crud->callback_before_insert(array($this,'xss_clean'));

	$output = $crud->render();

	$this->_admin_output($output);
}

I hope it helps.

Bye!
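The answer above filters the data on its way into the database. For the original poster's constraint (leave stored data alone, escape at output), here is an added example that is not from this thread or from the grocery CRUD project; it assumes grocery CRUD's callback_column($column, $callback) hook, whose callback receives the cell value and the row, a controller helper _admin_output() as used above, and a table my_table with untrusted text in the columns title and body.

```php
<?php
// Added example: escape on output with grocery CRUD's callback_column hook,
// leaving the stored data untouched. Assumes a CodeIgniter controller with
// grocery CRUD loaded and a table 'my_table' whose 'title' and 'body'
// columns contain user-supplied text (assumed names).
class Articles extends CI_Controller {

    // Escape one cell for an HTML body context. ENT_QUOTES also converts
    // the single quote, so the same value is safe inside quoted attributes.
    // A stored '<script>alert("x")</script>' is rendered as visible text.
    public function escape_cell($value, $row) {
        return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    public function my_table() {
        $this->load->database();
        $crud = new grocery_CRUD();

        $crud->set_theme('flexigrid');
        $crud->set_table('my_table');
        $crud->set_subject('My Table');

        // Register the escaper for every column that can hold free text.
        // The grid then shows the raw stored value as text, not as markup.
        foreach (array('title', 'body') as $col) {
            $crud->callback_column($col, array($this, 'escape_cell'));
        }

        $output = $crud->render();
        $this->_admin_output($output);
    }
}
```

This only covers the list grid; the escaping callback has to be registered for every column that is shown, and a column that is meant to carry HTML needs a whitelist sanitizer instead of htmlspecialchars().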



#4 web-johnny

web-johnny

    grocery CRUD Author

  • Administrators
  • 1,137 posts
  • Location: London

Posted 19 March 2017 - 09:42 AM

I have good news. The latest version of grocery CRUD (version 1.5.8) now also includes an xss_clean configuration. For more also check the thread that we did open on github: https://github.com/s...mment-271142570






