Codeigniter xss_clean dilemma
Basically XSS is an OUTPUT problem - but Codeigniter deals with it as an INPUT problem.
Can someone elaborate how it's bad...
The problem is xss_clean alters your INPUT - meaning in some scenarios (like the password issue you have described) the input is not what is expected.
...or at least give 1 most probable scenario where it can be exploited?
It only looks for certain key words, such as "javascript". There are other script actions which xss_clean does not detect, plus it wont protect you against any "new" attacks.
The one thing I don't like is javascript: and such will be converted to [removed]. Can I extend the CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed]
You could do this - but your just putting a bandaid on a poor solution.
I've been reading about pros and cons about whether to escape on input/output with majority says that we should escape on output only.
This is the correct answer - escape ALL your output, and you have true XSS protection, without altering the input.
OWASP explains more on XSS here
See a good Codeigniter forum thread on XSS
Personally my approach to XSS protection in Codeigniter is I do not do ANY XSS cleaning on the inputs. I run a hook on the _output - which cleans all my “view_data” (which is the variable I use to send data to the views).
I can toggle if I dont want the XSS Clean to run by inserting a “$view_data[‘clean_output’] = false” in my controller, which the hook checks:
if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output'])) { // Apply to all in the list $this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data); }
This gives me automatic and full XSS protection on my whole site -with just a couple of lines of code and no performance hit.