Codeigniter XSS Cross Site Scripting Hacking Attack Security - Mostlikers

16 March, 2017


Today we are going to see how to secure CodeIgniter against XSS (Cross Site Scripting) hacking attacks. CodeIgniter comes with a Cross Site Scripting hack prevention filter that can run automatically to filter all POST and COOKIE data it encounters. To filter GET and POST form data you need to use the security helper; when the form data is POSTed to your controller, you just call xss_clean().

What is XSS Attack

Cross-Site Scripting (XSS) attacks are a type of injection. They occur when an attacker uses your web application, or one of its forms, to submit malicious code. If your site passes user-supplied information on to other websites, an attacker can take that same URL, point it at their own website, and send malicious code through it.

Example:
Your name

Attacker will send:
Your name


CodeIgniter has a built-in security library for XSS (cross-site scripting) attacks. Just call the $this->security->xss_clean() function; it filters the data, and the condition that follows checks the result.


How to use xss_clean()

Load the security library in your parent controller class.
$this->load->library("security");

If you are using the latest version, CodeIgniter 3.0, add the script below instead:
$this->load->helper("security");

XSS Clean Syntax

// $data is the form POST data (a string or an array).
// xss_clean() returns the filtered copy; it never returns TRUE/FALSE,
// so compare the filtered copy with the original to detect rejected input.
$clean = $this->security->xss_clean($data);
if ($clean === $data)
{
  // Nothing was stripped: allow access and use $clean from here on
}
else
{
  echo 'Your site failed XSS security validation'; exit;
}

CodeIgniter controller code. As an example, I have created a sample controller called Welcome. There I load the security helper and use the xss_clean() function.
<?php
class Welcome extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');
        $this->load->helper('form');
        $this->load->helper('security');
        $this->load->library('form_validation');
        $this->load->model('users_model', 'users');
    }

    public function index()
    {
        $this->load->view('signup');
    }

    public function new_user()
    {
        if ($_SERVER['REQUEST_METHOD'] === 'POST'):
            $this->form_validation->set_rules('user_name', 'Username', 'trim|required');
            $this->form_validation->set_rules('user_email', 'Email', 'required|is_unique[users.email]');
            $this->form_validation->set_message('is_unique', 'This email is already registered with us.');
            if ($this->form_validation->run() == FALSE):
                $this->load->view('signup');
            else:
                $data = array(
                    'name'  => $this->input->post('user_name'),
                    'email' => $this->input->post('user_email'),
                );
                // xss_clean() returns the filtered array, not TRUE/FALSE:
                // any difference from the raw input means something was stripped.
                $clean = $this->security->xss_clean($data);
                if ($clean === $data)
                {
                    // Replace table_name with your table (users, per the is_unique rule above)
                    $this->db->insert('table_name', $clean);
                    echo 'Successfully registered.';
                    $_POST = array(); // clear so set_value() does not repopulate the form
                }
                else
                {
                    echo 'Your site failed XSS security validation'; exit;
                }
            endif;
        else:
            show_404('not-a-POST!');
        endif;
    }

}
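As an added example (my code, not the post's), a CodeIgniter 3 controller that makes the check above meaningful: xss_clean() returns the filtered value rather than TRUE/FALSE, so the method compares the filtered copy with the raw input to learn which fields were altered, records that with CodeIgniter's log_message(), rejects the request, and still escapes with html_escape() when rendering. The class name Signup_filtered and the log wording are mine; it assumes the database library is autoloaded and a users table as in the is_unique rule above.

```php
<?php
// Added example (not the post's code): a CodeIgniter 3 controller whose
// xss_clean() check is meaningful. xss_clean() returns the filtered data,
// never TRUE/FALSE, so the reliable signal is a difference from the raw input.
class Signup_filtered extends CI_Controller {

    /**
     * Filter every field with xss_clean() and report which ones changed.
     * Returns array(cleaned_fields, names_of_changed_fields).
     */
    private function filter_and_flag(array $fields)
    {
        $clean   = $this->security->xss_clean($fields); // arrays are filtered element-wise
        $changed = array();
        foreach ($fields as $name => $raw) {
            if ($clean[$name] !== $raw) {
                $changed[] = $name;
            }
        }
        return array($clean, $changed);
    }

    public function new_user()
    {
        if ($this->input->method(TRUE) !== 'POST') {
            show_404();
        }
        $raw = array(
            'name'  => (string) $this->input->post('user_name'),
            'email' => (string) $this->input->post('user_email'),
        );
        list($data, $flagged) = $this->filter_and_flag($raw);

        if ($flagged) {
            // Record which fields were altered and the source address for the
            // application log; never store or echo the raw value.
            log_message('error', 'xss_clean altered ' . implode(',', $flagged)
                . ' from ' . $this->input->ip_address());
            show_error('Your input failed XSS security validation.', 400);
        }

        // Assumes the database library is autoloaded and a users table exists.
        $this->db->insert('users', $data);

        // Input filtering is not output encoding: escape again when rendering.
        echo 'Registered ' . html_escape($data['name']);
    }
}
```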


Signup form HTML design. Load this from application/views/singup.html
<!-- Note: $this->load->view('signup') appends .php when no extension is given,
     so save this file as application/views/signup.php (or pass an explicit extension). -->
<form method="post" action="<?= site_url('welcome/new_user') ?>" role="form">
    <div class="form-group">
        <label for="user_name">Your Name</label>
        <!-- set_value() re-fills the field after a failed validation and HTML-escapes it -->
        <input type="text" id="user_name" name="user_name" value="<?php echo set_value('user_name'); ?>">
        <div class="errorMessage"><?php echo form_error('user_name'); ?></div>
    </div>
    <div class="form-group">
        <label for="user_email">Email</label>
        <input type="email" id="user_email" name="user_email" value="<?php echo set_value('user_email'); ?>">
        <div class="errorMessage"><?php echo form_error('user_email'); ?></div>
    </div>
    <button type="submit" class="btn btn-primary">
        Sign up
    </button>
</form>

Conclusion

The xss_clean() function helps keep unknown third-party users from injecting malicious input into your site. We hope this tutorial really helps you. If you have a suggestion, write it in the comment box.

2 comments:

  1. Just use the 2nd parameter in the input post method like this
    $this->input->post('user_email', TRUE)

    The 2nd parameter should be TRUE, or you can enable it from the configuration file so it will automatically check for XSS attacks.

    Replies
    1. Thanks for feedback. We will update code.