
I am working on a CMS with CodeIgniter. Users are supposed to know HTML and construct the page themselves. Now I am having problems with storing some tags in the database (MySQL database).

Users can upload images to the server and then use the path of the image in the code. The code is edited in a . When I try to update the code of a certain page to:

<img src="assets/fileserver/versje2.jpg"  alt="" />

everything works. But when I apply inline style to it

<img style="width: 200px;" src="assets/fileserver/versje2.jpg"  alt="" />

it won't work. It simply ignores the style and the following is stored in the database:

  <img src="assets/fileserver/versje2.jpg"  alt="" />

it simply removes the style. How is this possible?

I have tried:

- htmlspecialchars
- htmlentities

$config['global_xss_filtering'] = FALSE;
$config['global_xss_filtering'] = TRUE;

Any suggestions on what the problem could be?

3 Answers


Maybe you need to save it with the htmlspecialchars($saveToDB) function,
edit it in an input like this: <input name="someHtmlCode" value="<?=$saveToDB;?>" />
and then echo it with the htmlspecialchars_decode function in the HTML file on your site:
$html = htmlspecialchars_decode($dataFromDB);


1 Comment

Thanks, this works even if $config['global_xss_filtering'] is set to TRUE.

Seems like I found it already! First, I had

 $config['global_xss_filtering'] = TRUE;

Then, I set it to

$config['global_xss_filtering'] = FALSE;

But I still had xss_clean on the form validation!

$this->form_validation->set_rules('inhoud', 'inhoud', 'xss_clean'); // the xss_clean rule strips the style attribute

That is why it didn't work, now, the style is written to the database just fine!

1 Comment

In my case I have set $config['global_xss_filtering'] = FALSE and I don't use form validation. I used AJAX to send the HTML tags and inline CSS style, received the data using $_POST[''] and eventually called the function to insert it in the MODEL, and I still cannot save the inline CSS style.

This worked for me (CodeIgniter 3).

Keep this TRUE:

$config['global_xss_filtering'] = TRUE;

You can turn the XSS filter off separately, per field:

$this->input->post('input_field_name', TRUE); // with XSS filter

$this->input->post('input_field_name', FALSE); // without XSS filter

For example:

$this->input->post('description', FALSE); // without XSS filter
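Added example, not code from the question, the answers or CodeIgniter itself. What the three answers leave open is that reading a field with the XSS filter off, as in $this->input->post('inhoud', FALSE), stores exactly what the user typed, and in a CMS where anyone other than the site owner authors pages that is stored XSS. xss_clean is a denylist, which is why it also strips a harmless style="width: 200px;". The usual replacement is an allowlist sanitizer that keeps only the tags, attributes, URL schemes and CSS properties the CMS needs and drops everything else, so the image keeps its width while onerror handlers, javascript: URLs, expression() styles and script elements are removed. The class below does that with PHP's DOMDocument (ext/dom, assumed to be installed); the class name, the allowlists and the constructed sample input are assumptions chosen for this example.

```php
<?php
// Added example, not code from the question, the answers or CodeIgniter.
// Allowlist sanitizer for user-authored page HTML, meant to replace xss_clean
// for one field, e.g. in a CI controller:
//   $html = PageHtmlSanitizer::sanitize($this->input->post('inhoud', FALSE));
// Requires ext/dom (DOMDocument). Class name and allowlists are assumptions.

final class PageHtmlSanitizer
{
    /** Tags the CMS permits, each with the attributes it may carry. */
    private const ALLOWED = [
        'p' => [], 'br' => [], 'strong' => [], 'em' => [],
        'h1' => [], 'h2' => [], 'h3' => [],
        'ul' => [], 'ol' => [], 'li' => [],
        'a'    => ['href', 'title'],
        'img'  => ['src', 'alt', 'style'],
        'div'  => ['style'],
        'span' => ['style'],
    ];

    /** Elements removed together with their content instead of being unwrapped. */
    private const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

    /** CSS properties a style attribute may set. */
    private const ALLOWED_CSS = ['width', 'height', 'float', 'margin', 'text-align'];

    public static function sanitize(string $html): string
    {
        $doc = new DOMDocument();
        $prev = libxml_use_internal_errors(true);   // tolerate sloppy user markup quietly
        $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
            . $html . '</body></html>');
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $body = $doc->getElementsByTagName('body')->item(0);
        self::cleanChildren($body);

        $out = '';
        foreach ($body->childNodes as $child) {
            $out .= $doc->saveHTML($child);          // serializer re-escapes text nodes
        }
        return $out;
    }

    private static function cleanChildren(DOMNode $parent): void
    {
        foreach (iterator_to_array($parent->childNodes, false) as $child) {
            if ($child instanceof DOMText) {
                continue;                            // text is safe once serialized
            }
            if (!$child instanceof DOMElement) {
                $parent->removeChild($child);        // comments, processing instructions
                continue;
            }
            $tag = strtolower($child->tagName);
            if (in_array($tag, self::DROP_WITH_CONTENT, true)) {
                $parent->removeChild($child);
                continue;
            }
            if (!isset(self::ALLOWED[$tag])) {
                // Unknown tag: keep its children, drop the tag, then rescan the parent,
                // because the promoted children have not been cleaned yet.
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
                self::cleanChildren($parent);
                return;
            }
            self::cleanAttributes($child, self::ALLOWED[$tag]);
            self::cleanChildren($child);
        }
    }

    private static function cleanAttributes(DOMElement $el, array $allowed): void
    {
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed, true)) {
                $el->removeAttribute($attr->name);   // drops every on* handler as well
            } elseif (($name === 'href' || $name === 'src') && !self::isSafeUrl($attr->value)) {
                $el->removeAttribute($attr->name);
            } elseif ($name === 'style') {
                $clean = self::cleanStyle($attr->value);
                if ($clean === '') {
                    $el->removeAttribute('style');
                } else {
                    $el->setAttribute('style', $clean);
                }
            }
        }
    }

    /** Relative paths and http(s) URLs only; no javascript:, data: or protocol-relative URLs. */
    private static function isSafeUrl(string $url): bool
    {
        // Browsers ignore ASCII control characters inside a scheme ("java\tscript:"),
        // so strip them before looking for one.
        $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
        if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $probe)) {
            return (bool) preg_match('#^https?://#i', $probe);
        }
        return !preg_match('#^[/\\\\]{2}#', $probe);   // reject //host and \\host
    }

    /** Keep only allowlisted properties with plain token values (no url(), expression(), escapes). */
    private static function cleanStyle(string $style): string
    {
        $kept = [];
        foreach (explode(';', $style) as $decl) {
            if (strpos($decl, ':') === false) {
                continue;
            }
            [$prop, $value] = array_map('trim', explode(':', $decl, 2));
            $prop = strtolower($prop);
            if (in_array($prop, self::ALLOWED_CSS, true) && preg_match('/^[a-z0-9 .%#-]+$/i', $value)) {
                $kept[] = $prop . ': ' . $value;
            }
        }
        return $kept === [] ? '' : implode('; ', $kept) . ';';
    }
}

// Constructed sample input: the legitimate image from the question plus three injection attempts.
$submitted = '<img style="width: 200px;" src="assets/fileserver/versje2.jpg" alt="" />'
    . '<img src="x" onerror="alert(1)" style="width: expression(alert(1))">'
    . '<a href="java&#9;script:alert(document.cookie)">link</a>'
    . '<script>alert(1)</script><p>Hello <b>world</b></p>';

echo PageHtmlSanitizer::sanitize($submitted), PHP_EOL;
```

Run it with the php CLI: the first img keeps its width, the second loses both onerror and the expression() style, the link loses its javascript: href (the tab entity is decoded by the parser, so the scheme check strips control characters first), the script element disappears with its content, and the unknown b tag is unwrapped to plain text. In a controller the call sits where xss_clean used to be, on the unfiltered post value; if the database already holds markup saved while the filter was off, run the same sanitizer on the way out as well.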
