bcit-ci / CodeIgniter

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

XSS when data is passed on to the web application via an API #6270

Open Sidtheasskicker opened 9 months ago

Sidtheasskicker commented 9 months ago

So here's the scenario:

  1. I have a web application which runs totally on CodeIgniter and filters all the inputs properly without any issues when everything is inside the web application.
  2. I have an API configured and there is a feature to add a user through the API, and all users are displayed on the web application along with all their details.
  3. When I send an HTML tag or a proper XSS payload through the name field while registering a user, those things aren't filtered out and the frontend is displayed as it is without removing those, and then the payload gets triggered as well.

Just wanted to know if this is an accepted risk by default and I have to fix it myself, or whether I should send proofs of concept to help you out.

kenjis commented 9 months ago

It is just a big bug in your application. So you should fix it. See https://codeigniter.com/user_guide/concepts/security.html#a3-cross-site-scripting-xss

Sidtheasskicker commented 9 months ago

Thanks for the reply!

kenjis commented 9 months ago

The document is for CI4, but CI3 also has similar functionality. https://codeigniter.com/userguide3/general/common_functions.html#html_escape https://codeigniter.com/userguide3/libraries/form_validation.html

But CI3 does not have Content Security Policy feature.
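The two replies above point at the same fix: data that enters through the API bypasses the form-validation filtering the reporter relies on, so the view must escape every externally supplied value at output time. The following is an added example, not code from CodeIgniter or from this issue, showing the vulnerable rendering beside the hardened one. It assumes a CI3-style `html_escape()` helper; the shim defined here (a simplified stand-in for the real helper in `system/core/Common.php`, which also honours the configured charset and array input) exists only so the file runs outside the framework, and the `render_user_row_*` functions and the sample user record are constructed for illustration.

```php
<?php
// Added example (not CodeIgniter's own code): the failure mode from the issue,
// an API-created user name rendered in a view, beside the fix: escape on output.

// Constructed sample: the "name" field as an API client might submit it.
$apiUser = ['name' => '<script>alert(1)</script>'];

// Stand-in for CI3's html_escape() so this file runs without the framework.
// Assumption: a simplified version of the real helper (string input only,
// fixed UTF-8 charset); inside CI3 the framework's own function is used.
if (!function_exists('html_escape')) {
    function html_escape($var, $double_encode = TRUE)
    {
        if (empty($var)) {
            return $var;
        }
        return htmlspecialchars($var, ENT_QUOTES, 'UTF-8', $double_encode);
    }
}

// Vulnerable view: the value is concatenated into HTML as-is. Input filtering
// on the web forms never sees this value, because it arrived via the API.
function render_user_row_unsafe(array $user): string
{
    return '<td>' . $user['name'] . '</td>';
}

// Hardened view: escape at the point of output, for every value that came
// from outside the application, regardless of which entry point it used.
function render_user_row_safe(array $user): string
{
    return '<td>' . html_escape($user['name']) . '</td>';
}

echo render_user_row_unsafe($apiUser), PHP_EOL;
echo render_user_row_safe($apiUser), PHP_EOL;
```

Running this prints the raw tag from the unsafe renderer and the entity-encoded form from the safe one. The design point is that escaping belongs in the view, keyed to the output context (HTML body here), rather than in any single input path; that is why the API route, which skips the form-validation rules, still renders safely once the view escapes. In CI4 the equivalent helper is `esc()`, as the linked security page describes.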