Xss major vulnerabilities

[alindima]

Hello everyone.
Grocery crud is extremely vulnerable to xss attacks..The output that is being displayed in a regular table is not escaped at all,and as we all know, that is a massive problem. Please fix this ASAP. Thanks.

[airways]

This is extremely irresponsible disclosure. Way to go.

[alindima]

@airways ,sorry but i did not get your point

[airways]

@alindima https://en.wikipedia.org/wiki/Responsible_disclosure

[scoumbourdis]

Hello @alindima,

I am sorry to admit it but @airways is right. Can you please send me at my personal email a more specific issue of what the problem exactly is and suggestions to actually solve the issue?

Thanks Johnny

[heruprambadi]

any solution how to prevent that ?

[buoncri]

Using GC only in Admin area :-D

[scoumbourdis]

I did start a new branch to fix that issue. If you urgently need it then you can have a hot fix of just filter all the inputs from here: https://github.com/scoumbourdis/grocery-crud/commit/cb82d941e82b4cb90a06229d9194e58a8fde8dcb of course this branch it is not completed yet as it needs to have a config file and some other validation checks. I just published this change in case someone needs that urgently.

Thanks Johnny

[agung-wete]

As suggested by codeigniter user guide :

rule about XSS cleaning is that it should only be applied to output, as opposed to input data.

We’ve made that mistake ourselves with our automatic and global XSS cleaning feature (see previous step about XSS above), so now in an effort to discourage that practice, we’re also removing ‘xss_clean’ from the officially supported list of form validation rules.

Sometimes, we need that "special" character that filtered by execute xss_clean on input (for example: password field)

Because this is CRUD library, we cant determine which input need this, so we shouldnt do xss_clean globally.

To prevent XSS we need to do html_escape in output field (function change_list, get_add_input_fields, get_edit_input_fields, get_read_input_fields). This is also make sure ' " ' from data dont break input tag.

Suggestion :

• Because for now grocery crud depends on codeigniter, we need not reinventing the wheel :smiley: . use codeigniter html_escape or xss_clean function
• If we really need to do xss cleaning in input data, we should able to choose which field NOT filtered. maybe add some function : no_xss_clean_input($arrary_of_field_name) If it in $arrary_of_field_name then we dont do xss_clean on it

Thank you

[scoumbourdis]

@agung-wete thanks for that and to be honest I like that this is now a thread for brainstorming :)

I actually agree with what Codeigniter is saying to not have it globally. That's why the fix is half way through and it is not completed yet.

@agung-wete first of all although grocery CRUD is depended on Codeigniter the library is built with that way so one day will NOT be Codeigniter depended at the future. So currently the only libraries that grocery CRUD is using from CI are:

• form validation
• database
• url helper

Nothing more than that (not even the session or the layout is not in use)

Second xss_clean of Codeigniter is really really slow (especially for big texts). That's the main reason that I don't want to use it and I am trying to find another solution.

I will update you for any changes that I will make to the code. The code is not yet completed yet and new ideas are more than welcome :)

[scoumbourdis]

New upcoming version 1.5.7 with XSS clean. If you are interested you can download the master branch. Enjoy :)

[heruprambadi]

hurray ! 💃 💃

[scoumbourdis]

The version is now in public with plus an optimisation of the totals on big tables

[heruprambadi]

Where should i find documentation about it ?

[scoumbourdis]

There is not currently any documentation. It is as easy as setting the config file grocery_crud_xss_clean into true.

More specifically the file is at: application/config/grocery_crud.php

The main reason I did that is that in case you will need to skip the xss_clean validation only for 1 of your CRUD, you can simply do this:

 $this->load->config('grocery_crud');
 $this->config->set_item('grocery_crud_xss_clean', false);

before calling the grocery CRUD.

Also have in mind (I am actually copying the comments at the config) that:

// Turn XSS clean into true in case you are exposing your CRUD into public. 
// Please be aware that this is stripping all the HTML and do not just trim the extra javascript

[heruprambadi]

Oh, ok. I just need to know how to use it. Thanks 😆 Anyway, where (again) i should find details about change log ? Like how to use "faster way to calculate total" (gc 1.5.7).

[scoumbourdis]

I am trying to keep track at the github. So for example if you see a number like (#370: A faster way to calculate the totals) The #370 is a link that you can click and see all the discussions/commits/pull requests and history of the enhancement.

[scoumbourdis]

You can basically see the change logs (with the urls) here: http://www.grocerycrud.com/documentation/change_logs

[heruprambadi]

So there is change log on your site.. ok thanks again 😀