I am working on a CodeIgniter application. On localhost, everything works fine and there are no problems or errors. But when I uploaded the script to a live server, I received this XSS alert when loading the dashboard of my application. I don't know how to resolve the problem. This is my config.php file:
```php
$config['base_url'] = 'https://demos.xxxxxxxx.com';
$config['index_page'] = '';
$config['uri_protocol'] = 'REQUEST_URI';
$config['url_suffix'] = '';
$config['language'] = 'english';
$config['charset'] = 'UTF-8';
$config['enable_hooks'] = FALSE;
$config['subclass_prefix'] = 'MY_';
$config['composer_autoload'] = FALSE;
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd';
$config['allow_get_array'] = TRUE;

$config['log_threshold'] = 0;
$config['log_path'] = '';
$config['log_file_extension'] = '';
$config['log_file_permissions'] = 0644;
$config['log_date_format'] = 'Y-m-d H:i:s';
$config['error_views_path'] = '';

$config['cache_path'] = '';
$config['cache_query_string'] = FALSE;
$config['encryption_key'] = '';

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
//$config['sess_save_path'] = sys_get_temp_dir();
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix'] = '';
$config['cookie_domain'] = '';
$config['cookie_path'] = '/';
$config['cookie_secure'] = FALSE;
$config['cookie_httponly'] = FALSE;

$config['standardize_newlines'] = FALSE;
$config['global_xss_filtering'] = FALSE;

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

$config['compress_output'] = FALSE;
$config['time_reference'] = 'local';
$config['rewrite_short_tags'] = FALSE;
$config['proxy_ips'] = '';
```
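As an added example (not the poster's file), the handful of keys from the config above that matter for diagnosing and containing an XSS problem on a site served over https, with the posted value noted beside each hardened value. Everything else in the posted config.php is left as it was.

```php
<?php
// Excerpt of application/config/config.php (added example, not the
// question's file). The value from the question is noted on each line.

// Nothing was being logged on the live server (0 = logging off), which is
// why the alert was hard to trace. 1 logs errors only; 4 logs everything.
$config['log_threshold'] = 1;              // posted: 0

// The input-side XSS filter. In CodeIgniter 3 it is marked deprecated and
// is a blacklist over incoming GET/POST/COOKIE data; it does not replace
// escaping values when they are printed into HTML. TRUE is acceptable as
// defence in depth, as the accepted answer does.
$config['global_xss_filtering'] = TRUE;    // posted: FALSE

// base_url is https, so the session cookie should only be sent over TLS,
// and page script should not be able to read it (limits what a successful
// XSS can steal).
$config['cookie_secure']   = TRUE;         // posted: FALSE
$config['cookie_httponly'] = TRUE;         // posted: FALSE

// Already enabled in the question; form_open() will add the hidden token.
$config['csrf_protection'] = TRUE;         // posted: TRUE
```

Setting `cookie_secure` to TRUE breaks logins on any plain-http test host, so apply it only where the site is actually served over https, as `base_url` here indicates.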
Finally, I got the solution for the error.
The problem was data passed by the POST method without being sanitized, and by chance some of the data entered contained code tags.
I reviewed all my code to sanitize the data passed by forms, and it is working fine now.
I removed all code like `$_POST['postedvalue']` and modified it to `$this->input->post('postedvalue');`.
I also checked the config.php file and set `$config['global_xss_filtering']` to `TRUE`.
Thank you @Arvin for your help.
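The two changes the answer describes, shown together as an added CodeIgniter 3 example (this is not code from the question or the answer): reading the POST field through the Input class with the XSS filter enabled per call, and escaping the value with `html_escape()` at the point where it is printed back into HTML. The controller name `Comments`, the view `comments_view` and the field name `comment` are assumptions; the CodeIgniter calls (`$this->input->post()`, `$this->input->method()`, `form_open()`, `html_escape()`) are the framework's own.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

// application/controllers/Comments.php (hypothetical controller, added example)
class Comments extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        // form helper gives form_open()/form_close(); url helper is needed by form_open()
        $this->load->helper(array('form', 'url'));
    }

    public function index()
    {
        $data['submitted'] = NULL;

        if ($this->input->method() === 'post') {
            // Before (the pattern the answer removed): $_POST['comment'] read raw.
            // After: Input class with the second argument TRUE, which runs the value
            // through $this->security->xss_clean(). This is the same filter that
            // $config['global_xss_filtering'] applies to every request; it is a
            // blacklist and is not the only defence.
            $data['submitted'] = $this->input->post('comment', TRUE);
        }

        $this->load->view('comments_view', $data);
    }
}
```

```php
<!-- application/views/comments_view.php (hypothetical view, added example) -->
<?php
// form_open() emits the hidden CSRF token field automatically because
// $config['csrf_protection'] is TRUE in the posted config.php.
echo form_open('comments');
?>
  <textarea name="comment"></textarea>
  <button type="submit">Post</button>
<?php echo form_close(); ?>

<?php if ($submitted !== NULL): ?>
  <!-- Output-side defence: html_escape() wraps htmlspecialchars() with
       ENT_QUOTES and the configured charset, so <, >, " and ' in the value
       render as text instead of being parsed as markup. This is what stops
       stored or reflected markup from executing, whatever the input filter
       did or did not catch. -->
  <p>You wrote: <?php echo html_escape($submitted); ?></p>
<?php endif; ?>
```

Input filtering and output escaping address different things: `xss_clean()` mutates the data before it is stored, while `html_escape()` leaves the stored text intact and makes it safe for the HTML context it is printed into. Values placed into other contexts (a JavaScript string, a URL, an attribute built by hand) need the escaping appropriate to that context rather than `html_escape()` alone.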