Tags: php, codeigniter, xss

I get an XSS error in my CodeIgniter 3 script


I am working on a CodeIgniter application. On localhost, everything works fine and there are no problems or errors. But when I uploaded the script to a live server, I received this XSS alert when loading the dashboard of my application. I don't know how to resolve the problem. This is my config.php file:

```php
$config['base_url'] = 'https://demos.xxxxxxxx.com';
$config['index_page'] = '';
$config['uri_protocol']   = 'REQUEST_URI';
$config['url_suffix'] = '';
$config['language']   = 'english';
$config['charset'] = 'UTF-8';
$config['enable_hooks'] = FALSE;
$config['subclass_prefix'] = 'MY_';
$config['composer_autoload'] = FALSE;
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd';
$config['allow_get_array'] = TRUE;

$config['log_threshold'] = 0;
$config['log_path'] = '';
$config['log_file_extension'] = '';
$config['log_file_permissions'] = 0644;
$config['log_date_format'] = 'Y-m-d H:i:s';

$config['error_views_path'] = '';
$config['cache_path'] = '';
$config['cache_query_string'] = FALSE;
$config['encryption_key'] = '';

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = NULL;
//$config['sess_save_path'] = sys_get_temp_dir();
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

$config['cookie_prefix']  = '';
$config['cookie_domain']  = '';
$config['cookie_path']        = '/';
$config['cookie_secure']  = FALSE;
$config['cookie_httponly']    = FALSE;

$config['standardize_newlines'] = FALSE;
$config['global_xss_filtering'] = FALSE;

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

$config['compress_output'] = FALSE;
$config['time_reference'] = 'local';
$config['rewrite_short_tags'] = FALSE;
$config['proxy_ips'] = '';
```

Solution

  • Finally, I got the solution for the error. The problem was data passed by the POST method without being sanitized, and by chance some of the data entered contained coding tags.
    I reviewed all my code to sanitize the data passed by forms, and it is working fine now.
    I removed all code like $_POST['postedvalue'] and modified it to $this->input->post('postedvalue');
    I also checked the config.php file and set $config['global_xss_filtering'] to TRUE.
    Thank you @Arvin for your help
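The answer above fixes the problem on the input side. As an added example, not code from the question or the answer, the stand-alone PHP script below shows the same field rendered the unsafe way (raw superglobal echoed into HTML) and the escaped way, so that a reader can see what output escaping changes. The `$submitted` array is a constructed sample submission, and `render_unsafe`, `render_safe` and `validate_form` are names chosen here, not CodeIgniter APIs; the CodeIgniter 3 calls they stand in for (`$this->input->post()` and the `html_escape()` helper) are named in the comments. CodeIgniter 3's own user guide marks `global_xss_filtering` as deprecated, so escaping at output time is the check to keep regardless of that setting.

```php
<?php
// Added example (not from the question or the answer above). Runs with plain
// PHP 7+; CodeIgniter is not required, its calls are only referenced in comments.

// Constructed sample form submission: a field whose value happens to contain markup,
// which is the situation the answer describes ("data entered contained coding tags").
$submitted = [
    'postedvalue' => 'Hello <script>alert("xss")</script> world',
];

// "Before": the raw superglobal is echoed into HTML unchanged, so the markup becomes
// part of the page and the browser interprets it. This is the pattern the answer
// removed ($_POST['postedvalue'] used directly in a view).
function render_unsafe(array $post): string
{
    return '<p>' . $post['postedvalue'] . '</p>';
}

// "After": escape at output time. htmlspecialchars() with ENT_QUOTES and the site
// charset is what CodeIgniter 3's html_escape() helper does internally, so inside
// a CI3 view the equivalent is: <?= html_escape($value) ?>
function render_safe(array $post, string $charset = 'UTF-8'): string
{
    $value = $post['postedvalue'] ?? '';
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, $charset) . '</p>';
}

// Input-side validation complements escaping but does not replace it: only the
// fields the form is expected to carry are accepted, and each must be a string.
// In a CI3 controller the same allowlist would read each field through
// $this->input->post($field) instead of touching $_POST.
function validate_form(array $post, array $allowed_fields): array
{
    $clean = [];
    foreach ($allowed_fields as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing or malformed field: $field");
        }
        $clean[$field] = trim($post[$field]);
    }
    return $clean;
}

$data = validate_form($submitted, ['postedvalue']);

echo "Unsafe rendering (markup reaches the browser as markup):\n";
echo render_unsafe($data), "\n\n";

echo "Escaped rendering (markup reaches the browser as text):\n";
echo render_safe($data), "\n";
```

Run it with `php example.php` and compare the two blocks of output: in the escaped version the angle brackets and quotes are replaced by HTML entities, so the browser displays the submitted text literally instead of executing it. Applying the escape in the view, at the point where the value is written into HTML, is what makes the page safe independent of how the value was read in.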