CodeIgniter xss_clean filter Example
In this article we show how to use the XSS filter that ships with CodeIgniter. XSS stands for cross-site scripting: an attacker gets JavaScript (or other active content) into a page served by your application, where it runs in the victim's browser with the victim's session and can steal cookies or perform actions as that user. CodeIgniter's Security class provides an xss_clean() filter that scans a string for such content and rewrites it so that it no longer executes when echoed into a page. The Security class is a core class and is loaded automatically, but the filter itself only runs when you ask for it: explicitly via $this->security->xss_clean(), or by passing TRUE as the second argument to $this->input->post() (the old global_xss_filtering config option is deprecated in CodeIgniter 3 and should not be relied on).
Before implementing the xss_clean filter in CodeIgniter, look at the file structure of the example project:
- codeigniter-xss-clean
  - application
    - config
      - routes.php
    - controllers
      - Contactus.php
    - views
      - contactForm
        - index.php
      - templates
        - header.php
        - footer.php
  - system
  - index.php
  - assets
    - images
    - css
      - style.css
Syntax:

The Security class is a CodeIgniter core class, so `$this->security` is available in every controller without loading anything. The `security` helper is optional; it only adds a procedural `xss_clean()` wrapper around the same method. Load it in the controller if you want that wrapper:

```php
<?php
// Load the security helper (optional: provides the xss_clean() function wrapper).
$this->load->helper('security');
```

Call the filter on a string, or on an array of strings, through the Security class. It returns the cleaned copy; the original is not modified in place:

```php
<?php
$data = $this->security->xss_clean($data);
```
Create a controller file, Contactus.php, inside the “application/controllers” folder. It renders the form and, on submit, passes the posted values to the view twice: once unfiltered and once after xss_clean(), so the two can be compared side by side.

```php
<?php
/**
 * Contactus controller: renders the contact form and, on submit, shows the
 * posted values both unfiltered and after xss_clean() for comparison.
 *
 * @author TechArise Team
 * @email  info@techarise.com
 */
defined('BASEPATH') OR exit('No direct script access allowed');

class Contactus extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        // url and form helpers are used by the view (base_url(), form markup).
        $this->load->helper('url');
        $this->load->helper('form');
        // The security helper provides the xss_clean() function wrapper; the
        // Security class itself ($this->security) is a core class and is
        // already loaded, so this line is optional for the code below.
        $this->load->helper('security');
    }

    // Contact page (GET).
    public function index()
    {
        $this->load->view('contactForm/index');
    }

    // Form submission (POST).
    public function submitAction()
    {
        // Raw POST values, exactly as the browser sent them.
        $data['nonxssData'] = array(
            'first_name' => $this->input->post('first_name'),
            'last_name'  => $this->input->post('last_name'),
            'email'      => $this->input->post('email'),
            'message'    => $this->input->post('message'),
        );

        // The same values passed through the Security class's XSS filter.
        // xss_clean() accepts an array and cleans every element; it rewrites
        // <script> tags, on* event handler attributes and javascript: URLs so
        // that they no longer execute when the value is echoed into a page.
        $data['xssData'] = $this->security->xss_clean($data['nonxssData']);

        // Hand both versions to the view so the result can be compared.
        $this->load->view('contactForm/index', $data);
    }
}
```
Create a view file, index.php, inside the “application/views/contactForm” folder. The right-hand column echoes the raw POST values and is deliberately vulnerable; it exists only to show what happens without the filter. The sample payload shown above the form is written with HTML entities so that it is displayed rather than executed.

```php
<?php $this->load->view('templates/header'); ?>
<main role="main" class="container mcontainer">
  <div class="wrapper">
    <form method="post" action="<?php echo base_url(); ?>contactus/submitaction" id="contact-us" name="contact_us" class="contact-us-form">
      <h4 class="contact-us-form-heading">CodeIgniter xss_clean filter Example</h4>
      <div class="row">
        <div class="col-lg-12 col-md-12 col-sm-12">
          <p>
            <strong>Check xss_clean():</strong>
            <?php /* Entity-encoded so the browser shows the payload as text instead of running it. */ ?>
            &lt;script&gt; alert('check_xss_clean') &lt;/script&gt;
          </p>
        </div>
      </div>
      <?php if (!empty($this->input->post('check_xss_clean'))) { ?>
      <div class="row">
        <div class="col-lg-6 col-md-6 col-sm-6">
          <h3>Result: with xss_clean CodeIgniter</h3>
          <?php /* Filtered values: script tags and event handlers have been rewritten by xss_clean(). */ ?>
          <label>First Name: </label> <?php echo $xssData['first_name']; ?>
          <label>Last Name: </label> <?php echo $xssData['last_name']; ?>
          <label>Email: </label> <?php echo $xssData['email']; ?>
          <label>Message: </label> <?php echo $xssData['message']; ?>
        </div>
        <div class="col-lg-6 col-md-6 col-sm-6">
          <h3>Result: without xss_clean CodeIgniter</h3>
          <?php /* Deliberately vulnerable: raw POST values echoed straight into the page (reflected XSS). */ ?>
          <label>First Name: </label> <?php echo $nonxssData['first_name']; ?>
          <label>Last Name: </label> <?php echo $nonxssData['last_name']; ?>
          <label>Email: </label> <?php echo $nonxssData['email']; ?>
          <label>Message: </label> <?php echo $nonxssData['message']; ?>
        </div>
      </div>
      <?php } else { ?>
      <div class="row">
        <div class="col-lg-12 col-md-12 col-sm-12">
          Nothing submitted yet. Fill in the form and submit it to compare the filtered and unfiltered values.
        </div>
      </div>
      <?php } ?>
      <div class="form-group">
        <label for="first-name">First Name</label>
        <input type="text" class="form-control" id="first-name" name="first_name" placeholder="First Name*" required />
      </div>
      <div class="form-group">
        <label for="last-name">Last Name</label>
        <input type="text" class="form-control" id="last-name" name="last_name" placeholder="Last Name*" required />
      </div>
      <div class="form-group">
        <label for="email">Email</label>
        <input type="email" class="form-control" id="email" name="email" placeholder="Email*" required />
      </div>
      <div class="form-group">
        <label for="message">Message</label>
        <input type="text" class="form-control" id="message" name="message" placeholder="Message*" required />
      </div>
      <button type="submit" name="check_xss_clean" value="check_xss_clean" class="btn btn-primary">Submit</button>
    </form>
  </div>
</main>
<?php $this->load->view('templates/footer'); ?>
```
Sample payload to type into one of the form fields:

```html
Check: xss_clean(): <script> alert('check_xss_clean') </script>
```

Note: enter the payload above in any field and submit the form. In the “without xss_clean” column the raw POST value is echoed into the page, so the browser executes the script and shows the alert: that column is a reflected XSS and is there only to demonstrate the flaw. In the “with xss_clean” column the filter has rewritten the script tag, so the text is displayed instead of executed. Keep in mind that xss_clean() is a blacklist filter intended for cases where some HTML must be allowed through, and CodeIgniter's own manual recommends applying it on output rather than blindly on all input. For ordinary text fields such as these the robust fix is to encode on output, with html_escape() or htmlspecialchars(), so that whatever the user typed is shown as text in every context.
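The following is an added example, not code from the original article or from the CodeIgniter project. It is a stand-alone PHP script (run it with `php` on the command line; no framework needed) that reproduces the raw echo used in the “without xss_clean” column, then shows the output encoding that CodeIgniter's html_escape() wraps, applied to the three contexts a form value typically lands in: a text node, a quoted attribute and a link href. The payload strings are constructed for the demonstration and the function names (esc_html, render_raw, render_text, render_attr, render_link, is_inert) are the example's own.

```php
<?php
// Added example: stand-alone PHP, not from the article or from CodeIgniter.
// Reproduces the view's raw echo (reflected XSS) and the output-encoding fix.
declare(strict_types=1);

// Constructed attacker inputs (not captured data): one benign value and four
// payloads aimed at different places a form value can land in the page.
const PAYLOADS = [
    'benign'        => "Alice O'Brien",
    'script_tag'    => "<script> alert('check_xss_clean') </script>",
    'img_onerror'   => '<img src=x onerror=alert(1)>',
    'attr_breakout' => '" autofocus onfocus=alert(1) x="',
    'js_scheme'     => 'javascript:alert(document.cookie)',
];

/** Encode a value for an HTML text node or a double-quoted attribute value. */
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: the view's `<?php echo $nonxssData['first_name']; ?>` pattern. */
function render_raw(string $value): string
{
    return '<label>First Name: </label> ' . $value;
}

/** Hardened text-node output: tags and quotes arrive as entities, never as markup. */
function render_text(string $value): string
{
    return '<label>First Name: </label> ' . esc_html($value);
}

/** Hardened attribute output (value echoed back into a sticky form field). */
function render_attr(string $value): string
{
    return '<input type="text" name="first_name" value="' . esc_html($value) . '">';
}

/**
 * Encoding alone does nothing for a URL context: javascript:alert(1) contains
 * no special HTML characters. Allow-list the scheme first, then encode.
 */
function render_link(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $href   = in_array($scheme, ['http', 'https'], true) ? $url : '#';
    return '<a href="' . esc_html($href) . '">link</a>';
}

/** True if the encoded value no longer carries any character that can open markup. */
function is_inert(string $encoded): bool
{
    return strpbrk($encoded, '<>"\'') === false;
}

// Walk the payloads and show what would reach the browser in each context.
foreach (PAYLOADS as $name => $payload) {
    echo "== {$name}\n";
    echo "raw  : " . render_raw($payload) . "\n";   // the XSS payloads execute in a browser
    echo "text : " . render_text($payload) . "\n";  // shown as literal text
    echo "attr : " . render_attr($payload) . "\n";  // stays inside the quotes
    echo "link : " . render_link($payload) . "\n";  // javascript: replaced by '#'
    echo "inert: " . (is_inert(esc_html($payload)) ? 'yes' : 'no') . "\n\n";
}
```

The point of the three render functions is that the defence is chosen by where the value lands, not by what the value looks like: the same esc_html() is correct for text nodes and quoted attributes, while the href case needs scheme validation before encoding. A filter such as xss_clean() can sit in front of this as defence in depth, but it should not replace it.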