Style attribute of html editor lost in Codeigniter

Sometimes a user copy-pastes complete HTML content, with CSS styles and HTML elements, into an HTML editor (CKEditor, TinyMCE etc.), but CodeIgniter by default filters the styles out of the posted data.

This style filtering is done in the method “_remove_evil_attributes” of the file “application/core/CP_Security.php”.


One easy way to fix this issue is to set global_xss_filtering = false in config.php, but then cross-site scripting attacks will not be handled anywhere in the application.

So the better way to fix this issue is to prevent the filtering of style only in those places in the application where it is needed.

To prevent CodeIgniter from filtering styles, extend the CodeIgniter core Security class in the file “CP_Security.php” and override its method “_remove_evil_attributes” to apply your own setting as required.

Code:

The line below in the method “_remove_evil_attributes” of the file CP_Security.php is what filters the style attribute.

// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');


So the above line can be modified as below by overriding the method “_remove_evil_attributes”.

// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns

// List the actions from which you post content with CSS and want to skip the style filtering.
$allowed = array('/controller_name1/action1', '/controller_name2/action2', '/controller_name3/action3');

// If the POST data comes from an allowed action, style is kept; otherwise style is filtered as usual.
if (in_array($_SERVER['REQUEST_URI'], $allowed)) {
    $evil_attributes = array('on\w*', 'xmlns', 'formaction');
} else {
    $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
}


If you do not know how to extend a CodeIgniter class and override its method, follow the “Extending Core Class” section in the official CodeIgniter link below:

https://ellislab.com/codeigniter/user-guide/general/core_classes.html
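As an added example (not the post's own code), here is the complete extended class that the CP_ subclass prefix implies, with constructed route paths. It differs from the post in two labelled ways: it compares only the request path, so a query string on the same route still matches, and the attribute-stripping loop is a simplified stand-in for the framework's own, so in a real install copy that loop from your version's system/core/Security.php instead.

```php
<?php
// application/core/CP_Security.php
// Assumes $config['subclass_prefix'] = 'CP_' (the default prefix is 'MY_').
class CP_Security extends CI_Security
{
    // Routes whose POST data may keep style="" (constructed example paths).
    protected $style_allowed_routes = array('/pages/update', '/articles/save');

    protected function _remove_evil_attributes($str, $is_image)
    {
        // Compare only the path, so "/pages/update?draft=1" still matches.
        $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

        // Event handlers, xmlns and formaction are always removed.
        $evil_attributes = array('on\w*', 'xmlns', 'formaction');

        // style is removed everywhere except on the allowed routes.
        if ( ! in_array($path, $this->style_allowed_routes, TRUE))
        {
            $evil_attributes[] = 'style';
        }

        if ($is_image === TRUE)
        {
            // Photoshop writes xmlns into JFIF metadata, so images keep it.
            unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
        }

        return $this->_strip_attributes($str, $evil_attributes);
    }

    // Simplified stand-in for the framework's removal loop: drops each
    // matching attribute (quoted or unquoted value) inside a tag and
    // repeats until nothing changes, so stacked attributes are all removed.
    protected function _strip_attributes($str, $evil_attributes)
    {
        $names   = implode('|', $evil_attributes);
        $pattern = '/<([^>]*?)\s+(?:'.$names.')\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]*)/is';
        do {
            $str = preg_replace($pattern, '<$1', $str, -1, $count);
        } while ($count > 0);
        return $str;
    }
}
```

With the class in place, a POST to /pages/update keeps `<p style="color:red">` while `onclick="..."` is still stripped; the same input posted to any other route loses the style attribute as before.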

4 thoughts on “Style attribute of html editor lost in Codeigniter”

1. Hi Ola, if you are asking what to use for your domain then, as you said that your controller is ‘pages’ and action is ‘update’, you need to have ‘/pages/upload’ in the array. I think it should work.
