CodeIgniter 2.1.3 xss_clean() filter bypass
Description
CodeIgniter versions prior to 2.1.4 contain a filter bypass vulnerability in the xss_clean() function, which is designed to sanitize user input and prevent cross-site scripting (XSS) attacks. The function fails to properly strip malicious attributes from improperly closed HTML tags. While xss_clean() correctly removes dangerous attributes like 'onerror' from properly formed tags, it does not process tags missing their closing angle bracket (>). Modern web browsers automatically correct this malformed HTML during parsing, treating the unclosed tag as valid and executing any embedded malicious code. For example, the input <img src="a" onerror='alert(1)' (without the closing >) bypasses the filter but executes in the browser.
Remediation
Immediately upgrade to CodeIgniter version 2.1.4 or later, which resolves this filter bypass vulnerability. Follow these steps:
1. Update CodeIgniter: Download and install CodeIgniter 2.1.4 or the latest stable version from the official CodeIgniter website
2. Review Input Validation: Do not rely solely on xss_clean() for XSS protection. Implement defense-in-depth by using context-appropriate output encoding:
// Use htmlspecialchars() for HTML context echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8'); // For JavaScript context, use json_encode() echo '<script>var data = ' . json_encode($user_input) . ';</script>';
3. Enable Content Security Policy (CSP): Implement CSP headers to provide an additional layer of XSS protection
4. Test Thoroughly: After upgrading, test all user input handling and output rendering functionality to ensure proper sanitization
5. Security Audit: Review all code that previously relied on xss_clean() and implement proper context-aware output encoding