Description
The CodeIgniter framework contains a function, xss_clean(), which is intended to filter out potential XSS attacks. The xss_clean() function would only strip attributes from HTML tags that were properly closed. However, browsers which see unclosed tags can choose to parse them as though they were properly formed. For example:
<img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
The lack of a > at the end meant that the onerror attribute wasn't stripped by xss_clean(). However, browsers would parse this input as a valid img tag with src and onerror attributes.
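A simplified model of this class of flaw, added here as an illustration; it is not CodeIgniter's xss_clean() code or the 2.1.4 fix. The regexes and the names strip_handlers and has_handler are assumptions made for the example, and the sample input is the string quoted above.

```python
import re

# Event-handler attribute (onerror=, onclick=, ...) with a quoted or bare value.
ON_ATTR = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)

# Flawed model: text only counts as a tag when a closing '>' is present.
CLOSED_TAG = re.compile(r"<[a-z][^<>]*>", re.I)

# Hardened model: a tag ends at '>', at the next '<', or at end of input,
# which is closer to how a lenient HTML parser treats the markup.
ANY_TAG = re.compile(r"<[a-z][^<>]*(?:>|(?=<)|$)", re.I)


def strip_handlers(html, tag_re):
    """Remove on* attributes from every span that tag_re recognises as a tag."""
    return tag_re.sub(lambda m: ON_ATTR.sub("", m.group(0)), html)


def has_handler(html):
    """True if an on* attribute survives in any tag, closed or unclosed."""
    return any(ON_ATTR.search(m.group(0)) for m in ANY_TAG.finditer(html))


# Sample input taken from the description above, plus a closed variant.
UNCLOSED = """<img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'"""
CLOSED = UNCLOSED + ">"

if __name__ == "__main__":
    for label, sample in (("closed", CLOSED), ("unclosed", UNCLOSED)):
        flawed = strip_handlers(sample, CLOSED_TAG)
        hardened = strip_handlers(sample, ANY_TAG)
        print(label)
        print("  flawed filter  :", flawed, "| handler left:", has_handler(flawed))
        print("  hardened filter:", hardened, "| handler left:", has_handler(hardened))
```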
Remediation
Upgrade to the latest version of CodeIgniter (this problem was fixed in version 2.1.4).