codeigniter 2 and how to disabled xss for TinyMCE

There's no way to disable XSS filtering after Controller initialized.

Because if you enable $config['global_xss_filtering'] = TRUE; at config.php file, CodeIgniter Performs XSS filtering on $_POST, $_GET, $_COOKIE before initializing Controllers, Models and ...

So when you get access to Controller everything is done before.

While a solution is to disable $config['global_xss_filtering'] and run XSS filtering on specific variables as you need, There's a way to keep the original values (pre-filtered) somewhere for using them later:

1) Set the $config['enable_hooks'] to TRUE at application/config.php.

2) Insert the following into the application/config/hooks.php:

$hook['pre_controller'] = array(    'class'    => '',    'function' => 'keep_vars',    'filename' => 'keep_vars.php',    'filepath' => 'hooks',    'params'   => array($_POST, $_GET));

Note: We are using this Hook to execute keep_vars() function before Controller initialized ( you might also want to consider using 'pre_system' key).

3) Create keep_vars.php inside application/hooks/ directory with the content below:

<?phpfunction keep_vars ($vars = array()){    if (empty($vars)) return;    global $pre_filter;    $pre_filter = array();    foreach ($vars as $var) {        $pre_filter = array_merge($pre_filter, $var);    }}

4) Finally, when you want to get access to a variable in $_GET or $_POST in your controller, define the global $pre_filter variable inside the method:

class Foo extends CI_Controller {    public function __construct()    {        parent::__construct();    }    public function bar ()    {        // define as global        global $pre_filter;        // check the pre XSS filtered values        print_r($pre_filter);        // you can get access to pre filtered $_POST['key'] by:        echo $pre_filter['key'];    }}

After reading the security documentation 3 more times, it occurs to me the security setting are applied when a new controller is invoked so using

$this->config->set_item('global_xss_filtering', FALSE);

in a controller won't work. You can however use one of CI's hooks to accomplish this.

the pre_controller hook looks like it should do the trick for you.

theres a pretty nice tutorial about halfway down the page here that shows you how to override config items. Its under the 'Serving Separate Response Formats' section.

So in your config/hooks.php file add this:

$hook['pre_controller'] = array(   'class'     => 'the_name_of_your_controller',   'function'  => 'config', //or the name of the function that will fire on preload   'filename'  => 'the_file_name_of_your_controller.php',   'filepath'  => 'hooks'                );

THen in your controller add this function:

public function config() {   $CI      =& get_instance();   $CI->config->set_item( 'global_xss_filtering', FALSE );}