CodeIgniter 2 and how to disable XSS for TinyMCE
There's no way to disable XSS filtering after the Controller is initialized. Because if you enable $config['global_xss_filtering'] = TRUE; in the config.php file, CodeIgniter performs XSS filtering on $_POST, $_GET, $_COOKIE before initializing Controllers, Models and ... So when you get access to the Controller, everything has already been done.

While a solution is to disable $config['global_xss_filtering'] and run XSS filtering on specific variables as you need, there's a way to keep the original values (pre-filtered) somewhere for using them later:
1) Set the $config['enable_hooks'] to TRUE at application/config.php.

2) Insert the following into the application/config/hooks.php:
    $hook['pre_controller'] = array(
        'class'    => '',
        'function' => 'keep_vars',
        'filename' => 'keep_vars.php',
        'filepath' => 'hooks',
        // hooks.php is loaded before the Input class sanitizes the globals,
        // so these copies still hold the unfiltered values
        'params'   => array($_POST, $_GET)
    );
Note: We are using this Hook to execute the keep_vars() function before the Controller is initialized (you might also want to consider using the 'pre_system' key).
3) Create keep_vars.php inside the application/hooks/ directory with the content below:
    <?php
    // Called by the pre_controller hook; $vars is the 'params' array from hooks.php
    function keep_vars($vars = array())
    {
        if (empty($vars)) return;

        global $pre_filter;
        $pre_filter = array();

        // Merge every passed array ($_POST, $_GET) into one pre-filtered copy
        foreach ($vars as $var) {
            $pre_filter = array_merge($pre_filter, $var);
        }
    }
4) Finally, when you want to get access to a variable in $_GET or $_POST in your controller, define the global $pre_filter variable inside the method:
    class Foo extends CI_Controller {

        public function __construct()
        {
            parent::__construct();
        }

        public function bar()
        {
            // define as global
            global $pre_filter;

            // check the pre XSS filtered values
            print_r($pre_filter);

            // you can get access to pre filtered $_POST['key'] by:
            echo $pre_filter['key'];
        }
    }
After reading the security documentation 3 more times, it occurs to me the security settings are applied when a new controller is invoked, so using
    $this->config->set_item('global_xss_filtering', FALSE);
in a controller won't work. You can however use one of CI's hooks to accomplish this. The pre_controller hook looks like it should do the trick for you.

There's a pretty nice tutorial about halfway down the page here that shows you how to override config items. It's under the 'Serving Separate Response Formats' section.

So in your config/hooks.php file add this:
    $hook['pre_controller'] = array(
        'class'    => 'the_name_of_your_controller',
        'function' => 'config', // or the name of the function that will fire on preload
        'filename' => 'the_file_name_of_your_controller.php',
        'filepath' => 'hooks'
    );
Then in your controller add this function:
    public function config()
    {
        $CI =& get_instance();
        $CI->config->set_item('global_xss_filtering', FALSE);
    }
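The per-field alternative that the first answer mentions (turn $config['global_xss_filtering'] off and filter specific variables yourself), written out as an added example that is not from either answer or from CodeIgniter itself: every ordinary field still goes through CodeIgniter 2's $this->input->post($key, TRUE), which runs xss_clean on that one field, while the TinyMCE field skips xss_clean and is instead reduced to a small HTML allowlist with DOMDocument before it is stored. The controller name, the field names and the allowlist policy are assumptions.

```php
<?php
// Added example (not from either answer): global_xss_filtering is OFF in config.php,
// ordinary fields get xss_clean per field, only the TinyMCE field keeps allowlisted markup.
class Post extends CI_Controller {
    // Assumed policy: tags TinyMCE output may keep, and the attributes allowed per tag.
    private $allowed_tags  = array('p', 'br', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'a');
    private $allowed_attrs = array('a' => array('href'));

    public function save()
    {
        $title = $this->input->post('title', TRUE);  // TRUE = run xss_clean on this field
        $body  = $this->sanitize_editor_html($this->input->post('body'));  // raw, then allowlisted
        // ... store $title and $body (assumed model call); $body now only contains allowlisted HTML ...
    }

    public function sanitize_editor_html($html)
    {
        $doc = new DOMDocument();
        libxml_use_internal_errors(TRUE);                       // tolerate TinyMCE's loose HTML
        $doc->loadHTML('<?xml encoding="UTF-8">' . $html);     // libxml wraps the fragment in html/body
        libxml_clear_errors();
        $body = $doc->getElementsByTagName('body')->item(0);
        $this->prune($body);
        $out = '';
        foreach ($body->childNodes as $child) $out .= $doc->saveHTML($child);
        return $out;
    }

    // Drop script/style subtrees, unwrap tags outside the allowlist (their text survives),
    // strip every attribute not allowed for that tag, and accept only http(s) hrefs.
    private function prune(DOMNode $node)
    {
        for ($i = $node->childNodes->length - 1; $i >= 0; $i--) {
            $child = $node->childNodes->item($i);
            if ($child->nodeType !== XML_ELEMENT_NODE) continue;
            $tag = strtolower($child->nodeName);
            if ($tag === 'script' || $tag === 'style') { $node->removeChild($child); continue; }
            $this->prune($child);
            if (!in_array($tag, $this->allowed_tags)) {
                while ($child->firstChild) $node->insertBefore($child->firstChild, $child);
                $node->removeChild($child);
                continue;
            }
            $keep = isset($this->allowed_attrs[$tag]) ? $this->allowed_attrs[$tag] : array();
            for ($j = $child->attributes->length - 1; $j >= 0; $j--) {
                $attr = $child->attributes->item($j);
                if (!in_array($attr->name, $keep) || ($attr->name === 'href' && !preg_match('#^https?://#i', trim($attr->value)))) {
                    $child->removeAttribute($attr->name);
                }
            }
        }
    }
}
```

Storing the allowlisted markup rather than the raw editor input means the value taken from $_POST (or from $pre_filter) never reaches a view unfiltered, which is the exposure both hook-based approaches above would otherwise leave open.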