Codeigniter 3 - XSS Filtering


Which is the correct way to do XSS filtering in Codeigniter 3?

The current consensus in the development community seems to be that XSS filtering should be done at output instead of input. There are strong arguments and supporters for both input and output filtering, though.

It is a large and somewhat complex topic. Find more than you wanted to know at

https://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/cross-site-malicious-content.html

and

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Introduction

and

https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

After reading and comprehending all of that you may find that preventing XSS requires a lot of thought and work during both input and output.

Many people recommend not using Codeigniter's XSS functionality and opt for something like HTML Purifier instead.

If no XSS filtering is applied through $this->input->post('variable'), what are the other advantages of using this rather than $_POST?

The primary advantage of using $this->input->post('variable') is that it will check that the index ('variable') exists in $_POST. To use $_POST directly you really should make sure the array has that index.

    if (isset($_POST['variable'])) {
        // do stuff with $_POST['variable']
    }

Without the isset test you run the risk of fatal runtime errors. So using $this->input->post('variable') removes the tedium of continually building that if block.
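The two points of that answer, retrieving input without undefined-index errors and escaping at output time, in plain PHP as an added example (this is not code from the answer or from CodeIgniter; post_value(), escape_html() and plain_text() are hypothetical helpers standing in for $this->input->post() and an output escaper, and the $_POST contents are constructed):

```php
<?php
// Constructed sample request: what a form submission might carry in $_POST.
$_POST = [
    'comment' => '<script>alert("xss")</script> Nice "post" <b>!</b>',
];

// Hypothetical stand-in for $this->input->post('key'): returns null instead of
// raising an undefined-index notice when the key is missing, and rejects
// array values (a form can submit name[]=... and turn a string into an array).
function post_value(string $key): ?string
{
    return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : null;
}

// Escape for an HTML body or quoted-attribute context at the moment of output.
// ENT_QUOTES covers both quote styles so the value is also safe inside a
// double- or single-quoted attribute; the charset must match the page encoding.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Plain-text field: strip markup at input, as the second answer describes.
// Caveat: strip_tags() removes the tags but keeps their inner text, so the
// result is plain text, not a guarantee that nothing unwanted survived.
function plain_text(string $value): string
{
    return trim(strip_tags($value));
}

// The raw value is kept as submitted; escaping happens only when rendering,
// so the same stored value can later be emitted into a different context.
$comment = post_value('comment') ?? '';
$missing = post_value('does_not_exist'); // null, and no notice is raised

echo '<p>' . escape_html($comment) . "</p>\n";
echo '<input type="text" value="' . escape_html($comment) . "\">\n";
echo plain_text($comment) . "\n";
var_dump($missing);
```

Run it with `php example.php` and compare the first two lines with the raw `$_POST['comment']`: the markup reaches the browser as inert text in both the element body and the attribute.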


On the project http://conferience.com that I worked on 2 years ago, we used HTML Purifier to prevent XSS attacks. Also, when a plaintext input was needed, we just stripped any HTML string using PHP's native strip_tags method.

Therefore we set the following setting:

    $config['global_xss_filtering'] = FALSE;

And applied manual handling to $_POST['something'] / $this->input->post('something') inputs.