Codeigniter - Disable XSS filtering on a post basis
If you want to change the default behavior of the post()
method, you can extend the core Input library, or if you're lazy you can just change line 278 (or so) of the Input library to read:
/*** Fetch an item from the POST array** @access public* @param string* @param bool* @return string*/function post($index = '', $xss_clean = TRUE){ return $this->_fetch_from_array($_POST, $index, $xss_clean);}
The only difference here is that I've changed the $xss_clean variable to TRUE
instead of FALSE
. Now you can turn off global XSS filtering and it will automatically filter inputs unless you specify false as the second parameter in your call to the Input library's post()
method. Just one method down is the get()
method, and you can change that in the same way.
However, if I were you, I'd just extend the native library, because there's a good chance you'll have forgotten about this by the time you update CodeIgniter, and then you'll suddenly be wondering why you're getting XSS attacked. That would look like this:
class MY_Input extends CI_Input { function My_Input() { parent::CI_Input(); } function post($index = '', $xss_clean = TRUE) { return parent::post($index, $xss_clean); }}
You can learn more about extending libraries here:
http://codeigniter.com/user_guide/general/creating_libraries.html
If you want to keep global xss_clean
enabled and override on only certain cases, you can extend the Input library to keep a clone of $_POST
for providing raw data when asked:
<?php if (!defined('BASEPATH')) exit('No direct access allowed.');class MY_Input extends CI_Input {public function __construct() { $this->_POST_RAW = $_POST; //clone raw post data parent::__construct(); }public function post($index = null, $xss_clean = TRUE) { if(!$xss_clean){ //if asked for raw post data -eg. post('key', false)-, return raw data. Use with caution. return $this->_POST_RAW[$index]; } return parent::post($index, $xss_clean); }}?>
This way you can use $this->input->post('mydata', FALSE)
to retrieve un-sanitized raw post data even if xss_clean
is enabled globally.
i defined
global $mypost;$mypost=$_POST;
in index.php of my root cms
then anywhere i can the global variable like
global $mypost;$var=isset($mypost["field"])? $mypost["field"]:"";
whenever i need post without filter.
worked for me hope it helps.