Codeigniter global_xss_filtering
Turn it off by default then enable it for places that really need it.
For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.
One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.
http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php
It's one hell of a long way around, but it works.
Perhaps a config option listing the bad elements could be created for 2.0?
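The per-input approach described in this answer, written out as an added example (not code from the answer's author or from PyroCMS) for CodeIgniter 2: the global filter stays off and xss_clean() runs only on the fields that need it. The controller, method and field names are made up.

```php
<?php
// application/config/config.php: keep the global filter off so no request has
// its $_POST/$_GET/$_COOKIE values rewritten behind the controller's back
// $config['global_xss_filtering'] = FALSE;

// application/controllers/comments.php (hypothetical controller)
class Comments extends CI_Controller {

    public function submit()
    {
        // Second argument TRUE runs CI_Security::xss_clean() on this field only
        $body = $this->input->post('body', TRUE);

        // The same filter called explicitly; useful when the value comes from
        // somewhere other than $_POST
        $title = $this->security->xss_clean($this->input->post('title'));

        // A field that must survive untouched (a code sample, an <embed> tag a
        // page editor needs) is read without the filter
        $raw = $this->input->post('snippet');

        // ... validate and store $title, $body and $raw ...

        // Whatever was stored, encode it at the point it is rendered into HTML.
        // xss_clean() strips or rewrites known-bad constructs on input; it is not
        // an output encoder, so the raw value still needs escaping here.
        echo htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    }
}
```

Reading a field with `post('name', TRUE)` and reading it again without the flag give two different strings, so decide per field once and keep the unfiltered copy only where the raw bytes are genuinely needed.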
My case was that I wanted global_xss_filtering to be on by default, but sometimes I needed the $_POST data (psst, you can do this to any global PHP array, e.g. $_GET...) raw, as sent from the browser, so my solution was to:
- open index.php in the root folder of the project
- add the following line of code, $unsanitized_post = $_POST;, after $application_folder = 'application'; (line #92)
then whenever I needed the raw $_POST I would do the following:
global $unsanitized_post;
print_r($unsanitized_post);
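The raw-copy approach from this answer written out end to end, as an added example that is not the answer's own code. The copy has to be taken in index.php before CodeIgniter's Input class runs, because once global_xss_filtering has rewritten $_POST the original bytes are gone; the controller, method and field names are assumptions.

```php
<?php
// index.php (project root, CodeIgniter 2): the copy is taken before the
// framework boots, so it is the request body exactly as the browser sent it
$application_folder = 'application';
$unsanitized_post = $_POST;   // still unfiltered at this point

// application/controllers/import.php (hypothetical controller)
class Import extends CI_Controller {

    public function save()
    {
        // $_POST and $this->input->post() have already been through xss_clean()
        // because global_xss_filtering is on; the copy has not
        global $unsanitized_post;

        $payload = isset($unsanitized_post['payload']) ? $unsanitized_post['payload'] : '';

        // The copy bypasses the filter for every controller, not just this one,
        // so it is untrusted input: validate it against what the field is
        // supposed to contain before doing anything with it
        if (strlen($payload) > 65536) {
            show_error('payload too large');
        }

        // ... store $payload unchanged ...

        // and encode it whenever it is rendered back into an HTML page
        echo htmlspecialchars($payload, ENT_QUOTES, 'UTF-8');
    }
}
```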
In CodeIgniter 2.0 the best thing to do is to override xss_clean on the core CI library using MY_Security.php: put it in the application/core folder, then in /application/config.php set
$config['xss_exclude_uris'] = array('controller/method');
here's the MY_Security.php https://gist.github.com/slick2/39f54a5310e29c5a8387:
```php
<?php
/**
 * CodeIgniter version 2
 * Note: Put this on your application/core folder
 */
class MY_Security extends CI_Security {

    /**
     * Method: __construct();
     * magic
     */
    function __construct()
    {
        parent::__construct();
    }

    function xss_clean($str, $is_image = FALSE)
    {
        $bypass = FALSE;

        /**
         * Bypass controllers set in /application/config/config.php
         * config.php
         * $config['xss_exclude_uris'] = array('controller/method')
         */
        $config = new CI_Config;
        $uri = new CI_URI;
        $uri->_fetch_uri_string();
        $uri->_explode_segments();

        $controllers_list = $config->item('xss_exclude_uris');

        // we need controller class and method only
        if (!empty($controllers_list)) {
            $segments = array(0 => NULL, 1 => NULL);
            $segments = $uri->segment_array();

            if (!empty($segments)) {
                if (!empty($segments[1])) {
                    $action = $segments[0] . '/' . $segments[1];
                } else {
                    $action = $segments[0];
                }

                if (in_array($action, $controllers_list)) {
                    $bypass = TRUE;
                }
            }

            // we unset the variable
            unset($config);
            unset($uri);
        }

        if ($bypass) {
            return $str;
        } else {
            return parent::xss_clean($str, $is_image);
        }
    }
}
```