
Codeigniter global_xss_filtering


Turn it off by default then enable it for places that really need it.

For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.

One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.

http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php

It's one hell of a long way around, but it works.

Perhaps a config option could be created listing the bad elements for 2.0?


My case was that I wanted global_xss_filtering to be on by default, but sometimes I needed the $_POST data (psst, you can do this to any global PHP array, e.g. $_GET...) raw, as sent from the browser, so my solution was to:

  1. open index.php in the root folder of the project
  2. add the following line of code, $unsanitized_post = $_POST;, after $application_folder = 'application'; (line #92)
  3. then, whenever I needed the raw $_POST, do the following:

    global $unsanitized_post;

    print_r($unsanitized_post);


In CodeIgniter 2.0 the best thing to do is to override xss_clean in the core CI library. Using MY_Security.php, put this in the application/core folder, then in /application/config.php set:

$config['xss_exclude_uris'] = array('controller/method');

Here's MY_Security.php (https://gist.github.com/slick2/39f54a5310e29c5a8387):

<?php
/**
 * CodeIgniter version 2
 * Note: Put this on your application/core folder
 */
class MY_Security extends CI_Security {

    /**
     * Method: __construct();
     * magic
     */
    function __construct()
    {
        parent::__construct();
    }

    function xss_clean($str, $is_image = FALSE)
    {
        $bypass = FALSE;

        /**
         * By pass controllers set in /application/config/config.php
         * config.php
         * $config['xss_exclude_uris'] = array('controller/method')
         */
        $config = new CI_Config;
        $uri = new CI_URI;
        $uri->_fetch_uri_string();
        $uri->_explode_segments();
        $controllers_list = $config->item('xss_exclude_uris');

        // we need controller class and method only
        if (!empty($controllers_list))
        {
            $segments = array(0 => NULL, 1 => NULL);
            $segments = $uri->segment_array();
            if (!empty($segments))
            {
                if (!empty($segments[1]))
                {
                    $action = $segments[0] . '/' . $segments[1];
                }
                else
                {
                    $action = $segments[0];
                }
                if (in_array($action, $controllers_list))
                {
                    $bypass = TRUE;
                }
            }
            // we unset the variable
            unset($config);
            unset($uri);
        }

        if ($bypass)
        {
            return $str;
        }
        else
        {
            return parent::xss_clean($str, $is_image);
        }
    }
}
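The matching rule that the override above applies, pulled out as an added example so it can be exercised without booting CodeIgniter. This is not code from the thread, the gist, or CodeIgniter itself; it assumes CI-style URI segments (the path split on '/', no leading slash) and uses hypothetical controller and method names. It pairs the bypass decision with the step any excluded handler then owes: escaping the raw value when it is rendered into HTML.

```php
<?php
// Added example (not from the thread, not CodeIgniter code): the URI matching
// rule used by the MY_Security override above as a pure function, plus the
// output-escaping step a handler needs once it receives unfiltered input.
// Assumes CI-style segments: 'controller/method/...' split on '/', no leading slash.

/**
 * Returns TRUE when the request (given as URI segments) is in the exclusion
 * list and the XSS filter should be skipped. Mirrors the override: the key is
 * 'controller/method' when a second segment exists, otherwise just
 * 'controller', and the comparison is an exact match.
 */
function xss_filter_bypassed(array $segments, array $exclude_uris)
{
    if (empty($segments) || empty($exclude_uris)) {
        return FALSE;
    }
    $action = !empty($segments[1])
        ? $segments[0] . '/' . $segments[1]
        : $segments[0];
    return in_array($action, $exclude_uris, TRUE);
}

/**
 * Output encoding for a value that bypassed the input filter: whatever the
 * handler stored raw must be escaped at the point it is written into HTML.
 */
function escape_for_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample config and requests (hypothetical controller names).
$exclude  = array('pages/save', 'comments/preview');
$requests = array(
    'pages/save'       => array('pages', 'save'),
    'pages/save/42'    => array('pages', 'save', '42'),
    'pages/delete'     => array('pages', 'delete'),
    'pages'            => array('pages'),
    'comments/preview' => array('comments', 'preview'),
);

foreach ($requests as $label => $segments) {
    $bypass = xss_filter_bypassed($segments, $exclude);
    printf("%-18s filter skipped: %s\n", $label, $bypass ? 'yes' : 'no');
}

// A raw value reaching a bypassed handler, rendered safely on output.
$raw = '<b>title</b> <script>alert(1)</script>';
echo escape_for_html($raw), "\n";
```

Two properties of the rule are worth knowing before relying on it: only the first two segments are compared, so 'pages/save/42' is excluded whenever 'pages/save' is, and an entry such as 'pages' on its own matches only requests with no method segment (the controller's default method), not every method of that controller. Because an excluded handler receives input exactly as the browser sent it, it must do its own escaping on output, which is what escape_for_html stands in for here.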