CodeIgniter input filtering


Is there any way around this that does not involve turning global_xss_filtering off?

Nope, sorry. You have to turn it off because it alters the raw post data early in CI's execution.

I could rant for 5 pages about the proper use of the xss filter, but I'll try and keep it concise:

  • Filter output, not input
  • Always keep the context in mind and escape appropriately (is this HTML? SQL? javascript? text file?)
  • The global filter is a security blanket. You can remove it once you know what you're doing.

Here's just one of many tragic examples of why the global XSS filter is a bad idea:

  • A user signs up for an account, and sets his password to document.write123
  • You process the password, and end up hashing the string [removed]123
  • Now, the user can log in with any of the following passwords, because those will also get turned into [removed]123 by the filter before you hash them to validate:

    • <script>123
    • document.write123
    • document.cookie123
    • etcetera...

That shouldn't happen. A user shouldn't be able to log in with multiple passwords (unless it's by design... I suppose).

Also, good luck saving any of your blog posts that use <iframe>s... YouTube videos for example.
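An added illustration of the password collision described in the answer, alongside the "filter output, not input" rule (example code, not CodeIgniter's own; the filter below is a constructed stand-in for the global filter, not xss_clean(), and the salt and passwords are constructed):

```python
import hashlib
import hmac
import html
import re

# Constructed stand-in for a global XSS filter: it only knows the tokens the
# answer mentions and is NOT CodeIgniter's xss_clean(); it exists to show the effect.
_DANGEROUS = re.compile(r"<script\b[^>]*>|document\.(?:write|cookie)", re.IGNORECASE)


def naive_xss_filter(value: str) -> str:
    """Replace script-like fragments with '[removed]', as the global filter does."""
    return _DANGEROUS.sub("[removed]", value)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the digest is never rendered, so no output escaping is needed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def login_ok(stored: bytes, candidate: str, salt: bytes, filter_input: bool) -> bool:
    """Verify a login attempt; filter_input=True mimics the global filter running first."""
    if filter_input:
        candidate = naive_xss_filter(candidate)
    return hmac.compare_digest(stored, hash_password(candidate, salt))


def collision_demo() -> dict:
    """Compare the filtered flow with hashing the raw input for the answer's example."""
    salt = b"constructed-fixed-salt"  # constructed; use a random per-user salt in practice
    password = "document.write123"    # the password from the answer
    alternates = ["<script>123", "document.cookie123", "[removed]123"]

    # Broken flow: the filter rewrites the password to '[removed]123' before hashing,
    # so every string the filter maps to '[removed]123' is accepted at login.
    stored_filtered = hash_password(naive_xss_filter(password), salt)
    # Fixed flow: hash exactly what the user typed; only that string verifies.
    stored_raw = hash_password(password, salt)

    return {
        "filtered": [login_ok(stored_filtered, p, salt, True) for p in alternates],
        "raw": [login_ok(stored_raw, p, salt, False) for p in alternates],
        "raw_correct": login_ok(stored_raw, password, salt, False),
    }


def render_comment(stored_text: str) -> str:
    """Filter output, not input: store the text intact, escape for the HTML context when rendering."""
    return html.escape(stored_text, quote=True)
```

With the raw input hashed, the three alternate strings no longer verify, and an `<iframe>` in a stored post survives intact because it is escaped only at render time for that context.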