CodeIgniter input filtering
Is there any way around this that does not involve turning global_xss_filtering off?
Nope, sorry. You have to turn it off because it alters the raw post data early in CI's execution.
I could rant for 5 pages about the proper use of the xss filter, but I'll try and keep it concise:
- Filter output, not input
- Always keep the context in mind and escape appropriately (is this HTML? SQL? javascript? text file?)
- The global filter is a security blanket. You can remove it once you know what you're doing.
Here's just one of many tragic examples of why the global XSS filter is a bad idea:
- A user signs up for an account, and sets his password to `document.write123`
- You process the password, and end up hashing the string `[removed]123`

Now, the user can log in with any of the following passwords, because those will also get turned into `[removed]123` by the filter before you hash them to validate:

- `<script>123`
- `document.write123`
- `document.cookie123`
- etcetera...
That shouldn't happen. A user shouldn't be able to log in with multiple passwords (unless it's by design... I suppose).
Also, good luck saving any of your blog posts that use `<iframe>`s... YouTube videos for example.
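The password collision the answer describes, as an added example that is not part of the original thread and not CodeIgniter's own code. The `naive_global_filter` below is a constructed stand-in that rewrites a few patterns to the literal token `[removed]`, imitating the behaviour described above rather than reproducing the real `xss_clean()`; `FilteredApp` hashes the mangled input (filter-on-input) and `RawInputApp` hashes the raw input and escapes only at output time for the HTML context (filter-on-output). All user names, passwords and the post body are constructed inputs.

```python
import hashlib
import hmac
import html
import os
import re

# Constructed stand-in for a global input filter. It rewrites a few patterns it
# deems dangerous to the literal token "[removed]". This imitates the behaviour
# the answer describes; it is NOT CodeIgniter's real xss_clean() implementation.
DANGEROUS = re.compile(r"<script>|document\.(?:write|cookie)", re.IGNORECASE)


def naive_global_filter(value: str) -> str:
    """Mangle input the way an always-on XSS filter would."""
    return DANGEROUS.sub("[removed]", value)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is low only to keep the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class FilteredApp:
    """Filter-on-input: the password is mangled BEFORE hashing, on both
    registration and login, so every input that filters to the same string
    is accepted as the same password."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hash_password(naive_global_filter(password), salt)
        self.users[username] = (salt, digest)

    def verify(self, username: str, password: str) -> bool:
        salt, stored = self.users[username]
        candidate = hash_password(naive_global_filter(password), salt)
        return hmac.compare_digest(stored, candidate)


class RawInputApp:
    """Hash the raw input; escape only at output time, for the HTML context."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}
        self.posts: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def save_post(self, slug: str, body: str) -> None:
        # Stored verbatim: an <iframe> embed in a blog post survives the round trip.
        self.posts[slug] = body

    def render_post_as_text(self, slug: str) -> str:
        # Escaping is chosen for the HTML-text context at render time, not on input.
        return "<p>%s</p>" % html.escape(self.posts[slug])


# Constructed inputs: the password from the answer plus strings that the
# filter collapses onto the same value, and one that it does not.
CANDIDATES = ["document.write123", "<script>123", "document.cookie123",
              "[removed]123", "123"]


def login_results(app) -> dict[str, bool]:
    """Register 'alice' with the password from the answer, then try each candidate."""
    app.register("alice", "document.write123")
    return {pw: app.verify("alice", pw) for pw in CANDIDATES}


if __name__ == "__main__":
    print("filter-on-input:", login_results(FilteredApp()))
    print("raw input, escape on output:", login_results(RawInputApp()))
    app = RawInputApp()
    app.save_post("video", '<iframe src="https://example.invalid/embed"></iframe>')
    print("stored:", app.posts["video"])
    print("rendered as text:", app.render_post_as_text("video"))
```

With `FilteredApp`, four of the five candidates log in, including the literal `[removed]123`, because the filter runs before the hash on both sides; with `RawInputApp` only the password the user actually chose is accepted, and the `<iframe>` post is stored intact and escaped only where it is rendered into an HTML text context.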