Codeigniter xss_clean dilemma

Basically XSS is an OUTPUT problem - but Codeigniter deals with it as an INPUT problem.

Can someone elaborate how it's bad...

The problem is xss_clean alters your INPUT - meaning in some scenarios (like the password issue you have described) the input is not what is expected.

...or at least give 1 most probable scenario where it can be exploited?

It only looks for certain key words, such as "javascript". There are other script actions which xss_clean does not detect, plus it wont protect you against any "new" attacks.

The one thing I don't like is javascript: and such will be converted to [removed]. Can I extend the CI's security core $_never_allowed_str arrays so that the never allowed strings return empty rather than [removed]

You could do this - but your just putting a bandaid on a poor solution.

I've been reading about pros and cons about whether to escape on input/output with majority says that we should escape on output only.

This is the correct answer - escape ALL your output, and you have true XSS protection, without altering the input.

OWASP explains more on XSS here

See a good Codeigniter forum thread on XSS

Personally my approach to XSS protection in Codeigniter is I do not do ANY XSS cleaning on the inputs. I run a hook on the _output - which cleans all my “view_data” (which is the variable I use to send data to the views).

I can toggle if I dont want the XSS Clean to run by inserting a “$view_data[‘clean_output’] = false” in my controller, which the hook checks:

if (( ! isset($this->CI->view_data['clean_output'])) || ($this->CI->view_data['clean_output']))   {    // Apply to all in the list    $this->CI->view_data = array_map("htmlspecialchars", $this->CI->view_data);   }  

This gives me automatic and full XSS protection on my whole site -with just a couple of lines of code and no performance hit.