XSS filtering on CodeIgniter form

First of all set $config['global_xss_filtering'] = FALSE; You don't need or want this on all the time. This config setting is officially deprecated. It will likely disapear in the future.

Second, if you are using version 3.0.x then remove ‘xss_clean’ from your validation rules. It is not on the officially supported list of form validation rules.

The place where you can employ XSS filtering is when using the Input Class to fetch data from POST, GET, COOKIE or SERVER. Most of the input methods have a second param that enables running the data through xss_clean(). Example: $this->input->post('some_data', TRUE); Will get the value of $_POST['some_data']and run it through xss_clean(). If the second param is FALSE (or omitted) xss_clean() will not be used.

I don't agree with DFriend's answer.

Per CodeIgniter documentation:

XSS escaping should be performed on output, not input!

So the solution he proposed would actually do the same of the deprecated global configuration $config['global_xss_filtering'] = TRUE;, with the difference of adding much more code and manual work to add an extra bollean parameter for each $this->input->post.

The proper way is to use the set_value on your views:

<input type="password" name="mdp" value="<?=set_value('mdp')?>" />

This function filters XSS vulnerabilities by default:

set_value($field[, $default = ''[, $html_escape = TRUE]])