A: 

If you want to change the default behavior of the post() method, you can extend the core Input library, or if you're lazy you can just change line 278 (or so) of the Input library to read:

/**
* Fetch an item from the POST array
*
* @access   public
* @param    string
* @param    bool
* @return   string
*/
function post($index = '', $xss_clean = TRUE)
{
    return $this->_fetch_from_array($_POST, $index, $xss_clean);
}

The only difference here is that I've changed the $xss_clean variable to TRUE instead of FALSE. Now you can turn off global XSS filtering and it will automatically filter inputs unless you specify false as the second parameter in your call to the Input library's post() method. Just one method down is the get() method, and you can change that in the same way.

However, if I were you, I'd just extend the native library, because there's a good chance you'll have forgotten about this by the time you update CodeIgniter, and then you'll suddenly be wondering why you're getting XSS attacked. That would look like this:

class MY_Input extends CI_Input {

    function My_Input()
    {
        parent::CI_Input();
    }

    function post($index = '', $xss_clean = TRUE)
    {
        parent::post($index, $xss_clean);
    }
}

You can learn more about extending libraries here:

http://codeigniter.com/user_guide/general/creating_libraries.html

treeface  2010-09-24 16:30:10
Thanks for you help. I went down this route.
Von Schmytt  2010-09-30 08:40:47
A: 

you can temporarily turn it off

$this->config->set_item('global_xss_filtering', false);

$c = $this->input->post('content'); then turn it back on..

$this->config->set_item('global_xss_filtering', true);

Johnny Tops  2010-09-24 17:50:46
OP, I'd be interested to see if this works. Based on my understanding of CI's XSS filtering scheme, I think this would actually not have the desired effect. I believe CI does its XSS filtering of the entire $_POST variable when the controller is initiated, so changing the config after the fact would have little affect. Still..it's worth a try.
treeface  2010-09-24 17:56:58
Hi, this didn't seem to work with my CI installation. Thanks for responding though!
Von Schmytt  2010-09-30 08:40:25

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests