views: 39
answers: 2

In my codeigniter config I have $config['global_xss_filtering'] = TRUE;. In my admin section I have a ckeditor which generates the frontend content.

Everything that is typed and placed inside the editor works fine, images are displayed nice, html is working. All except flash. Whenever I switch to html mode and paste a youtube code piece it is escaped and the code is visible on the frontpage instead of showing a youtube movie.

If I set $config['global_xss_filtering'] = FALSE; the youtube code is passed through like it should be. This is because 'object', 'embed' etc. are flagged as "naughty" by CI and thus escaped.

How can I bypass the xss filtering for this one controller method?

A: 

Seems there is no easy way to do this. This thread offers some suggestions.

captaintokyo
A: 

Turn it off by default then enable it for places that really need it.

For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.

One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.

http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php

It's one hell of a long way around, but it works.

Perhaps a config option could be created listing the bad elements for 2.0?

Phil Sturgeon
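Phil's first suggestion (leave the global filter off and opt in per field), written out as an added example that is not code from the thread or from PyroCMS. It assumes CodeIgniter 2, a hypothetical admin Pages controller with a page_model, and a session flag marking admin users:

```php
<?php
// application/config/config.php: keep the global filter off and opt in
// per field instead of escaping every request.
$config['global_xss_filtering'] = FALSE;

// application/controllers/admin/pages.php (hypothetical controller name)
class Pages extends CI_Controller
{
    public function save()
    {
        // Only a trusted admin may submit unfiltered editor markup, so
        // gate the method itself rather than relying on the filter.
        // 'is_admin' is an assumed session key set at login.
        if (! $this->session->userdata('is_admin')) {
            show_error('Admins only', 403);
        }

        // Second argument TRUE runs xss_clean() on just that field, so
        // plain text inputs stay filtered even with the global switch off.
        $title = $this->input->post('title', TRUE);
        $slug  = $this->input->post('slug', TRUE);

        // The CKEditor body is read unfiltered (FALSE) so the <object> and
        // <embed> markup of a pasted YouTube snippet is stored as typed.
        $body = $this->input->post('body', FALSE);

        $this->page_model->save($title, $slug, $body);
    }
}
```

Anything rendered from $body is then trusted content, so keep the filtered path ($this->input->post('field', TRUE)) for every input a non-admin can reach, such as comments.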