CodeIgniter's XSS Protection is removing <script> tags from user inputs... but I don't want it to!

Question

Hey folks,

CodeIgniter is brilliant but I'm using it to develop a site where users need to be able to share their code for websites. Unfortunately, CodeIgniter has been doing the "right" thing by removing <script> tags from my user's inputs into the database, so when it's returned data looks like this:

[removed] User's data [removed]

However, I need my site to DISPLAY script tags but obviously not PARSE them. How can I get CodeIgniter or PHP to return <script> tags, but still sanitise them for the database and return them without them executing?

Thanks!

Jack

EDIT: By the way, it's not an option to use stuff like Markdown, everything has to output to copy-pastable code that could work with no modification somewhere else

Answer 1

Im guessing you have XSS protection set to global in your config.php file change it to what i have below

/*
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = FALSE;

Answer 2

So, you want script tags displaying, but you don't want them rendered by the browser?

If that's the case, then I would use a simple htmlspecialchars() function to parse the code and convert all of the <script> tags to <script>.

I believe a somewhat equivalent function in CodeIgniter is form_prep(), from the Form helper, but how it behaves outside of form elements I don't know. So the htmlspecialchars() function should do just what you are asking.

I agree with Tom, above, in that you will need to disable global XSS filtering if you don't want your form elements having script tags stripped before they are saved.