CodeIgniter Forums

Full Version: XSS Global clean

El Forum

[eluser]Mat-Moo[/eluser]
I have this enabled as a matter of security (but still do some checking as well), but I have a new special controller I am writing that picks up an RSS feed as a post which I need NOT to be sanitised. From what I've read on here I have to disable global CSS then add it to all my inputs (grrr) - or is there another way? [even print_r($_POST) is sanitised].

Any other input on this is welcome!

El Forum

[eluser]Dam1an[/eluser]
You could extend the input class, and override the sanitize globals function, so that it doesn't include the $_POST array (line 141).
Assuming you use
Code:
$this->input->post('item');
instead of
Code:
$_POST['item'];
in the rest of the application, you should be fine.

If you find yourself needing to sanitize the POST array, you could call the _clean_input_data function (which should really be private, but PHP4 lets you ;) )

El Forum

[eluser]Mat-Moo[/eluser]
Hmm, not convinced by that. Could I use a hook to disable the global xss when it's this one controller? Never really looked at hooks before.

El Forum

[eluser]Dam1an[/eluser]
If you did do it in a hook, you would have to use a pre_system hook, as that's your only chance before the input class gets initialised.
The problem is the router class has not yet been loaded at this point, so you'll have to load it yourself in the hook using
Code:
$RTR =& load_class('Router'); // Taken from CodeIgniter.php
if ($RTR->class == 'the_controller') {
    // ... do something
}

Although I'm not sure what 'do something' would be, as I'm not sure if it's a good idea to change config values on the fly like that (anyone?)

El Forum

[eluser]Dregond Rahl[/eluser]
You could do one other thing: disable the Global XSS Filter, and just modify (or even extend) the input library to have the default be $xss_clean = TRUE, then you can set specifically the inputs in that controller to be FALSE.

Code:
function post($index = '', $xss_clean = FALSE)
{
    return $this->_fetch_from_array($_POST, $index, $xss_clean);
}

El Forum

[eluser]xwero[/eluser]
A crude way would be to add a URL check in the config.php file
Code:
// Filtering stays on unless the request URI is in the exempt list
$config['global_xss_filtering'] = ( ! in_array($_SERVER['REQUEST_URI'], array('/controller/method'))) ? TRUE : FALSE;
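
The URL check suggested in the last post compares the raw REQUEST_URI, which also carries the query string and any front-controller prefix. The following is an added example, not part of the original thread or of CodeIgniter itself: a fail-closed version of that check, where filtering is switched off only for an exact path match. It assumes PHP 5 or later; the function name `xss_filter_enabled`, the `/feed/receive` route and the sample URIs are hypothetical and constructed for illustration.

```php
<?php
// Added example: decide in config.php whether global XSS filtering stays on.
// xss_filter_enabled() and the /feed/receive route are hypothetical names.

/**
 * Return TRUE (keep filtering) unless the request path is exactly one of
 * the exempt controller/method paths. Anything unparsable keeps it on.
 */
function xss_filter_enabled($request_uri, array $exempt_paths)
{
    if ( ! is_string($request_uri) || $request_uri === '') {
        return TRUE;
    }
    // REQUEST_URI carries the query string; compare the path only.
    $path = parse_url($request_uri, PHP_URL_PATH);
    if ( ! is_string($path)) {
        return TRUE; // malformed URI: fail closed
    }
    // Encoded characters or dot segments never match an exempt path.
    if (strpos($path, '%') !== FALSE || strpos($path, '..') !== FALSE) {
        return TRUE;
    }
    // Drop an optional front-controller prefix and any trailing slash.
    $path = preg_replace('#^/index\.php(?=/|$)#', '', $path);
    $path = '/' . trim($path, '/');

    return ! in_array($path, $exempt_paths, TRUE);
}

$exempt = array('/feed/receive'); // hypothetical RSS-receiving controller/method

// In application/config/config.php this would read:
// $config['global_xss_filtering'] = xss_filter_enabled($_SERVER['REQUEST_URI'], $exempt);

// Constructed sample requests and the setting each one produces.
$samples = array(
    '/feed/receive',
    '/feed/receive/?src=blog',
    '/index.php/feed/receive',
    '/feed/receive/../admin/save',
    '/admin/save',
    '',
);
foreach ($samples as $uri) {
    $state = xss_filter_enabled($uri, $exempt) ? 'ON' : 'OFF';
    printf("%-32s filter %s\n", var_export($uri, TRUE), $state);
}
```

Only the first three sample requests turn the filter off; every other form of the URI, including the empty one, leaves it on.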