CodeIgniter Forums
XSS Protection is removing [removed] tags - but I don't want it to! :)



XSS Protection is removing [removed] tags - but I don't want it to! :) - El Forum - 03-05-2010

JackWH
Hey folks,

CodeIgniter is brilliant but I'm using it to develop a site where users need to be able to share their code for websites. Unfortunately, CodeIgniter has been doing the "right" thing by removing [removed] tags from my users' inputs into the database, so when it's returned, the data looks like this:

[removed] User's data [removed]

However, I need my site to DISPLAY script tags but obviously not PARSE them. How can I get CodeIgniter or PHP to return Script tags, but still sanitise them for the database and return them without them executing?

Thanks!

Jack

EDIT: Oh look, how ironic, even CodeIgniter's forum removes [removed] tags too. Haha! [removed] [removed] [removed] - I mean, < script >


XSS Protection is removing [removed] tags - but I don't want it to! :) - El Forum - 03-06-2010

WanWizard
If you want your users to input HTML, JavaScript, code, and what have you, you shouldn't clean it, but escape the input with htmlentities, so any HTML in the input becomes harmless.
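
The approach suggested in the reply above, as an added example that is not part of the original posts: the submitted code is stored as typed and escaped with htmlentities only when it is rendered, so script tags are displayed but never parsed. The function name `render_snippet` and the sample submissions are constructed for illustration, and the example assumes the field was read without the XSS filter applied.

```php
<?php
// Added example (not from the thread): show user-submitted code as text.
// render_snippet() and the sample inputs below are hypothetical/constructed.

/**
 * Turn raw user-submitted source code into inert HTML for display.
 * The raw text stays unchanged in storage; escaping happens at output only,
 * so the data is never double-encoded and can be re-edited by its author.
 */
function render_snippet(string $raw): string
{
    // ENT_QUOTES     : escape both ' and " so the result is also safe
    //                  if it ends up inside an attribute value.
    // ENT_SUBSTITUTE : replace invalid UTF-8 bytes with U+FFFD; without it
    //                  htmlentities() returns an empty string on bad input.
    // 'UTF-8'        : state the charset explicitly; it must match the
    //                  charset the page is served with.
    $escaped = htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<pre><code>' . $escaped . '</code></pre>';
}

// Constructed sample submissions.
$samples = [
    // Ordinary snippet a user wants to share.
    "<script>alert('hi');</script>",
    // Attempt to close the wrapper early and inject live markup.
    "</code></pre><img src=x onerror=\"run()\">",
    // Invalid UTF-8 byte sequence (0xC3 followed by 0x28).
    "<b>bad byte: \xC3\x28</b>",
];

foreach ($samples as $raw) {
    $html = render_snippet($raw);

    // After escaping, the user-controlled part contains no literal '<',
    // so the browser cannot start a tag from it.
    $inner = substr($html, strlen('<pre><code>'), -strlen('</code></pre>'));
    if (strpos($inner, '<') !== false) {
        throw new RuntimeException('unescaped markup in output');
    }

    echo $html, "\n";
}
```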