CodeIgniter Forums
Overly aggressive xss cleaning? - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: Overly aggressive xss cleaning? (/showthread.php?tid=37522)



Overly aggressive xss cleaning? - El Forum - 01-12-2011

[eluser]Unknown[/eluser]
When, as in my case, $_POST['body'] contains an HTML image element with a valid src attribute, e.g.
Code:
<img src="http://test.es/test4.png" alt="" >
(amongst others, but it seems only the img is stripped this way), the system/libraries/Input.php constructor cleans the incoming data. As far as I can see, something happens in Input->xss_clean(), which is called by Input->_clean_input_data(), which in turn is called by the constructor. This leaves the img code cold and empty:
Code:
<img >

Now, it is sort of a limitation not being allowed to submit HTML code like that to a CI app.

EDIT: CodeIgniter 1.7.3
$config['global_xss_filtering'] = TRUE;
The img src points to an external site
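The behaviour described above is the blanket approach: any src on an img is thrown away, with no way to say that an external http/https image is acceptable. The usual alternative is an allowlist sanitizer that keeps known-safe tags and attributes, checks URL-bearing attributes against permitted schemes, and drops everything else (event handlers, javascript: URLs, script bodies). The following is an added illustration of that approach, not CodeIgniter's code and not from the original thread; the tag/attribute allowlist, the sample inputs (the poster's img plus a few constructed hostile variants) and the function names are assumptions chosen for the example.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Allowlist assumed for this example: tag -> attributes permitted on it.
ALLOWED = {
    "img": {"src", "alt", "title", "width", "height"},
    "a": {"href", "title"},
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
}
URL_ATTRS = {"src", "href"}          # attributes whose value is a URL
SAFE_SCHEMES = {"http", "https"}     # javascript:, data:, vbscript: etc. are rejected
VOID = {"img", "br"}                 # tags that take no closing tag
DROP_CONTENT = {"script", "style"}   # drop the tag AND its text content


def safe_url(value):
    """Accept only absolute http(s) URLs; anything else (including a missing
    or unparseable scheme) is rejected, so the default is deny."""
    parts = urlparse(value.strip())
    return parts.scheme.lower() in SAFE_SCHEMES and bool(parts.netloc)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes entities so we can re-escape text ourselves
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (what, why) records, useful for logging/auditing
        self.skipping = False  # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping = True
        if tag not in ALLOWED:
            self.dropped.append((tag, "tag not allowed"))
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append((f"{tag}@{name}", "attribute not allowed"))
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append((f"{tag}@{name}", "unsafe url"))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = False
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skipping:
            return
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (cleaned_html, dropped) for an untrusted HTML fragment."""
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


if __name__ == "__main__":
    # Constructed samples: the poster's image plus hostile variants.
    for sample in [
        '<img src="http://test.es/test4.png" alt="" >',
        '<img src="javascript:alert(1)">',
        '<p>Hi <img src="http://x/y.png" onerror="alert(1)"> there</p>',
        '<script>alert(1)</script><b>ok</b>',
    ]:
        cleaned, dropped = sanitize(sample)
        print(repr(sample), "->", repr(cleaned), dropped)
```

With this approach the poster's image survives intact while a javascript: source, an onerror handler or a script block is removed and recorded. Note that, as the poster observes, the cleaning in this CodeIgniter version happens in the Input constructor, so the raw value is already gone by the time a controller runs; a sanitizer like this can only be applied if global filtering is switched off and the field is cleaned explicitly instead.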