CodeIgniter Forums
XSS_clean question - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23)
+--- Thread: XSS_clean question (/showthread.php?tid=51642)



XSS_clean question - El Forum - 05-11-2012

[eluser]Matalina[/eluser]
I currently have xss_clean globally enabled. But I want to turn it off for one or two fields in my forms. I've looked through the Input Class but I'm not sure which happens first.

If I call
Code:
$this->input->post('name',FALSE);

Will it not use xss_clean even though it's globally enabled?


XSS_clean question - El Forum - 05-11-2012

[eluser]mikedfunk[/eluser]
From what I understand this is a flaw (IMHO) in the xss clean system. It's either all on or you have to do them one-by-one.


XSS_clean question - El Forum - 05-11-2012

[eluser]CroNiX[/eluser]
I usually have global off and just set xss_clean in the validation rules where they're needed. Then, if you're accessing post() or set_value() or whatever, it will be clean if it passes validation and you don't need to keep doing it.
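The per-field approach described above, written out as an added example (not code from the thread or from CodeIgniter itself). It assumes CodeIgniter 2.1.x with the Form Validation library; the controller, field names, view name and config path are illustrative.

```php
<?php
// application/config/config.php (assumed path): global filtering stays off so
// that individual fields can opt in through validation rules instead.
// $config['global_xss_filtering'] = FALSE;

class Comments extends CI_Controller {

    public function create()
    {
        $this->load->library('form_validation');
        $this->load->helper('form');

        // 'name' gets xss_clean as a validation rule; 'raw_markup' is the one
        // field we deliberately leave untouched (it is stored verbatim).
        $this->form_validation->set_rules('name', 'Name', 'required|trim|xss_clean');
        $this->form_validation->set_rules('raw_markup', 'Markup', 'required');

        if ($this->form_validation->run() === FALSE) {
            // Validation failed: redisplay the form with set_value() repopulation.
            $this->load->view('comment_form');
            return;
        }

        // After a successful run() the validator writes the processed values back
        // into $_POST, so post() already returns the xss_clean'd 'name' here.
        $name = $this->input->post('name');

        // Explicit FALSE documents that this field is intentionally not filtered.
        // With global filtering off this is also the default behaviour.
        $raw  = $this->input->post('raw_markup', FALSE);

        // Filtering on input is not a substitute for escaping on output:
        // anything echoed into HTML still goes through html_escape().
        $data = array(
            'name'       => html_escape($name),
            'raw_markup' => html_escape($raw),
        );
        $this->load->view('comment_preview', $data);
    }
}
```

The point this makes concrete is that with global_xss_filtering enabled the Input constructor has already rewritten $_POST before any controller code runs, so the opt-out has to be at the config level plus per-field rules, not in the post() call.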


XSS_clean question - El Forum - 05-11-2012

[eluser]Matalina[/eluser]
So basically it's all or nothing... fun. Good thing this is an app that's just starting and not in the middle or end when a feature is added, lol.


XSS_clean question - El Forum - 05-11-2012

[eluser]weboap[/eluser]
Can you try
http://stackoverflow.com/questions/3788476/codeigniter-disable-xss-filtering-on-a-post-basis


XSS_clean question - El Forum - 05-14-2012

[eluser]Matalina[/eluser]
Okay and why would that work over setting the value to FALSE?

I thought that you overwrote anything that was placed into the variable if it was passed.

I really don't see how rewriting that works. The input constructor is what cleans data when XSS_clean is set globally. So data is already cleaned by the time the post method is called which is why it can't be unset. So I don't think that method should work at all either. It's really no different than setting the value to false.