XSS_clean question - CodeIgniter Forums (https://forum.codeigniter.com)
XSS_clean question - El Forum - 05-11-2012
Matalina:
I currently have xss_clean globally enabled. But I want to turn it off for one or two fields in my forms. I've looked through the Input Class but am not sure which happens first. If I call

Code:
    $this->input->post('name',FALSE);

Will it not use xss_clean even though it's globally enabled?

XSS_clean question - El Forum - 05-11-2012
mikedfunk:
From what I understand this is a flaw (IMHO) in the xss clean system. It's either all on or you have to do them one-by-one.

XSS_clean question - El Forum - 05-11-2012
CroNiX:
I usually have global off and just set xss_clean in the validation rules where they're needed. Then if you're accessing post() or set_value() or whatever it will be clean if it passes validation and you don't need to keep doing it.

XSS_clean question - El Forum - 05-11-2012
Matalina:
So basically it's all or nothing... fun. Good thing this is an app that's just starting and not in the middle or end when a feature is added, lol.

XSS_clean question - El Forum - 05-11-2012
weboap:
Can you try http://stackoverflow.com/questions/3788476/codeigniter-disable-xss-filtering-on-a-post-basis

XSS_clean question - El Forum - 05-14-2012
Matalina:
Okay, and why would that work over setting the value to FALSE? I thought that you overwrote anything that was placed into the variable if it was passed. I really don't see how rewriting that works. The input constructor is what cleans data when XSS_clean is set globally. So data is already cleaned by the time the post method is called, which is why it can't be unset. So I don't think that method should work at all either. It's really no different than setting the value to false.
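
Added example, not part of the thread and not code from any poster: a sketch of the setup CroNiX describes, with the global filter off and xss_clean applied per field through validation rules, written against the CodeIgniter 2.x API. The controller name `Profile`, the fields `name` and `bio`, and the view names are assumptions made for illustration.

```php
<?php
// --- application/config/config.php ---
// When this is TRUE, the Input class filters the request arrays in its
// constructor, before any controller code runs, so a later
// post('name', FALSE) cannot undo it. Keep it FALSE to opt in per field.
$config['global_xss_filtering'] = FALSE;

// --- application/controllers/profile.php (hypothetical controller) ---
class Profile extends CI_Controller {

    public function save()
    {
        $this->load->library('form_validation');

        // 'name' opts in to xss_clean through its validation rule.
        $this->form_validation->set_rules('name', 'Name', 'trim|required|xss_clean');

        // 'bio' is one of the "one or two fields" left unfiltered.
        $this->form_validation->set_rules('bio', 'Bio', 'required');

        if ($this->form_validation->run() === FALSE) {
            // Hypothetical view that re-displays the form with errors.
            $this->load->view('profile_form');
            return;
        }

        // run() writes the processed values back to $_POST, so 'name'
        // now comes back already cleaned by its rule.
        $name = $this->input->post('name');

        // No xss_clean rule and no global filter: this is the raw value.
        $bio_raw = $this->input->post('bio');

        // The second argument still works as a per-call opt-in.
        $bio_filtered = $this->input->post('bio', TRUE);

        // A field that skipped the filter must be encoded when it is
        // written into HTML.
        $this->load->view('profile_saved', array(
            'name' => $name,
            'bio'  => htmlspecialchars($bio_raw, ENT_QUOTES, 'UTF-8'),
        ));
    }
}
```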