Does this make a security risk?
#4

[eluser]kenjis[/eluser]
[quote author="Mustafa Kahraman" date="1286353859"]Hi All,

I am using CI 1.7.2 on a Linux box.
This is my URL: example.com/products/White-Small-Cream-Box

I am using
Code:
$str = $this->uri->segment(2);
and I query the SQL like this
Code:
$sql = $this->db->where('product_name', $str)->get('products', 1);
In this sense, do I have any security hole for XSS or something else?
And if I set the config as
Code:
$config['global_xss_filtering'] = FALSE;

Do I have to set it to TRUE?[/quote]

Probably there is no XSS risk if you use the default permitted_uri_chars setting.
(Of course, I couldn't guarantee no risk.)

Code:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

Because the default setting only permits the above characters in URI segments.
And writing JavaScript XSS code using only the above characters is difficult.

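The following is an added illustration, not code from this thread or from CodeIgniter itself. It rebuilds the character-class check that the default permitted_uri_chars value expresses as a small stand-alone PHP function, runs it over a few constructed segments, and shows why a value that passes the check should still be HTML-escaped when it is echoed back into a page. The function names and the sample segments are assumptions made for the example; the character class is the default value quoted above.

```php
<?php
// Added illustration (not CodeIgniter's own code): what the default
// permitted_uri_chars setting allows, and why output escaping is still
// the right defence against XSS when a segment is rendered into HTML.

// Same character class as the default $config['permitted_uri_chars'].
// In a single-quoted PHP string "\-" stays as backslash + hyphen, which is
// what the regex needs for a literal "-" inside the class.
const PERMITTED_URI_CHARS = 'a-z 0-9~%.:_\-';

// Accept a segment only if it is non-empty and every character is in the
// permitted class; the "i" flag makes a-z cover upper-case letters too.
function is_permitted_uri_segment(string $segment): bool
{
    return $segment !== ''
        && preg_match('/^[' . PERMITTED_URI_CHARS . ']+$/i', $segment) === 1;
}

// Escape a value before placing it inside an HTML document (hypothetical
// helper name; wraps the standard htmlspecialchars()).
function html_escape_segment(string $segment): string
{
    return htmlspecialchars($segment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample segments for the demonstration.
$samples = [
    'White-Small-Cream-Box',        // normal product slug: accepted
    '<script>alert(1)</script>',    // angle brackets, parentheses, "/": rejected
    '"onmouseover=alert(1)',        // quote and "=": rejected
    'White%3CSmall%3EBox',          // only permitted characters: accepted,
                                    // but "%3C"/"%3E" decode to "<" and ">"
];

foreach ($samples as $s) {
    $verdict = is_permitted_uri_segment($s) ? 'accepted' : 'rejected';
    printf("%-30s %s\n", $s, $verdict);
}

// The last sample passes the character check. If the application later
// urldecode()s it, the result contains "<" and ">", so the value must still
// be escaped at the point where it is written into HTML.
$decoded = urldecode('White%3CSmall%3EBox');   // "White<Small>Box"
echo html_escape_segment($decoded), "\n";       // White&lt;Small&gt;Box
```

The character class keeps out the quotes, angle brackets and parentheses that most script injection needs, which is the point made in the reply above. It does not make the value safe for every context on its own: `%` is permitted, so percent-encoded sequences pass the check and can be turned back into arbitrary characters by a later decode, and the SQL side is a separate concern that is covered by the database layer escaping the value passed to `where()`, not by the URI filter. Escaping at output time is the check that does not depend on which characters the router happened to allow.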

Messages In This Thread
Is this makes a security risk ? - by El Forum - 10-05-2010, 09:30 PM
Is this makes a security risk ? - by El Forum - 10-05-2010, 10:35 PM
Is this makes a security risk ? - by El Forum - 10-05-2010, 11:15 PM
Is this makes a security risk ? - by El Forum - 10-06-2010, 01:30 AM
