Input library doesn't escape $_SERVER?
#1

[eluser]cfraz[/eluser]
It looks like the Input library doesn't run its _clean_input_data function on $_SERVER like it does with $_POST and $_COOKIE (and $_GET).

I know that Input optionally filters xss content on $_SERVER, but it seems that some of the $_SERVER parameters have vulnerabilities that should be cleaned.

Yes? No?
#2

[eluser]Matthieu Fauveau[/eluser]
Even if it's not documented, CI can filter $_SERVER through xss_clean if you put the second parameter to TRUE. But I believe you know that if I read you correctly.

It might be a matter of performance that CI does the _clean_input_data only on $_GET, $_POST and $_COOKIE...
#3

[eluser]cfraz[/eluser]
Yea, the user guide documents the xss clean for input->server('param', TRUE). My question was about the escaping input and normalizing all returns to \n that input-> does for post and cookie and get (but not server) when the second parameter is not set.

Why is it needed for post and cookie and get, but not server?
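
An added example, not part of the thread and not CodeIgniter's own code: one way to apply the newline normalization discussed above to the request-derived entries of $_SERVER. The helper names and the list of client-controlled keys are assumptions made for illustration.

```php
<?php
// Hypothetical helper, not CodeIgniter code. It treats request-derived
// $_SERVER entries as untrusted input, the same way post/cookie/get are.

// Assumed list of non-HTTP_* keys that are filled from the request line
// or request headers. Extend it for your server setup.
const CLIENT_SERVER_KEYS = ['QUERY_STRING', 'REQUEST_URI', 'PATH_INFO', 'PHP_SELF', 'CONTENT_TYPE'];

function is_client_controlled(string $key): bool
{
    // Every HTTP_* entry is copied from a request header.
    return strncmp($key, 'HTTP_', 5) === 0 || in_array($key, CLIENT_SERVER_KEYS, true);
}

function normalize_value(string $value): string
{
    // Normalize CRLF and bare CR to \n, as the thread describes for post/cookie/get.
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    // Drop NUL and other control bytes, keeping \n and \t.
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
}

function clean_server(array $server): array
{
    $out = [];
    foreach ($server as $key => $value) {
        $out[$key] = (is_string($value) && is_client_controlled((string) $key))
            ? normalize_value($value)
            : $value; // keys outside the assumed list are passed through unchanged
    }
    return $out;
}

// Constructed sample input, not taken from a real request.
$sample = [
    'HTTP_USER_AGENT' => "Mozilla/5.0\r\nX-Injected: 1",
    'REQUEST_URI'     => "/index.php\x00.txt",
    'SERVER_PORT'     => '80',
];

$clean = clean_server($sample);
// HTTP_USER_AGENT now contains "\n" instead of "\r\n"; REQUEST_URI has the NUL byte removed.
echo json_encode($clean, JSON_PRETTY_PRINT), "\n";
```

Normalization does not make the values safe to emit: they still need escaping for the context they are written to (HTML, SQL, log lines, response headers).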



