(11-28-2016, 04:07 PM)ciadmin Wrote: To be clear, I don't know when or why xss_clean was removed from the template parser or if it was ever there; I am not expert enough (from a security perspective) to address if it should be there or not, but I can see it *optionally* helpful.
One of my uses for the template parser is to inject XML/HTML from a database into a view, and forcing xss_clean would seem counter-intuitive to that.
CI4's View & Parser classes support optional escaping of view parameter values, which might serve the same intent as your question.
I don't see other responses to this thread, nor other community members bringing up the issue, so am not sure how much interest there would be in such an enhancement.
You asked about extending CI_Parser... that can always be done (core/MY_Parser). However, you are welcome to submit a PR to our github repo, with that proposed change to the parser That could be a better way to get the community to chime in!
Thank you Sir,
You enlightened my path.
So basically there is no harm in auto-cleaning there if we want it, I will do my best to do it in clean way and submit it to github.