Escaping issue with my code and/or database?
#5

[eluser]err403_love[/eluser]
Well, I did turn XSS Filtering on, but I didn't think it would have such odd side effects. I think a str_replace is highly unnecessary, as the Database class should be auto-escaping HTML entities to, well, HTML entities. I mean, when you're inputting an ampersand into an input box, when is it NOT going to be displayed as HTML?

Can I extend the Database class to do this automatically? I'd still prefer to call this a "bug" though.

X&Y;A&B;AA&BB;CCC&DDD;SOMETHING&SOMETHING;

Edit:
I did not type a single semicolon myself (see above ^^), and it also removed the spaces between them. I think this is a pretty big issue.

Why aren't the CodeIgniter devs themselves escaping ampersands then on this board? :)

----

Edit2: And regarding your example for str_replace, that wouldn't even work. What if the HTML entity (& amp ; - minus spaces) is already being typed in? Then you would get & amp ; amp ; (minus spaces) or something strange.

Then I'd have to do a preg_replace for better precision, and that's much more intensive. Then the other option would be to use the PHP function to convert everything to HTML entities, and I still don't want to have to do that for all input before my UPDATE and INSERT queries.
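An added PHP example (not from this thread or from CodeIgniter) showing the double-encoding problem described above and the usual fix: keep the stored value raw (SQL escaping is the query binding's job) and HTML-encode once at output time. The `$this->db->query()` binding call at the end is assumed CodeIgniter-style usage and is shown commented out.

```php
<?php
// Added example: why replacing '&' at input time double-encodes,
// and how encoding once at output time avoids it.

// Naive input-time approach from the discussion: blindly replace '&'.
function naive_amp_replace(string $s): string {
    return str_replace('&', '&amp;', $s);
}

// Output-time escaping: encode for HTML once, when rendering.
// With $keep_existing_entities = true, double_encode is false and a valid
// entity already present in the input (e.g. '&amp;') is left alone.
function escape_for_html(string $s, bool $keep_existing_entities = false): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', !$keep_existing_entities);
}

// Constructed inputs: a plain ampersand and an already-encoded one.
$inputs = ['X&Y', 'X&amp;Y'];

foreach ($inputs as $in) {
    printf("input: %-8s  str_replace: %-12s  htmlspecialchars: %-12s  keep existing: %s\n",
        $in,
        naive_amp_replace($in),       // 'X&amp;Y', then 'X&amp;amp;Y' (double-encoded)
        escape_for_html($in),         // 'X&amp;Y', then 'X&amp;amp;Y' (double_encode=true)
        escape_for_html($in, true));  // 'X&amp;Y', then 'X&amp;Y'
}

// Recommended pattern: store the raw value through query bindings so the
// driver handles SQL escaping, and HTML-encode only when displaying.
// Assumed CodeIgniter-style binding call, shown commented out:
$raw = 'X&Y';
// $this->db->query('INSERT INTO notes (body) VALUES (?)', [$raw]);  // store raw
// echo escape_for_html($row->body);                                 // encode on output
```

Encoding once at output means a stored value is never double-encoded no matter how many times it is edited and re-saved, and it stays usable for non-HTML consumers such as an API or an e-mail.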


Messages In This Thread
Escaping issue with my code and/or database? - by El Forum - 05-12-2008, 06:21 PM
Escaping issue with my code and/or database? - by El Forum - 05-12-2008, 09:41 PM
Escaping issue with my code and/or database? - by El Forum - 05-12-2008, 10:44 PM
Escaping issue with my code and/or database? - by El Forum - 05-12-2008, 11:04 PM
Escaping issue with my code and/or database? - by El Forum - 05-13-2008, 06:29 AM


