CodeIgniter overzealous with the character escaping?
#1

[eluser]drewbee[/eluser]
What is up with CodeIgniter getting all crazy over the character escaping? Either I am missing something terribly drastic... or the CI folks are paranoid.

I currently have a setup where global_xss_filtering is off because I don't like CI messing with data input. Garbage in, garbage out, I say.

As well, the prep_for_form gets a bit overzealous too.

I just loaded the XML file from http://ha.ckers.org/xss.html of all the XSS injection types that they have compiled, and simply using htmlspecialchars resulted in a clean, XSS-injection-free page.

Also, I didn't like how, when I filled out a form and happened to put in the characters AND less-than or greater-than, CI converted them to the actual characters. Data should look the same coming out as it did going in.

What do they know that I don't?

Also, during each iteration of the XML document, I output the data in plain text as well as in a textbox.

The document also validated as valid XHTML, heh.
#2

[eluser]jpeffer[/eluser]
I think you are oversimplifying "plain" text. Don't forget there are quite a few text encoding standards used out there. Not that long ago I spent around 2 weeks trying to explain why a text document written in WordPad did not look the same in Notepad and was causing UTF-8 errors within an XMLHttpRequest. These were paid consultants who simply could not grasp why characters displayed correctly in one application and not the other. Mix in encodings at the database level and you end up with too many people not understanding the basics.

The requirements of your system should really be determining the amount of escaping needed. Generally speaking it is at least a good idea to always escape data being inserted. Escaping simple queries would be more dependent on the amount of security required for the data being processed. That's at least how I always viewed this issue. Of course I might be missing something as well.
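A plain-PHP illustration of the approach the first post describes (store input untouched, escape once at output with htmlspecialchars, in both a text node and a textbox) together with the explicit-charset point raised in the second post. This is an added example, not code from the thread or from CodeIgniter itself; the helper name h() and the sample string are constructed for the demonstration.

```php
<?php
// Added example (not from the thread or from CodeIgniter): keep stored data
// as it was entered, escape exactly once at output time, and escape for the
// context the value lands in.

declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both " and ', so the same helper is safe inside value="...".
// ENT_SUBSTITUTE replaces invalid UTF-8 byte sequences with U+FFFD instead of
// returning an empty string. Passing the charset explicitly avoids depending on
// the default_charset ini setting, which is one source of the "looks right in
// one application, wrong in another" problems described in the second post.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: what a user might type into a form. It is stored
// exactly like this, with no input filtering ("garbage in, garbage out").
$stored = 'Tom & Jerry <3 "quotes", it\'s &lt;not&gt; a tag';

// Render the same stored value in the two places the first post mentions:
// as page text and as the value of a textbox.
function render(string $value): string
{
    return '<p>' . h($value) . '</p>' . "\n"
         . '<input type="text" name="note" value="' . h($value) . '">' . "\n";
}

echo render($stored);
// The &lt; and &gt; the user typed become &amp;lt; and &amp;gt;, so the browser
// shows the literal text "&lt;not&gt;" that was entered, not "<not>": the data
// looks the same coming out as it did going in.

// Pitfall 1: escaping on input and again on output double-encodes, so the
// page shows "&amp;" where the user typed "&".
$doubleEncoded = h(h($stored));
assert(str_contains($doubleEncoded, '&amp;amp;'));

// Pitfall 2: decoding entities somewhere on the way out (the behaviour the
// first post complains about) silently changes the stored data: the user's
// literal "&lt;not&gt;" comes back as a real "<not>" tag.
$decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
assert($decoded !== $stored);
assert(str_contains($decoded, '<not>'));
```

The same h() helper is not a fit for every context: a value placed inside a JavaScript string, a URL query parameter or a CSS value needs that context's own encoding, and htmlspecialchars alone does nothing for a value interpolated into a SQL query, which is the "escaping data being inserted" the second post refers to and is best handled with prepared statements rather than string escaping.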
