global xss filtering and video embeds
#1

[eluser]treadsoftley[/eluser]
I have global XSS filtering enabled, and this is something I would like to maintain; however,
video embeds are then rendered useless, as the ASCII equivalents are displayed, e.g. % 2 C (spaced here) appears as a comma.

Of course, html_entity_decode() does do this, but then loads of spurious question marks appear in the text where it cannot decode such things as an ampersand between two para tags, and anyway I would like to be more specific as to what I want to allow and where.

Does anyone know of a regex function that can restore the embed when the page is displayed?

Tia.
#2

[eluser]TheFuzzy0ne[/eluser]
I'm not sure if it's quite as simple as that. As far as I can see, your two best options are to either disable global XSS filtering and call it explicitly whenever you set a rule, or add some simple logic to your config.php file which will disable it when a certain controller method is called.
#3

[eluser]Iván Argulo[/eluser]
I've done that with Youtube videos, and it's working fine.
#4

[eluser]TheFuzzy0ne[/eluser]
OK, let me rephrase. Why XSS filter and then reverse the process? Wouldn't it be easier to just prevent XSS filtering in the first place?
#5

[eluser]Iván Argulo[/eluser]
It's quite easy to forget including the XSS filter in just one input. To avoid the risk, you can turn on the global filtering, and then (if you need it, and only in that case) you can revert it.

So your application is protected...
#6

[eluser]treadsoftley[/eluser]
Thanks Guys

I was trying not to switch off the global XSS filtering, as I have been building a system on top of Backendpro, which has this setting, and I didn't want to have to go through its coding and the various additional mods I've made to make sure I wasn't opening up a can of worms.

Also the work I have been doing is with an inner city school who have some budding script kiddies in there! Of course, that's the security frame of mind that should always prevail, I guess!

Ivan, we reached the same decision (I dropped the regex idea) and have switched the global XSS off and on in this one place for this one field, and that seems to be working fine, though I may try to refine things in the future.
#7

[eluser]TheFuzzy0ne[/eluser]
I think you might have misunderstood what I was suggesting. Essentially, you can edit your config.php in a similar fashion to what I've outlined in [url="http://ellislab.com/forums/viewreply/607678/"]this thread[/url]. That should allow you to disable XSS for any specific controller method. Obviously, you'd need to enable it again within your rules for any fields that do need to be XSS filtered, but you won't have to change any of your existing code.

Hopefully that clears things up for you?
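The per-route switch TheFuzzy0ne describes, written out as an added example; this is not code from the thread or from the linked post, whose contents are not on this page. It assumes CodeIgniter 1.7/2.x, where the Input class reads global_xss_filtering once when it is constructed. config.php runs before that, so the decision has to be made there; changing the item later with $this->config->set_item() leaves already-received input untouched. The controller, method and field names (videos/save, title, description, embed) are hypothetical.

```php
<?php
// ---- application/config/config.php (excerpt) ----
// Added example, not from the thread. Keeps global XSS filtering ON by
// default and switches it OFF only for the routes listed below.

$config['global_xss_filtering'] = TRUE;

// Hypothetical controller/method whose form carries the raw video embed.
$xss_exempt_routes = array('videos/save');

// Work out the requested route from the same server variables CI's URI class
// consults. This matches the raw URI, i.e. before any remapping in routes.php.
$request_path = '';
if ( ! empty($_SERVER['PATH_INFO'])) {
    $request_path = $_SERVER['PATH_INFO'];
} elseif ( ! empty($_SERVER['REQUEST_URI'])) {
    $request_path = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
}
$request_path = trim(strtolower($request_path), '/');
$request_path = preg_replace('#^index\.php/?#', '', $request_path); // drop front controller

foreach ($xss_exempt_routes as $route) {
    // "videos/save" and "videos/save/42" qualify; "videos/saved" does not.
    if ($request_path === $route || strpos($request_path, $route . '/') === 0) {
        $config['global_xss_filtering'] = FALSE;
        break;
    }
}

// ---- application/controllers/videos.php (the exempt method) ----
// With the global filter off for this route, every field other than the
// embed must be filtered explicitly through an xss_clean validation rule.
class Videos extends Controller        // CI_Controller on 2.x
{
    function save()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('title', 'Title', 'required|xss_clean');
        $this->form_validation->set_rules('description', 'Description', 'xss_clean');
        // 'embed' deliberately has no xss_clean. It must be restricted some
        // other way (for example, accept only a known provider's URL) before
        // it is stored, or it will be echoed back to visitors unfiltered.
        $this->form_validation->set_rules('embed', 'Embed code', 'required');

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('videos/form');
            return;
        }

        // Hypothetical 'videos' table; title and description have been
        // through xss_clean, embed has not.
        $this->db->insert('videos', array(
            'title'       => $this->input->post('title'),
            'description' => $this->input->post('description'),
            'embed'       => $this->input->post('embed'),
        ));
        redirect('videos');
    }
}
```

Because the route check runs on the raw URI, a request that reaches the same method through a custom route in routes.php will not match; list the URI as it actually arrives, or check both forms.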
#8

[eluser]treadsoftley[/eluser]
Thanks Fuzzy. I thought I had cracked it with the use of
Code:
$this->config->set_item('global_xss_filtering', FALSE);
but then I realised I had forgotten to turn on the global filtering again after testing... doh! And set_item didn't do it. And your other post certainly looked to be the solution, except that I then had the idea of placing html_entity_decode() on the field output, and this rebuilt the embed perfectly and maintains security to a greater degree.

Thanks.
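One caveat on the approach in post #8: html_entity_decode() on the output reverses the filter's entity encoding for the whole field, not just the embed, so anything else in that field that xss_clean had converted to entities may come back as live markup. A narrower way to restore an embed on display, given here as an added example rather than code from the thread: pull a single provider's video ID out of the stored field and regenerate the iframe from that ID alone, so no user-supplied markup or attributes reach the page. It assumes YouTube embeds (the provider Iván mentions); the function names and the sample stored value are mine.

```php
<?php
// Added example, not from the thread. Restores a YouTube embed from an
// XSS-filtered field without decoding the rest of the field.

/**
 * Extract a YouTube video ID from a stored, XSS-filtered embed field.
 * Accepts the <iframe>/<object> markup YouTube hands out, or a bare URL,
 * in raw or entity-encoded form. Returns NULL if nothing matches.
 */
function youtube_id_from_field($stored)
{
    // Undo the two encodings the filter may have left behind on the URL:
    // HTML entities and percent-encoding (e.g. "%2C" for a comma).
    // This decoded copy is only searched, never echoed.
    $text = rawurldecode(html_entity_decode($stored, ENT_QUOTES, 'UTF-8'));

    // YouTube IDs are 11 characters from [A-Za-z0-9_-].
    $patterns = array(
        '#youtube(?:-nocookie)?\.com/embed/([A-Za-z0-9_-]{11})#i',
        '#youtube\.com/v/([A-Za-z0-9_-]{11})#i',
        '#youtube\.com/watch\?(?:[^"\'\s<>]*&)?v=([A-Za-z0-9_-]{11})#i',
        '#youtu\.be/([A-Za-z0-9_-]{11})#i',
    );
    foreach ($patterns as $re) {
        if (preg_match($re, $text, $m)) {
            return $m[1];
        }
    }
    return NULL;
}

/**
 * Build the embed from the ID alone. Width and height are cast to int so
 * nothing from the stored field ends up inside an attribute.
 */
function youtube_embed_html($stored, $width = 560, $height = 315)
{
    $id = youtube_id_from_field($stored);
    if ($id === NULL) {
        return '';   // nothing trustworthy to show
    }
    return sprintf(
        '<iframe width="%d" height="%d" src="https://www.youtube.com/embed/%s" frameborder="0" allowfullscreen></iframe>',
        (int) $width, (int) $height, $id
    );
}

// Constructed sample of a stored field: an entity-encoded YouTube iframe
// (made-up video ID) followed by a hostile tag pasted into the same field.
$stored = '&lt;iframe src="http://www.youtube.com/embed/aBcDeFgHiJk?rel=0"&gt;&lt;/iframe&gt;'
        . ' &lt;img src=x onerror=alert(1)&gt;';

// Only the rebuilt iframe is output; the img tag is never decoded into the page.
echo youtube_embed_html($stored);
```

In a CodeIgniter view this replaces `html_entity_decode($row->embed)` with `youtube_embed_html($row->embed)`; a field that holds no recognisable YouTube reference renders as nothing instead of as decoded markup.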
