xss_clean and GET
#1

[eluser]charlieD[/eluser]
Does anyone know what xss_clean (whether invoked automatically or directly) actually does? I.e. what kinds of tests does it run?

Also, for the site I'm developing at the moment I've had to enable GET params. Does CodeIgniter automatically run xss_clean on these or should I make that implicit? I know it does some checking for invalid characters on the query string, but is this the full xss_clean check?
#2

[eluser]nmweb[/eluser]
It's kind of lengthy but here you go. It removes all sorts of stuff that could indicate an XSS attack. It's not run automatically by default although it could be configured to do so somewhere in the config files.

Code:
 * Remove Null Characters
 *
 * This prevents sandwiching null characters
 * between ascii characters, like Javascript.

 * Validate standard character entities
 *
 * Add a semicolon if missing.  We do this to enable
 * the conversion of entities to ASCII later.

 * Validate UTF16 two byte encoding (x00)
 *
 * Just as above, adds a semicolon if missing.

 * URL Decode
 *
 * Just in case stuff like this is submitted:
 *
 * <a href="http://www.google.com">Google</a>
 *
 * Note: Normally urldecode() would be easier but it removes plus signs

 * Convert character entities to ASCII
 *
 * This permits our tests below to work reliably.
 * We only convert entities that are within tags since
 * these are the ones that will pose security problems.

 * Convert all tabs to spaces
 *
 * This prevents strings like this: javascript
 * NOTE: we deal with spaces between characters later.
 * NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
 * so we use str_replace.
This is just for starters; it goes on and on. See input.php in the libraries folder to see what else you can't do.
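To illustrate why those normalisation steps come before the actual pattern tests, here is an added Python re-creation of the six steps quoted above (my own code, not CodeIgniter's PHP and not part of this thread). It assumes two simplifications: the two entity passes are folded into one regex, and entities are decoded everywhere rather than only inside tags; the sample strings are constructed.

```python
import html
import re
from urllib.parse import unquote


def normalize(s: str) -> str:
    """Apply the quoted normalisation steps in order, so that later
    pattern tests see one canonical form of the input."""
    # 1. Remove null characters ("java\0script" -> "javascript").
    s = s.replace("\x00", "")
    # 2./3. Add a missing semicolon to named (&lt), decimal (&#60) and
    #       hex (&#x3c) entities; the library does this in two passes,
    #       here they are folded into one pattern (my simplification).
    s = re.sub(r"(&#?x?[0-9a-zA-Z]{2,});?", r"\1;", s)
    # 4. URL-decode; unquote() keeps '+' as-is, like rawurldecode().
    s = unquote(s)
    # 5. Convert character entities to ASCII. Assumption: decoded
    #    everywhere here; the library limits this to entities inside tags.
    s = html.unescape(s)
    # 6. Convert tabs to spaces ("java\tscript" -> "java script").
    s = s.replace("\t", " ")
    return s


def looks_like_script_url(s: str) -> bool:
    """Test for the javascript: scheme after normalisation, ignoring
    whitespace between characters (the comment says the library deals
    with those spaces in a later step)."""
    compact = re.sub(r"\s+", "", normalize(s).lower())
    return "javascript:" in compact


# Constructed samples (not from the thread). The first four hide the
# same scheme behind one of the tricks the comments describe; the last
# one is a harmless query string that must not be flagged.
SAMPLES = {
    "null_byte":   "java\x00script:alert(1)",
    "tab_split":   "java\tscript:alert(1)",
    "url_encoded": "%6aavascript%3Aalert(1)",
    "entities":    "&lt;a href=&quot;javascript:alert(1)&quot;&gt;",
    "benign":      "https://example.com/?q=javascript+tutorial",
}


def scan(samples: dict) -> dict:
    """Map each sample name to whether the check flags it."""
    return {name: looks_like_script_url(v) for name, v in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan(SAMPLES).items():
        print(f"{name:12} flagged={flagged}")
```

Without the normalisation, a naive substring test would miss the first four samples, which is exactly what the null-byte, entity, URL-decode and tab steps exist to prevent.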