Should I enable xss Clean for my site?
#1

[eluser]Frank Rocco[/eluser]
Hello,

I am using ion Authority and CI form post for searching.

I noticed that xss clean is off in my config.

Is it a good idea to enable it?

Thanks
#2

[eluser]InsiteFX[/eluser]
Check your input->post code and see if they are using xss clean

You do not need to use the global xss clean if you use it on all your input->post

The global xss clean will slow your website down!

InsiteFX
#3

[eluser]Frank Rocco[/eluser]
Not sure I understand.

If I use
Code:
$search = trim($this->input->post('search'));
$action = $this->input->post("submit");
will this take care of it?
#4

[eluser]Eric Barnes[/eluser]
No, it has a second parameter:
$this->input->post('search', TRUE);

http://www.gregaker.net/2011/mar/30/what..._i_use_it/
#5

[eluser]Frank Rocco[/eluser]
Thank you,

I will recode it.
#6

[eluser]ELRafael[/eluser]
To read, change s.cript => script ;-)
Code:
// $_POST['content'] = '<s.cript type="text/javascript">alert("hi");</s.cript>'
$insert['content'] = $this->input->post('content', TRUE);
// $insert['content'] = '[removed]alert("hi")[removed]'

$insert['content'] = $this->input->post('content');
// Now $insert['content'] has the right value


So, the answer is:
depends
#7

[eluser]Madmartigan1[/eluser]
It's good practice to do it the way InsiteFX and Eric Barnes said, because once the filter is enabled globally, there's nothing short of hacking the core you can do to disable it.

As soon as you have one input that you do not wish to run xss_clean on, you pretty much need to disable the global filter, and go through all of your code to set the filter on each input.

If you **know** that you'll **always** need it, enable it globally. If you have any doubts, run it explicitly.

You can also use xss_clean as a form validation prep rule rather than cleaning it when you read $this->input->post($key). It will be "clean" already.
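The three ways of applying xss_clean that the replies above describe (the second parameter of input->post() from post #4, the data-rewriting shown in post #6, and the form validation prep rule from post #7), collected into one controller. This is an added example, not code from any of the posters or from CodeIgniter itself; it assumes a stock CodeIgniter 2.x install with the Form_validation library, and the controller name, form field names and view names are placeholders.

```php
<?php
// Added example (not from the thread). Assumes CodeIgniter 2.x; the class,
// field and view names below are placeholders chosen for illustration.
//
// Global filtering is controlled in application/config/config.php:
//   $config['global_xss_filtering'] = FALSE;   // what the thread recommends
// With it set to TRUE the Input class rewrites every $_POST value when it is
// loaded, so no per-call argument can get the original value back (post #7).

class Search extends CI_Controller {

    // Post #4: clean one field at a time with the second parameter. Only the
    // fields you pass TRUE for are touched; everything else stays as submitted.
    public function index()
    {
        $search = trim($this->input->post('search', TRUE));
        $action = $this->input->post('submit', TRUE);

        if ($action !== FALSE && $search !== '')
        {
            // Hypothetical model call; the query itself is parameterised by
            // Active Record, xss_clean has nothing to do with SQL safety.
            $data['results'] = $this->db->like('title', $search)
                                        ->get('articles')
                                        ->result();
        }
        else
        {
            $data['results'] = array();
        }

        // The search term is echoed back into HTML, so escape it for that
        // context regardless of whether it was run through xss_clean.
        $data['search_html'] = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
        $this->load->view('search/results', $data);
    }

    // Post #7: xss_clean as a prep rule. After run(), Form_validation writes
    // the processed values back into $_POST, so a plain input->post() with no
    // second parameter already returns the cleaned string.
    public function save()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('content', 'Content', 'required|trim|xss_clean');

        if ($this->form_validation->run() === FALSE)
        {
            // validation_errors() is available to the view here
            $this->load->view('search/form');
            return;
        }

        $insert['content'] = $this->input->post('content'); // already cleaned
        $this->db->insert('comments', $insert);
        redirect('search');
    }

    // Post #6: xss_clean changes the data ('<script>' becomes '[removed]').
    // When the exact submitted bytes matter (a code snippet, a password that
    // is only ever hashed), read the field unfiltered, keep it as-is, and
    // escape it at the point where it is rendered instead.
    public function snippet()
    {
        $raw = $this->input->post('content'); // unfiltered; global filter is off

        if ($raw === FALSE)
        {
            show_error('No content submitted', 400);
        }

        $this->db->insert('snippets', array('content' => $raw));

        // HTML-escape on output so the stored value is shown verbatim but
        // cannot be interpreted as markup by the browser.
        $data['content_html'] = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
        $this->load->view('search/snippet', $data);
    }
}
```

The deciding question from the thread is whether any field must ever reach your code unmodified; if so, keep `global_xss_filtering` off and use the first two patterns per field, since the third one only works when the global filter is not rewriting `$_POST` first.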



