Code change suggestion, Input.php file, CI_Input class, xss_clean method
#1

[eluser]Unknown[/eluser]
Hi!

I was looking at the code in the Input.php file, CI_Input class, and I was wondering whether some parts of the xss_clean method should not be changed, for instance:

Code:
$str = str_replace(array('<?php', '<?PHP', '<?', '?'.'>'),  array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
and
Code:
$str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "&lt;\\1\\2\\3&gt;", $str);

Both could be replaced by one short line of code:
Code:
$str = htmlspecialchars($str);

Or did you do it on purpose because, for example, some of the characters should be left as they are (and would be changed by htmlspecialchars()), and dealt with elsewhere? Or is your approach simply faster / less memory-consuming?


PS. I am Polish, so sorry for my language if it is wrong somewhere ;)
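An added illustration, not part of the post or of the CodeIgniter source, of why the two snippets quoted above and a blanket htmlspecialchars() call are not interchangeable. The two replacement calls are the ones from the post (with the entity-producing replacement array restored, since forum rendering decoded it); the function names and the sample strings are constructed for this example.

```php
<?php
// Added example (not from the post or from CodeIgniter): side-by-side
// comparison of the targeted xss_clean replacements and htmlspecialchars().

// The two replacements from CI_Input::xss_clean as quoted in the post.
function targeted_neutralise(string $str): string
{
    // PHP open/close tags are turned into harmless entities. The '?'.'>'
    // concatenation keeps a literal "?>" out of the source so it cannot be
    // mistaken for the end of the PHP file.
    $str = str_replace(
        array('<?php', '<?PHP', '<?', '?'.'>'),
        array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'),
        $str
    );
    // Only the listed dangerous elements are escaped; any other tag survives.
    $str = preg_replace(
        '#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is',
        "&lt;\\1\\2\\3&gt;",
        $str
    );
    return $str;
}

// The proposed one-liner: escapes every <, >, &, and " regardless of context,
// and (with the default double_encode=true) re-encodes existing entities too.
function blanket_escape(string $str): string
{
    return htmlspecialchars($str);
}

// Constructed sample inputs: benign formatting markup, a tag the filter
// targets, text that already contains an entity, and a PHP tag.
$samples = array(
    '<b>bold</b> and <i>italic</i>',
    '<script>alert(1)</script>',
    'Tom &amp; Jerry <br>',
    '<?php echo 1; ?'.'>',
);

foreach ($samples as $input) {
    echo "input:    $input\n";
    echo "targeted: " . targeted_neutralise($input) . "\n";
    echo "blanket:  " . blanket_escape($input) . "\n\n";
}
```

Running it shows the practical difference: the `<b>`/`<i>` and `<br>` markup passes the targeted version untouched but is fully escaped by htmlspecialchars(), and the pre-existing `&amp;` is double-encoded by htmlspecialchars() because its double_encode parameter defaults to true. For the `<script>` and `<?php` inputs both approaches produce the same escaped output. In other words, xss_clean tries to keep user-supplied HTML renderable while neutralising specific dangerous elements, whereas htmlspecialchars() is output encoding that makes all markup inert; which one is appropriate depends on whether the application intends to render the input as HTML at all.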



