Global XSS filtering and disable individually
#1

[eluser]asumaran[/eluser]
Why, if I set
Code:
$config['global_xss_filtering'] = TRUE;
does
Code:
$company_name = $this->input->post('company_name', FALSE);

give me an XSS-filtered value?
#2

[eluser]sangprabo[/eluser]
How is it going?
Code:
$company_name = $_POST['company_name'];
#3

[eluser]P.T.[/eluser]
[quote author="asumaran" date="1312024173"]Why, if I set
Code:
$config['global_xss_filtering'] = TRUE;
does
Code:
$company_name = $this->input->post('company_name', FALSE);

give me an XSS-filtered value?[/quote]

Because the filter happens long before you call $this->input->post. The XSS filtering is one of the first things CI does.
#4

[eluser]Dandy_andy[/eluser]
I had a problem with global XSS filtering but have come up with a solution. It might not be the best way to do things, but it works. The way I get round the global XSS filter for a POST request is the following:

I use the following code where the XSS filter needs to be disabled (for example, to allow scripts and code to be added to the database).

Code:
$input = html_entity_decode($input);


which essentially converts all the characters back again. This seems to work and has enabled me to allow scripts and code to be added to the database without turning off the global XSS filtering (as I have a lot of inputs elsewhere that need it).
#5

[eluser]InsiteFX[/eluser]
You do not need to turn on the global xss_clean filter; all you need to do is this:
Code:
$company_name = $this->input->post('company_name', TRUE);  // turn on xss_clean for input->post
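Pulling posts #3, #4 and #5 together, this is the per-field pattern in CodeIgniter 2.x written out as an added example; it is not code from the thread, and the controller, table and view names are assumed (html_escape() assumes CI 2.1 or later).

```php
<?php
// application/config/config.php (assumed CodeIgniter 2.x layout)
// Leave the global filter off so the raw value is still reachable when a
// controller explicitly asks for it; filtering is chosen per field below.
$config['global_xss_filtering'] = FALSE;

// application/controllers/company.php (hypothetical controller, added example)
class Company extends CI_Controller {

    public function save()
    {
        // Second argument TRUE runs xss_clean on this field only.
        $company_name = $this->input->post('company_name', TRUE);

        // FALSE returns the raw value. With global_xss_filtering enabled this
        // would already be filtered, because CI_Input cleans $_POST when it is
        // constructed, long before post() is called (the point made in #3).
        $snippet = $this->input->post('snippet', FALSE);

        // Store the raw snippet rather than html_entity_decode()-ing a filtered
        // one: xss_clean rewrites parts of the input instead of only encoding
        // it, so decoding entities afterwards does not reliably give back what
        // was actually submitted. Table name 'snippets' is assumed.
        $this->db->insert('snippets', array(
            'company_name' => $company_name,
            'body'         => $snippet,
        ));

        // Keeping the raw value is only acceptable if every output path
        // escapes it; the view name is assumed.
        $this->load->view('snippet_saved', array(
            'company_name' => html_escape($company_name),
            'snippet'      => html_escape($snippet),
        ));
    }
}
```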
#6

[eluser]Dandy_andy[/eluser]
[quote author="InsiteFX" date="1393617994"]You do not need to turn on the global xss_clean filter; all you need to do is this:
Code:
$company_name = $this->input->post('company_name', TRUE);  // turn on xss_clean for input->post
[/quote]

But what if you've already turned on global filter and don't want to go through your entire site finding the post attributes? That's why I did what I did!
#7

[eluser]InsiteFX[/eluser]
Search - find and replace in project Gee.