[eluser]davdtm[/eluser]
Hi everybody, I have the following problem. I load a view by ajax (through jQuery.load()) and pass some data to that view, say 'foo', which becomes available inside the view as $_REQUEST['foo']. Within the view I need to print the value of $_REQUEST['foo'], but to prevent XSS problems I know it would be suggested to type print(htmlentities($_REQUEST['foo'])); (or htmlspecialchars(...), which is the same in this case) instead of plain print($_REQUEST['foo']);
Unfortunately, $_REQUEST['foo'] contains HTML inputs which should generate a form, so they cannot be passed to htmlentities(), because it would clearly translate the HTML tags. Doing this, I would have a list of HTML strings instead of the form inputs I need. For this reason I thought it would have been enough to use the xss_clean function provided by CI; however, I cannot use get_instance() to access the controller because the view is loaded through ajax and get_instance() seems not to be available. Thus I cannot launch xss_clean either. I'm puzzled... what can I do to filter my output against XSS while keeping the HTML data unchanged?
Thanks for any help, best regards
Davide
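One way to avoid the dilemma in the post, as an added example that is not part of the original thread or of CodeIgniter: instead of sending ready-made HTML through the request and trying to filter markup on output (a blacklist filter such as xss_clean can always be bypassed by some encoding it does not know), the ajax call sends a structured description of the fields, and the view builds the <input> tags itself with htmlspecialchars() on every attribute value. The untrusted data then never becomes markup. The request key 'fields', the JSON shape and the allow-lists are assumptions made for this example.

```php
<?php
// Added example (not from the original post or from CodeIgniter).
// The ajax caller sends a JSON array of field specs under the assumed key
// 'fields', e.g. [{"type":"email","name":"mail","placeholder":"you@example.org"}].
// The view renders the inputs itself; it never echoes client-supplied HTML.

declare(strict_types=1);

// Allow-list of input types and attributes this view is willing to render.
const ALLOWED_TYPES = ['text', 'email', 'number', 'hidden', 'password', 'checkbox'];
const ALLOWED_ATTRS = ['name', 'value', 'placeholder', 'id', 'required', 'maxlength'];

function esc(string $s): string
{
    // ENT_QUOTES: safe inside double- and single-quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build one <input> element from a field spec.
 * Unknown types fall back to "text"; unknown attributes are dropped,
 * not passed through.
 */
function renderInput(array $spec): string
{
    $type = $spec['type'] ?? 'text';
    if (!is_string($type) || !in_array($type, ALLOWED_TYPES, true)) {
        $type = 'text';
    }
    $html = '<input type="' . esc($type) . '"';
    foreach (ALLOWED_ATTRS as $attr) {
        if (!array_key_exists($attr, $spec)) {
            continue;
        }
        if ($attr === 'required') {
            // Boolean attribute: emit it or not, never its raw value.
            if ($spec[$attr]) {
                $html .= ' required';
            }
            continue;
        }
        // Scalars only; an array or object where a value belongs is tampering.
        if (!is_scalar($spec[$attr])) {
            continue;
        }
        $html .= ' ' . $attr . '="' . esc((string) $spec[$attr]) . '"';
    }
    return $html . '>';
}

function renderForm(array $fields): string
{
    $out = '';
    foreach ($fields as $field) {
        if (is_array($field)) {
            $out .= renderInput($field) . "\n";
        }
    }
    return $out;
}

// Decode the payload; anything that is not a JSON array is rejected outright.
$raw = $_REQUEST['fields'] ?? '[]';
$fields = json_decode((string) $raw, true);
if (!is_array($fields)) {
    http_response_code(400);
    exit('invalid field specification');
}

echo renderForm($fields);
```

A value such as `"><b>x` arriving in a placeholder is emitted as `&quot;&gt;&lt;b&gt;x` inside the attribute, so it is displayed as text rather than closing the tag. If the form layout must really be decided by the client, the same idea applies with a proper allow-list HTML sanitizer (HTML Purifier, for instance) on the server; escaping with htmlspecialchars() and filtering with a blacklist are not interchangeable with that.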