semicolon appended while setting global_xss_filtering="true"

[eluser]Unknown[/eluser]
Hi All,

I set the global_xss_filtering="true" in config.php

While submitting the form,am getting semicolon appended in the last(If I use "&" char).

For example,

I gave the input like this "GOD&I",then am getting the same value in controller like this "GOD&I;"

Please any one help me.

Note:
I dont want to set global_xss_filtering as "false".

[eluser]InsiteFX[/eluser]
Try escaping it with a back slash

Code:

"GOD\&I"

[eluser]monoclonal[/eluser]
I had the same problem and worked it out, but I think I wrote a temporary hack - using str_replace(';','',$input) etc or maybe it was a trim()
sorry, not very helpful....

[eluser]Jason McCallister[/eluser]
[quote author="InsiteFX" date="1354164241"]Try escaping it with a back slash

Code:

"GOD\&I"

[/quote]

I believe that would be the most correct action to take. Otherwise, why would the ability to escape characters exist?

[eluser]monoclonal[/eluser]
In the end I made the script filter out the extra semi-colons like so:

Code:

if ($this->input->is_ajax_request()) {
    $parts = explode("&", $this->input->post('ajax_serialised_string'));
    $inputs = array();
    foreach ($parts as $fields) {
        $data = explode("=", $fields);
        $inputs[str_replace(';', '', $data[0])] = trim(urldecode($data[1]));
    }
    // do something with the data etc
}

[eluser]Unknown[/eluser]
From my analysis the below code which causes the above problem.

..\system\core\Security.php (protected function _validate_entities($str))

Line 806:
$str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str);

Because of this line we are getting ';'.

Can any one suggest me how to overcome this problem?