Overriding global XSS filtering
#1

[eluser]besson3c[/eluser]
Hello,

I just realized that the global XSS filtering setting can mess up password inputs if the password includes certain characters. Is there a way to override this setting for particular form elements? If not, would it be possible to toggle this setting off temporarily while assigning this form input to a variable?

I could play around with this for myself, but I'm not sure what sorts of input will result in modification post-sanitization/filtering. Can anyone please provide me with an example?
#2

[eluser]Twisted1919[/eluser]
Basically, what you need to do is, at the beginning of the request, right before the global cleaning takes place, make a copy of the $_POST array and use that copy when you want the original, uncleaned variables.
Extending the security class might be the perfect way of doing this, something like:
Code:
class MY_Security extends CI_Security {

  // Untouched copy of $_POST, captured before CI_Input runs xss_clean() on it.
  public $original_post_array;

  public function __construct()
  {
     // CodeIgniter loads the Security class before CI_Input sanitizes the
     // globals, so $_POST is still the raw request data at this point.
     if ($this->original_post_array === null && ! empty($_POST))
        $this->original_post_array = $_POST;
     parent::__construct();
  }

}
Then in your code, you can check like:
Code:
if (isset($this->security->original_post_array['password']))
{
   // do something here with the original (uncleaned) value.
}

Please note, if you use CKEDITOR, or any other editor, the xss_clean() method will strip many of the elements' attributes, e.g.:
Code:
<div style="font-weight:bold">BOLD FONT ? </div>
//becomes:
<div>BOLD FONT ? </div>
So having a variable that holds the original $_POST array is a good idea in your case, maybe instead of cleaning the content of an editor with xss_clean() you might wanna do it with html purifier.
#3

[eluser]bubbafoley[/eluser]
You can turn XSS filtering on/off when retrieving data.

Code:
$config['global_xss_filtering'] = TRUE;

Code:
$username = $this->input->post('username'); // filtered
$password = $this->input->post('password', FALSE); // unfiltered

== OR ==

Code:
$config['global_xss_filtering'] = FALSE;

Code:
$username = $this->input->post('username', TRUE); // filtered
$password = $this->input->post('password'); // unfiltered

Read more: http://www.gregaker.net/2011/mar/30/what..._i_use_it/
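A fuller version of the second configuration above, as an added example that is not code from this thread or from CodeIgniter itself: global filtering stays off, displayable fields are cleaned at fetch time, and the password (which is only ever hashed, never rendered) is read raw. It assumes CodeIgniter 2.x, PHP 5.5+ for password_hash()/password_verify(), the session library autoloaded, and a hypothetical users table with id, username and password_hash columns.

```php
<?php
// application/config/config.php is assumed to contain:
//   $config['global_xss_filtering'] = FALSE;
class Auth extends CI_Controller
{
    // Registration: hash the raw submission, never a filtered copy of it.
    public function register()
    {
        $username = $this->input->post('username', TRUE); // filtered: may be rendered later
        $password = $this->input->post('password');       // unfiltered: hashed, never output

        if ($username === FALSE || $password === FALSE) {
            show_error('username and password are required', 400);
        }

        // Answers post #1's question: log (never show the user) when xss_clean()
        // would have altered this particular password.
        if ($this->security->xss_clean($password) !== $password) {
            log_message('debug', 'xss_clean() would have modified a submitted password');
        }

        $this->db->insert('users', array(
            'username'      => $username,
            'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        ));
    }

    // Login: compare the raw submission against the stored hash.
    public function login()
    {
        $username = $this->input->post('username', TRUE);
        $password = $this->input->post('password');

        $row = $this->db->get_where('users', array('username' => $username))->row();

        // A missing row or a mismatch both fall through to the same failure path.
        if ($row !== NULL && $password !== FALSE
            && password_verify($password, $row->password_hash)) {
            $this->session->set_userdata('user_id', $row->id);
            return;
        }
        show_error('invalid credentials', 401);
    }
}
```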
#4

[eluser]Matty[/eluser]
[quote author="Twisted1919" date="1307974817"]Basically, what you need to do is, at the beginning of the request, right before the global cleaning takes place, make a copy of the $_POST array and use that copy when you want the original, uncleaned variables.
Extending the security class might be the perfect way of doing this, something like:
Code:
class MY_Security extends CI_Security {

  // Untouched copy of $_POST, captured before CI_Input runs xss_clean() on it.
  public $original_post_array;

  public function __construct()
  {
     // CodeIgniter loads the Security class before CI_Input sanitizes the
     // globals, so $_POST is still the raw request data at this point.
     if ($this->original_post_array === null && ! empty($_POST))
        $this->original_post_array = $_POST;
     parent::__construct();
  }

}
Then in your code, you can check like:
Code:
if (isset($this->security->original_post_array['password']))
{
   // do something here with the original (uncleaned) value.
}

Please note, if you use CKEDITOR, or any other editor, the xss_clean() method will strip many of the elements' attributes, e.g.:
Code:
<div style="font-weight:bold">BOLD FONT ? </div>
//becomes:
<div>BOLD FONT ? </div>
So having a variable that holds the original $_POST array is a good idea in your case, maybe instead of cleaning the content of an editor with xss_clean() you might wanna do it with html purifier.[/quote]

Brilliant, this is just what I was looking for and it works perfectly.