Codeigniter global_xss_filtering

In my codeigniter config I have $config['global_xss_filtering'] = TRUE;. In my admin section I have a ckeditor which generates the frontend content.

Everything that is typed and placed inside the editor works fine, images are displayed nice, html is working. All except flash. Whenever I switch to html mode and paste a youtube code piece it is escaped and the code is visible on the frontpage instead of showing a youtube movie.

If I set $config['global_xss_filtering'] = FALSE; the youtube code is passed like it should. This is because 'object', 'embed' etc are flagged as "naughty" by CI and thus escaped.

How can I bypass the xss filtering for this one controller method?

Jens asked Oct 10 '10 09:10



2 Answers

Turn it off by default then enable it for places that really need it.

For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.

One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.

http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php

It's one hell of a long way around, but it works.

Perhaps a config option could be created listing the bad elements for 2.0?

Phil Sturgeon answered Oct 05 '22 21:10


My case was that I wanted global_xss_filtering to be on by default, but sometimes I needed the $_POST data (psst, you can do this with any global PHP array, e.g. $_GET) to be raw as sent from the browser, so my solution was to:

  1. open index.php in root folder of the project
  2. add the following line of code, $unsanitized_post = $_POST;, after $application_folder = 'application'; (line #92)
  3. then whenever I needed the raw $_POST I would do the following:

    global $unsanitized_post;

    print_r($unsanitized_post);

Waqleh answered Oct 05 '22 21:10
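The following PHP is an added example, not code from either answer, from PyroCMS or from CodeIgniter. It ties the two answers together from the defensive side: global_xss_filtering stays TRUE, the one editor field is read from the raw copy that Waqleh's index.php line stores in $unsanitized_post, and rather than removing object|embed from the filter's regex as Phil's MY_Security override does, each YouTube embed is swapped for a placeholder, xss_clean runs over everything else, and the embed is rebuilt server-side as an iframe from the validated 11-character video id. Assumptions: the callable form array($this->security, 'xss_clean') for CI 2, the placeholder passing through xss_clean unchanged, and the iframe markup and dimensions, which are mine; stub_xss_clean is a stand-in so the file runs outside CodeIgniter.

```php
<?php
// Added example; not code from either answer, from PyroCMS, or from
// CodeIgniter. global_xss_filtering stays TRUE; only the editor field is
// taken from the raw $_POST copy ($unsanitized_post, Waqleh's answer), and
// YouTube embeds are replaced by placeholders before xss_clean runs, then
// rebuilt from the validated video id. Only the id survives the round trip.

// Stand-in for CodeIgniter's $this->security->xss_clean() so the file runs on
// its own: it just strips the tag names the question calls "naughty". Inside
// CI pass array($this->security, 'xss_clean') instead (assumed call form).
function stub_xss_clean($str)
{
    return preg_replace('#</?(object|embed|applet|script)\b[^>]*>#i', '', $str);
}

// Replace each <object>...</object>, <embed .../> or <iframe>...</iframe> that
// carries a youtube.com/v/ID or youtube.com/embed/ID URL with "[[yt:N]]".
// Blocks without a valid id are returned untouched so xss_clean deals with them.
function tokenise_youtube_embeds($html, array &$ids)
{
    $block = '#<embed\b[^>]*/>|<(object|embed|iframe)\b[^>]*>.*?</\1>#is';
    $video = '#https?://(?:www\.)?youtube\.com/(?:v|embed)/([A-Za-z0-9_-]{11})(?![A-Za-z0-9_-])#';
    return preg_replace_callback($block, function ($m) use (&$ids, $video) {
        if (!preg_match($video, $m[0], $id)) {
            return $m[0];
        }
        $ids[] = $id[1];
        return '[[yt:' . (count($ids) - 1) . ']]';
    }, $html);
}

// Rebuild placeholders as server-generated iframes. The id came from the strict
// regex above, so it needs no further escaping; a placeholder with no matching
// id (e.g. typed literally by the user) is simply dropped.
function restore_youtube_embeds($cleaned, array $ids)
{
    return preg_replace_callback('#\[\[yt:(\d+)\]\]#', function ($m) use ($ids) {
        if (!isset($ids[$m[1]])) {
            return '';
        }
        return '<iframe width="425" height="344" src="https://www.youtube.com/embed/'
             . $ids[$m[1]] . '" frameborder="0" allowfullscreen></iframe>';
    }, $cleaned);
}

// $xss_clean is any callable that behaves like CI's xss_clean().
function clean_editor_content($html, $xss_clean)
{
    $ids = array();
    $tokenised = tokenise_youtube_embeds($html, $ids);
    // The placeholder is plain text, so it is assumed to pass through
    // xss_clean unchanged; check this against your CI version.
    $cleaned = call_user_func($xss_clean, $tokenised);
    return restore_youtube_embeds($cleaned, $ids);
}

// In a CI 2 controller method, with the index.php line from Waqleh's answer in
// place, the editor field would be read like this (every other field still
// comes from the already-filtered $this->input->post()):
//   global $unsanitized_post;
//   $body = clean_editor_content($unsanitized_post['body'],
//                                array($this->security, 'xss_clean'));

// Constructed sample: the old-style YouTube embed code CKEditor pastes in
// "html mode", followed by a non-YouTube <embed> and a <script> that must not
// survive. VIDEOID0001 is a made-up id, not a real video.
$sample = '<p>Intro</p>'
    . '<object width="425" height="344">'
    . '<param name="movie" value="http://www.youtube.com/v/VIDEOID0001&hl=en"></param>'
    . '<embed src="http://www.youtube.com/v/VIDEOID0001&hl=en" type="application/x-shockwave-flash"></embed>'
    . '</object>'
    . '<embed src="http://untrusted.example/x.swf"></embed>'
    . '<script>alert(1)</script>';

echo clean_editor_content($sample, 'stub_xss_clean'), "\n";
```

Run as-is, the sample comes back as the intro paragraph, one iframe for VIDEOID0001, and the leftover text "alert(1)" from the stripped script tags; the non-YouTube embed is gone entirely. CodeIgniter's real xss_clean neutralises more than the stub does (it also rewrites the script body and event attributes), but the point is the same: the only thing that bypasses the filter is an id matching ^[A-Za-z0-9_-]{11}$, never the markup the user pasted.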