Codeigniter global_xss_filtering

一个人的身影 2020-12-03 18:53

In my CodeIgniter config I have $config['global_xss_filtering'] = TRUE;. In my admin section I have a CKEditor which generates the frontend content.

E

5 Answers
  •  温柔的废话
    2020-12-03 19:25

    Turn it off by default then enable it for places that really need it.

    For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.

    One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.

    http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php

    It's one hell of a long way around, but it works.

    Perhaps a config option could be created listing the bad elements for 2.0?
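
An added example (not part of the original answer or of PyroCMS) of the first suggestion, global filtering off and `xss_clean` requested per field, assuming a CodeIgniter 2 application with the session library autoloaded. The controller, the `is_admin` session key and both models are hypothetical names.

```php
<?php
// --- application/config/config.php ---
// Global filtering off: input is no longer rewritten on every request.
$config['global_xss_filtering'] = FALSE;

// --- application/controllers/content.php (hypothetical controller) ---
class Content extends CI_Controller
{
    // Admin-only path: the CKEditor HTML is stored as submitted,
    // so markup such as <object>/<embed> is not rewritten by the filter.
    public function save_page()
    {
        // Hypothetical session flag: only authenticated editors may
        // reach the unfiltered path.
        if ( ! $this->session->userdata('is_admin')) {
            show_error('Forbidden', 403);
        }

        $slug = $this->input->post('slug', TRUE); // TRUE runs xss_clean on this field
        $html = $this->input->post('body');       // no second argument: left unfiltered

        $this->load->model('page_model');         // hypothetical model
        $this->page_model->save($slug, $html);
    }

    // Public path: every visitor-supplied field is filtered individually.
    public function add_comment()
    {
        $author = $this->input->post('author', TRUE);
        $text   = $this->input->post('text', TRUE);

        $this->load->model('comment_model');      // hypothetical model
        $this->comment_model->insert($author, $text);
    }
}
```

With the global setting off, any field read without the second argument reaches the application unfiltered, so each public-facing read has to request filtering explicitly.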
