Codeigniter xss_clean issue

Question

In codeigniter the $this->input->post() (with xss_clean=true)

gives this output

[removed]alert&#40;'Hello'&#41;[removed]

for this input string

<script>alert('Hello')</script>

I want the output without containing [removed], i.e. alert('Hello')

Finally i ended up editing system/core/security.php file.

From

$str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '[removed]', $str);

To

$str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '', $str);

It does the job.

I'm just asking if there is any alternative way to do this without changing system files ?

Additionally ,

Should i use codeigniter's xss_clean function ?

score 1 · Answer 1 · edited May 23 '17 at 12:14

1

Yes, try extend class from CI_Security and write new function:

protected function _do_never_allowed($str)

it will be more OOP way.

EDIT:

CodeIgniter allow you extend core classes. See this link:

edited May 23 '17 at 12:14

Community

answered Jan 21 '15 at 14:35

stepozer

score 1 · Answer 2 · answered Jan 21 '15 at 14:35

1

You should NEVER edit the core files.

Instead, you should just extend the Security class, from the application.

Create a file called "MY_Security.php" within ./application/core and extend the Security class.

answered Jan 21 '15 at 14:35

Craig

2 Answers2