Are URI/URLs escaped in CI when used like so? function foo($url_arg) $this->input->get(‘foo’);

Question

0

Asked: June 8, 20262026-06-08T16:57:02+00:00 2026-06-08T16:57:02+00:00

Are URI/URLs escaped in CI when used like so? function foo($url_arg) $this->input->get(‘foo’);

0

Are URI/URLs escaped in CI when used like so?

function foo($url_arg)
$this->input->get('foo');

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-08T16:57:06+00:00

Your example contains 2 different types of inputs – a URI segment (the argument passed to foo()) and a GET array item named foo.

The URI class contains a private method called _filter_uri that, as you may have guessed, takes care of filtering the URI. First, it will check the $config['permitted_uri_chars'] item located in config.php and remove any character not defined there. Regardless of what is defined there, however, it will also do the following:

// Convert programatic characters to entities
$bad = array('$', '(', ')', '%28', '%29');
$good = array('&#36;', '&#40;', '&#41;', '&#40;', '&#41;');
return str_replace($bad, $good, $str);

Check out the URI class source for more information.

Regarding the GET array item, if $config['allow_get_array'] (again, located in config.php) is set to FALSE, the GET array will be completely destroyed. $this->input->get('foo'), by default, permits “only alpha-numeric (and a few other) characters”. If a 2nd paramater of TRUE is included, CodeIgniter will run the value(s) through its XSS filter.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Are URI/URLs escaped in CI when used like so? function foo($url_arg) $this->input->get(‘foo’);

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply