CodeIgniter is brilliant, but I’m using it to develop a site where users need to be able to share their code for websites. Unfortunately, CodeIgniter has been doing the “right” thing by removing <script> tags from my users’ inputs into the database, so when it’s returned, the data looks like this:
[removed] User’s data [removed]
However, I need my site to DISPLAY script tags but obviously not PARSE them. How can I get CodeIgniter or PHP to return <script> tags, but still sanitise them for the database and return them without them executing?
Thanks!
Jack
EDIT: By the way, it’s not an option to use stuff like Markdown, everything has to output to copy-pastable code that could work with no modification somewhere else
So, you want script tags displaying, but you don’t want them rendered by the browser?
If that’s the case, then I would use a simple htmlspecialchars() function to parse the code and convert all of the <script> tags to &lt;script&gt;. I believe a somewhat equivalent function in CodeIgniter is form_prep(), from the Form helper, but how it behaves outside of form elements I don’t know. So the htmlspecialchars() function should do just what you are asking.

I agree with Tom, above, in that you will need to disable global XSS filtering if you don’t want your form elements having script tags stripped before they are saved.
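Putting that answer into practice as an added example (this is not code from the original post or from the CodeIgniter project): store the pasted code verbatim, keep the database safe with query bindings, and escape only at output time. The snippets table, its code column and the render_code_snippet() helper are assumed names.

```php
<?php
// 1. application/config/config.php: switch off global XSS filtering so CodeIgniter
//    stops replacing <script> with [removed] before the data reaches the database.
//    $config['global_xss_filtering'] = FALSE;

// 2. In a controller (CodeIgniter 2.x / 3.x): read the field with xss_clean
//    explicitly FALSE and insert it with query bindings, which take care of
//    escaping the value for the database without altering what is stored.
//    $code = $this->input->post('code', FALSE);
//    $this->db->query('INSERT INTO snippets (code) VALUES (?)', array($code));

// 3. Escape on output. Plain PHP, so it can be called from any CodeIgniter view.
function render_code_snippet($raw)
{
    // ENT_QUOTES escapes both " and ' so the result is also safe inside an
    // attribute; naming the charset stops htmlspecialchars() guessing it.
    $escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // <pre> keeps the user's indentation and line breaks intact, so what is
    // displayed is still copy-pastable as-is.
    return '<pre><code>' . $escaped . '</code></pre>';
}

// Constructed sample input, the kind of thing a user might paste.
$user_code = "<script>alert('hi');</script>\n<div class=\"x\">&amp; text</div>";

echo render_code_snippet($user_code);
// HTML actually sent to the browser (the tags are shown as text, not executed):
// <pre><code>&lt;script&gt;alert(&#039;hi&#039;);&lt;/script&gt;
// &lt;div class=&quot;x&quot;&gt;&amp;amp; text&lt;/div&gt;</code></pre>
```

Escape exactly once, at output: if the value was already run through form_prep() or htmlspecialchars() before being stored, rendering it this way double-escapes it and the user sees &amp;lt; instead of <.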