I’ve been looking into CodeIgniter for the past few days. It looks promising, but there are a few issues. The global XSS protection is not secure at all, it sucks! I’ve been playing around with it, and I for sure can make so many “bad requests”.
What do the CodeIgniter users do? Just leave it off, and create their own XSS protection? Are there any existing classes for CodeIgniter (or PHP) that help to prevent XSS attacks?
It also seems like the XSS protection is stripping too much sometimes, when it “works” and the code finds a match.
Any help would be great! Thanks!
From my experience, CI’s XSS is pretty good — I have run into situations where it does remove something which I have wanted which can be a pain to debug if you’re not expecting it. I’ve never been able to “easily” circumvent it nor have I read about any exploits (and the CI community is fairly large).
If you are very concerned, you can turn off CI’s XSS protection and use a “more” comprehensive filter such as HTML Purifier — you might also want to read OWASP’s XSS cheat sheet, because cleaning input is only a small part of XSS protection.
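As an added illustration of the advice in this answer (not code from the question, the answer or the CodeIgniter project): turn off the blanket filter, run HTML Purifier only on the fields that genuinely have to accept HTML, and escape everything else at output time in the context it is rendered in. It assumes a CodeIgniter 2/3 style config file and a Composer-installed HTML Purifier; `purifier_for_comments`, `clean_comment_body`, `h` and the `$comment` array are hypothetical names for this example.

```php
<?php
// application/config/config.php: disable the global filter so it no longer
// silently mangles legitimate input; filtering is done per field below instead.
$config['global_xss_filtering'] = FALSE;

// Elsewhere (a helper file loaded by the controller; hypothetical, not CI's own).
require_once 'vendor/autoload.php'; // Composer-installed HTML Purifier

// Rich-text fields: allow only a small whitelist of tags, attributes and
// URI schemes. Anything not listed (scripts, event handlers, javascript: URLs)
// is removed rather than escaped.
function purifier_for_comments()
{
    $cfg = HTMLPurifier_Config::createDefault();
    $cfg->set('HTML.Allowed', 'p,b,i,em,strong,a[href],ul,ol,li,br');
    $cfg->set('URI.AllowedSchemes', array('http' => TRUE, 'https' => TRUE));
    $cfg->set('AutoFormat.RemoveEmpty', TRUE);
    return new HTMLPurifier($cfg);
}

// Returns a safe HTML fragment that can be stored and later echoed as-is.
function clean_comment_body($dirty_html)
{
    return purifier_for_comments()->purify($dirty_html);
}

// Plain-text fields: do NOT alter them on input. Store the raw value and
// escape at output time for the HTML context (ENT_QUOTES covers attributes).
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Controller side: raw input for plain text, purified input for rich text.
$title     = $this->input->post('title');                    // stored verbatim
$body_html = clean_comment_body($this->input->post('body')); // whitelisted HTML

// View side (constructed sample data): escape the plain field, echo the
// already-purified fragment directly.
$comment = array('title' => $title, 'body_html' => $body_html);
?>
<h2><?php echo h($comment['title']); ?></h2>
<div class="comment-body"><?php echo $comment['body_html']; ?></div>
```

Escaping on output rather than on input is what keeps the stored data intact and makes the encoding match the place it is rendered, which is the point the OWASP cheat sheet makes.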