Taking a look at the following code:
$this->input->post('title', FALSE);
I have manually disabled XSS filtering.
Now let's see some examples:
<p BAD_ATTR_KEY="BAD_ATTR_VAL">Salam</span>
RETURNS:
<p BAD_ATTR_KEY="BAD_ATTR_VAL">Salam</span>
<p style="color: red;">Salam</span>
RETURNS:
<p red;">Salam</span>
Any ideas how to disable this behavior so that the site admins will be able to easily assign different inline styles to any element on the page?
UPDATE:
I have enabled global XSS filtering in application/config/config.php because I need it all the time.
I don’t need XSS filtering only when trusted admins are posting their content from back end. For that purpose I have manually disabled XSS filtering as mentioned in my code above. And I think that the manual config should override default config stated at config.php, so there should be no problem with that.
I have found what my problem was according to Asad’s comment.
Even now that I had manually disabled XSS filtering using:
, that was still being removed because I had enabled XSS filtering in
application/config/config.php. I don’t really know why it couldn’t be overridden using the second parameter anyway.
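
Why the second parameter could not override the global setting, as an added example that is not part of the original post and is not CodeIgniter's own code: it models, assuming CodeIgniter 2.x behaviour, an input class that filters all POST data once at start-up when the global switch is on. `ModelInput` and `toy_filter` are hypothetical names, and the filter is a constructed stand-in that only reproduces the `style` mangling shown in the question.

```php
<?php
// Hypothetical model of the order of operations; not CodeIgniter source.
// toy_filter() is a constructed stand-in for the framework's XSS filter:
// it only mangles style attributes, like the output shown in the question.
function toy_filter(string $s): string
{
    return preg_replace('/style="[^":]*:\s*/i', '', $s);
}

final class ModelInput
{
    private array $post;

    public function __construct(array $rawPost, bool $globalXssFiltering)
    {
        // With the global switch on, every value is filtered once, up front,
        // and the raw value is discarded.
        $this->post = $globalXssFiltering
            ? array_map('toy_filter', $rawPost)
            : $rawPost;
    }

    // $xssClean = true adds a filtering pass; false cannot undo an earlier one.
    public function post(string $key, bool $xssClean = false): ?string
    {
        if (!isset($this->post[$key])) {
            return null;
        }
        return $xssClean ? toy_filter($this->post[$key]) : $this->post[$key];
    }
}

// Constructed sample input, taken from the second example in the question.
$raw = ['title' => '<p style="color: red;">Salam</span>'];

// Global filtering on: the per-call FALSE has nothing raw left to return.
$globalOn = new ModelInput($raw, true);
echo $globalOn->post('title', false), PHP_EOL;

// Global filtering off: FALSE returns the raw value (trusted admin path),
// TRUE filters on request (every path that handles untrusted input).
$globalOff = new ModelInput($raw, false);
echo $globalOff->post('title', false), PHP_EOL;
echo $globalOff->post('title', true), PHP_EOL;
```

With the global switch off, filtering becomes opt-in, so every read of untrusted input has to request it explicitly or escape the value on output.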