Home/ Questions/Q 7595949
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T21:48:01+00:00

$this->input->post(‘question’, TRUE) If even I add TRUE, it still allows people to add html

  • 0

$this->input->post('question', TRUE)

If even I add TRUE, it still allows people to add html code. Why is that?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The xss_clean() function does not remove all HTML, it removes/replaces specific things that are considered dangerous, like <script> tags.

    http://codeigniter.com/user_guide/libraries/security.html

    The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

    Someone injecting a <p> tag into your page, while maybe not desired, is not really an effective attack. You’ll have to specify what you want to do with it. In many cases, you will want HTML output that has been xss_clean()ed.

    It sounds like you want either htmlspecialchars() or strip_tags() (note: these two very different things). If you want to encode the HTML, you can also use CI’s html_escape():

    echo html_escape($this->input->post('question'));

    If you want HTML output and not entities, just use the XSS filter by itself:

    echo $this->input->post('question', TRUE);
echo xss_clean($user_input);
    • 0