Escaping user input

The CodeIgniter security class function, xss_clean(), attempts to clean input from the POST or COOKIE data to mitigate against techniques that can allow for the injection of code into a website. For example, it would seek to prevent JavaScript code from being executed if it is included in a blog post submitted by a user, or look at the data submitted in a text input field and escape disallowed characters.

Getting ready

You can apply this to any controller you're creating, or if you've extended using MY_Controller, you can add it to that if you wish. You can also autoload the security helper by adding it to $autoload['helper'] = array() in the /path/to/codeigniter/application/config/autoload.php file. To be explicitly clear, here we're loading the security helper in the constructor of the controller (that is, any controller you have):

    function __construct() {
        parent::__construct();
        // Load the security helper so xss_clean() is available in this controller
        $this->load->helper('security');
    }

How to do it...

There are two ways to do this: globally (CodeIgniter runs the filter every time it encounters POST or COOKIE data) and individually (you decide when to clean a given piece of COOKIE or POST data).

Globally

  1. CodeIgniter can call xss_clean() automatically each time it encounters the POST or COOKIE data without you needing to explicitly call xss_clean(). To do this, you'll need to amend the following file:

    /path/to/codeigniter/application/config/config.php

  2. Change the value of $config['global_xss_filtering'] to TRUE, as follows:

    $config['global_xss_filtering'] = TRUE;

    However, be aware that there is a computational overhead in doing so and it may not always be necessary for you to run this all the time.

Individually

Ensure that $config['global_xss_filtering'] is set to FALSE, as follows:

$config['global_xss_filtering'] = FALSE;

This will turn off global XSS filtering. When you wish to use xss_clean(), enter the following code into your controller or model:

$cleaned_data = $this->security->xss_clean($data_to_be_cleaned);

How it works...

In either example, you're calling the same CodeIgniter method; one is being called automatically and the other is calling it on a case-by-case basis. The code in question can be found at /path/to/codeigniter/system/core/Security.php (find the function, xss_clean()).
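The following controller, added here as an illustration rather than taken from the book or from CodeIgniter's own code, shows the individual approach applied per field. It assumes a hypothetical Comment_model with a save() method, a 'comment/form' view, and CodeIgniter 2.1 or later, where html_escape() is available.

```php
<?php
// Added example: apply xss_clean() on a case-by-case basis with
// $config['global_xss_filtering'] = FALSE. Comment_model and the
// 'comment/form' view are placeholders for this illustration.
class Comment extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        $this->load->helper('security');   // makes the xss_clean() helper available
        $this->load->model('comment_model'); // hypothetical model
    }

    public function submit()
    {
        // Passing TRUE as the second argument runs xss_clean() on this field only,
        // so the filtering overhead is paid just for data that will become HTML.
        $body = $this->input->post('body', TRUE);

        // The explicit form: the same Security::xss_clean() method that the
        // global filter calls, here invoked only where it is needed.
        $title = $this->security->xss_clean($this->input->post('title'));

        // A numeric id does not need the XSS filter; enforce its type instead.
        $post_id = (int) $this->input->post('post_id');

        $this->comment_model->save($post_id, $title, $body);

        // xss_clean() filters input; it does not replace output escaping, so the
        // value is still escaped with html_escape() when echoed into the view.
        $this->load->view('comment/form', array('preview' => html_escape($body)));
    }
}
```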
