The CodeIgniter Security class method xss_clean() attempts to clean POST or COOKIE data to mitigate techniques that allow code to be injected into a website. For example, it seeks to stop JavaScript from executing if it is included in a blog post submitted by a user, and it neutralises disallowed characters and constructs in data submitted through a text input field. It is a best-effort input filter rather than a complete defence, so it should be combined with escaping data at the point where it is output as HTML.
You can apply this in any controller you're creating, or, if you've extended the base controller with MY_Controller, you can add it there so that every controller inherits it. You can also autoload the security helper by adding it to $autoload['helper'] = array() in the /path/to/codeigniter/application/config/autoload.php file. To be explicitly clear, here we're loading the security helper in the constructor of the controller (that is, any controller you have):
function __construct() {
    parent::__construct();
    // Makes the xss_clean() helper function available in this controller.
    $this->load->helper('security');
}
There are two ways to do this: globally (CodeIgniter runs xss_clean() on the POST and COOKIE data every time it encounters them) and individually (CodeIgniter lets you decide when to clean COOKIE or POST data).
To enable global filtering, open /path/to/codeigniter/application/config/config.php and set $config['global_xss_filtering'] to TRUE, as follows:
$config['global_xss_filtering'] = TRUE;
However, be aware that filtering every request carries a computational overhead, and it is not always necessary to run it all the time; filtering each field where it is actually needed is often the better trade-off.
To filter individually instead, ensure that $config['global_xss_filtering'] is set to FALSE, as follows:
$config['global_xss_filtering'] = FALSE;
This turns off global XSS filtering. When you wish to use xss_clean(), enter the following code into your controller or model:
$cleaned_data = $this->security->xss_clean($data_to_be_cleaned);
Use the returned value rather than the original: xss_clean() does not modify its argument in place. Note also that it filters input only and is not a substitute for escaping output; anything you echo into HTML should still be passed through htmlspecialchars() with ENT_QUOTES.
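The per-field approach end to end, as an added example written for this page rather than code from the original text or from the CodeIgniter project: a CodeIgniter 2.x controller that keeps global filtering off, cleans only the fields it will render, and escapes on output as well. The controller name, method names, form field names and the constructed sample input are assumptions; the CodeIgniter calls used ($this->input->post() with its second argument, $this->security->xss_clean(), the xss_clean() helper function and $this->output->set_output()) are real.

```php
<?php
// application/config/config.php, weak setting beside the corrected one:
//   $config['global_xss_filtering'] = TRUE;   // filters every request; overhead on every hit
//   $config['global_xss_filtering'] = FALSE;  // filter per field, as this controller does

// Added example (not from the original page or from CodeIgniter itself).
// Class, method and field names are assumptions.
class Comments extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
        // Makes the xss_clean() helper function available; $this->security is
        // loaded by the core regardless, so either form below works.
        $this->load->helper('security');
    }

    // Handles a posted comment form with fields 'author' and 'body' (assumed names).
    public function submit()
    {
        // With global_xss_filtering FALSE this is the raw submitted value.
        $raw_body = $this->input->post('body');

        // Individual filtering, form 1: call the Security class directly.
        $clean_body = $this->security->xss_clean($raw_body);

        // Individual filtering, form 2: the second argument of post() runs
        // xss_clean() on that one field for you.
        $clean_author = $this->input->post('author', TRUE);

        // xss_clean() says nothing about SQL. Persisting these values still
        // needs query bindings or Active Record in the model (assumed model,
        // shown commented out so the example stays self-contained):
        // $this->comment_model->insert(array('author' => $clean_author, 'body' => $clean_body));

        $this->output->set_output($this->render($clean_author, $clean_body));
    }

    // Demonstrates the helper-function form on a constructed input string.
    public function demo()
    {
        // Constructed sample input: a comment body carrying a script tag and an
        // event-handler attribute, the kind of payload xss_clean() targets.
        $sample = '<b>Nice post!</b><script>alert(1)</script><img src=x onerror=alert(2)>';

        // Helper function form; equivalent to $this->security->xss_clean($sample).
        // The filter rewrites the script block and the event handler; the exact
        // replacement text depends on the CodeIgniter version, so inspect it
        // rather than relying on a specific string.
        $filtered = xss_clean($sample);

        $this->output->set_output($this->render('demo', $filtered));
    }

    // Output encoding: xss_clean() is an input filter, not output encoding.
    // Everything rendered into HTML is passed through htmlspecialchars() with
    // ENT_QUOTES so that characters the filter left alone cannot break out of
    // the surrounding markup or attribute quotes.
    private function render($author, $body)
    {
        return '<p><strong>' . htmlspecialchars($author, ENT_QUOTES, 'UTF-8') . '</strong></p>'
             . '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

Requesting /comments/submit with a posted form exercises the per-field path; /comments/demo shows the filter's effect on the constructed payload without any form. The two layers are deliberate: xss_clean() reduces what reaches storage, while htmlspecialchars() at output is what actually guarantees the stored text is rendered as text.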