
Codeigniter global_xss_filtering

In my codeigniter config I have $config['global_xss_filtering'] = TRUE;. In my admin section I have a ckeditor which generates the frontend content.

Everything that is typed and placed inside the editor works fine, images are displayed nicely, HTML is working. All except Flash. Whenever I switch to HTML mode and paste a YouTube code piece it is escaped and the code is visible on the front page instead of showing a YouTube movie.

If I set $config['global_xss_filtering'] = FALSE; the YouTube code is passed like it should. This is because 'object', 'embed' etc. are flagged as "naughty" by CI and thus escaped.

How can I bypass the XSS filtering for this one controller method?


Turn it off by default then enable it for places that really need it.

For example, I have it turned off for all my controllers, then enable it for comments, pages, etc.

One thing you can do is create a MY_Input (or MY_Security in CI 2) like the one in PyroCMS and override the xss_clean method with an exact copy, minus the object|embed| part of the regex.

http://github.com/pyrocms/pyrocms/blob/master/system/pyrocms/libraries/MY_Security.php

It's one hell of a long way around, but it works.

Perhaps a config option could be created listing the bad elements for 2.0?


My case was that I wanted global_xss_filtering to be on by default, but sometimes I needed the $_POST data (psst, you can do this with any global PHP array, e.g. $_GET...) to be raw as sent from the browser, so my solution was to:

  1. open index.php in the root folder of the project
  2. add the following line of code $unsanitized_post = $_POST; after $application_folder = 'application'; (line #92)
  3. then whenever I needed the raw $_POST I would do the following:

    global $unsanitized_post;

    print_r($unsanitized_post);


In CodeIgniter 2.0 the best thing to do is to override xss_clean on the core CI library. Using MY_Security.php, put this in the application/core folder, then in /application/config.php set

$config['xss_exclude_uris'] = array('controller/method');

Here's the MY_Security.php (https://gist.github.com/slick2/39f54a5310e29c5a8387):

<?php

/**
 * CodeIgniter version 2
 * Note: Put this file in your application/core folder as MY_Security.php
 */

class MY_Security extends CI_Security {

    function __construct()
    {
        parent::__construct();
    }

    /**
     * Skip XSS cleaning for the controller/method pairs listed in
     * /application/config/config.php:
     *     $config['xss_exclude_uris'] = array('controller/method');
     * Everything else falls through to the stock CI_Security::xss_clean().
     */
    function xss_clean($str, $is_image = FALSE)
    {
        $bypass = FALSE;

        // Global filtering runs from CI_Input's constructor, before any
        // controller exists, so build Config and URI instances directly.
        $config = new CI_Config;
        $uri = new CI_URI;
        $uri->_fetch_uri_string();
        $uri->_explode_segments();

        $controllers_list = $config->item('xss_exclude_uris');

        // we need the controller class and method only;
        // segments are still 0-indexed here because _reindex_segments() has not run
        if (!empty($controllers_list))
        {
            $segments = $uri->segment_array();
            if (!empty($segments))
            {
                if (!empty($segments[1]))
                {
                    $action = $segments[0] . '/' . $segments[1];
                }
                else
                {
                    $action = $segments[0];
                }
                if (in_array($action, $controllers_list))
                {
                    $bypass = TRUE;
                }
            }
        }

        // release the temporary objects
        unset($config, $uri);

        return $bypass ? $str : parent::xss_clean($str, $is_image);
    }

}


Simply do the following in the views when displaying embedded object code, like from YouTube etc.:

echo str_replace(array('&lt;', '&gt;'), array('<', '>'), $embed_field);


The global XSS filtering is only escaping (or converting) certain "dangerous" HTML tags like <html>.

Simple Workaround:

  1. Set $config['global_xss_filtering'] = TRUE;
  2. Run your POST data through HTMLPurifier to remove any nasty <script> tags or JavaScript.
    • HTMLPurifier Docs
    • HTMLPurifier Codeigniter Integration
  3. On the page where you receive the form's POST data use html_entity_decode() to undo what XSS filtering did.

    // by decoding first, we remove everything that the XSS filter did
    // then we encode all characters equally.
    $content = html_entity_decode($this->input->post('template_content'));
    
  4. Then immediately run it through htmlentities()

    $content = htmlentities($content);
    
  5. Store as a Blob in MySQL database

  6. When you want to display the information to the user for editing run html_entity_decode()

This is how I did it. If anyone knows of a major flaw in what I did, please tell me. It seems to be working fine for me. I haven't had any unexpected errors.
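The raw-$_POST copy from the index.php answer and the HTMLPurifier step from the answer above can be combined so that only the one embed field escapes the global filter, and that field is then reduced to an allowlisted player iframe or a sandboxed Flash object. This is an added example and not code from any answerer; MY_Input::raw_post(), purify_embed() and the helper file name are hypothetical, and it assumes CodeIgniter 2.x with HTMLPurifier already required.

```php
<?php
// application/core/MY_Input.php  (CodeIgniter 2.x, hypothetical helper class)
class MY_Input extends CI_Input {

    protected $_raw_post = array();

    public function __construct()
    {
        // Copy $_POST before CI_Input's constructor runs _sanitize_globals(),
        // the step where global_xss_filtering rewrites the superglobals.
        $this->_raw_post = $_POST;
        parent::__construct();
    }

    // Unfiltered value of a single POST field, or FALSE when absent.
    // Only the field the caller names escapes the global filter; every
    // other field stays XSS-cleaned as usual.
    public function raw_post($key)
    {
        return isset($this->_raw_post[$key]) ? $this->_raw_post[$key] : FALSE;
    }
}

// application/helpers/embed_helper.php (hypothetical name); assumes
// HTMLPurifier's library/HTMLPurifier.auto.php has been required already.
function purify_embed($html)
{
    $cfg = HTMLPurifier_Config::createDefault();
    // Allow <iframe> only when its src matches the player URLs below.
    $cfg->set('HTML.SafeIframe', TRUE);
    $cfg->set('URI.SafeIframeRegexp',
        '%^(https?:)?//(www\.youtube(-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%');
    // Legacy <object>/<embed> Flash code: HTMLPurifier keeps it but forces
    // allowScriptAccess=never and allowNetworking=internal on the plugin.
    $cfg->set('HTML.SafeObject', TRUE);
    $cfg->set('HTML.SafeEmbed', TRUE);
    $cfg->set('Output.FlashCompat', TRUE);
    $purifier = new HTMLPurifier($cfg);
    return $purifier->purify($html);
}

// Controller usage: take the raw field, purify it, store the purified HTML.
// $embed = purify_embed($this->input->raw_post('template_content'));
```

Storing the purified HTML means the view can echo it directly, without the decode-then-undo-escaping step that the str_replace answer relies on.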
