CodeIgniter adding semicolons

How do I stop CodeIgniter adding semicolons ; to data sent via POST that contains ampersand &开发者_如何学Go;?

For example it is converting "a=1&b=2&c=3" into "a=1&b;=2&c;=3". From looking on the forums it seems to be XSS filtering, which I don't want to disable site-wide only for 1 controller, so I tried the code below but it's still doing it:

$this->config->set_item('global_xss_filtering',false);

I'm not using XSS filtering, since it still have bug in it. For example, you will not be able to post a form that have youtube embed code in it when XSS filtering is on. I only use the filter per field that I want it to sanitized.

If your form is working with XSS filtering turned off, then turned it off. If you need to sanitize it against XSS attack, maybe consider another library, such as HTML purifier.

The problem is at the Security class

The following line is adding a semicolon if missing.

$str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str);

The solution is to extend CI, creating your own My_Security class. Stick it in the core folder with the _validate_entities function.

Comment the line above.

To turn off cross-site scripting filtering refer to the codeigniter this user guide page

Alternatively, if you want to leave fix the code by hacking core check out this solution