CodeIgniter 2 and how to disable XSS for TinyMCE

Published 2019-02-19 00:41

Question:

I've searched every site, including Stack Overflow, on this issue.

I have XSS globally turned on, and a few pages I have use TinyMCE. On those pages I'd like the TinyMCE part to not have XSS enabled.

After reading about 40 pages, they all say to do the following:

$tiny_mce = $this->input->post('note'); // xss filtering off

or

$tiny_mce = $this->input->post('note', FALSE); // xss filtering off

I have tried both, here is my model:

public function edit($id) {
    $tiny_mce = $this->input->post('note'); // xss filtering off
    $userId = $this->ion_auth->get_user_id();
    $data = array(
        'note' => $tiny_mce
        ,'postedBy' => $userId);
    $this->db->where('id', $id);
    $this->db->update('company_notes', $data);
}

Anyone know why it's not working? Any help would be great! I really don't want to globally turn XSS off, so I'm hoping for a "per basis" approach.

Edit: I just tried

public function edit($id) {
    $this->config->set_item('global_xss_filtering', FALSE);
    $tiny_mce = $this->input->post('note'); // xss filtering off
    $userId = $this->ion_auth->get_user_id();
    $data = array(
        'note' => $tiny_mce
        ,'postedBy' => $userId);
    $this->db->where('id', $id);
    $this->db->update('company_notes', $data);
}

but that too doesn't work.

Answer 1:

There's no way to disable XSS filtering after the Controller is initialized.

Because if you enable $config['global_xss_filtering'] = TRUE; in the config.php file, CodeIgniter performs XSS filtering on $_POST, $_GET and $_COOKIE before initializing Controllers, Models and so on.

So by the time you get access to the Controller, everything is already done.

While one solution is to disable $config['global_xss_filtering'] and run XSS filtering on specific variables as you need, there's a way to keep the original (pre-filtered) values somewhere for using them later:

1) Set $config['enable_hooks'] to TRUE in application/config.php.

2) Insert the following into the application/config/hooks.php:

$hook['pre_controller'] = array(
    'class'    => '',
    'function' => 'keep_vars',
    'filename' => 'keep_vars.php',
    'filepath' => 'hooks',
    'params'   => array($_POST, $_GET)
);

Note: We are using this Hook to execute the keep_vars() function before the Controller is initialized (you might also want to consider using the 'pre_system' key).

3) Create keep_vars.php inside application/hooks/ directory with the content below:

<?php

function keep_vars($vars = array())
{
    if (empty($vars)) return;

    global $pre_filter;

    $pre_filter = array();

    foreach ($vars as $var) {
        $pre_filter = array_merge($pre_filter, $var);
    }
}

4) Finally, when you want to get access to a variable in $_GET or $_POST in your controller, define the global $pre_filter variable inside the method:

class Foo extends CI_Controller {

    public function __construct()
    {
        parent::__construct();
    }

    public function bar ()
    {
        // define as global
        global $pre_filter;

        // check the pre XSS filtered values
        print_r($pre_filter);

        // you can get access to pre filtered $_POST['key'] by:
        echo $pre_filter['key'];
    }
}

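As an added example that is not part of the original answer: a stand-alone PHP script (run from the CLI) that reproduces the keep_vars() snapshot with a constructed $_POST, uses htmlspecialchars() as a stand-in for CodeIgniter's xss_clean() (which is not available outside the framework), and then shows what to do with the recovered TinyMCE HTML before it reaches the database: reduce it to an allowlist of elements and attributes with DOMDocument rather than storing it untouched. sanitize_rich_text(), clean_children(), simulate_global_filter() and the sample note are all constructed here and are not part of CodeIgniter or the original post.

```php
<?php
// Added example, not code from the original post or from CodeIgniter.
// Runs from the CLI with a constructed $_POST and shows two things: the
// keep_vars() snapshot taken by the pre_controller hook, and an allowlist
// clean-up of the recovered TinyMCE HTML before it is stored.

function keep_vars(array $vars = array())
{
    global $pre_filter;
    $pre_filter = array();
    foreach ($vars as $var) {
        $pre_filter = array_merge($pre_filter, $var);
    }
}

// Stand-in for xss_clean(): escaping is enough to show that the globally
// filtered copy is no longer usable as rich text.
function simulate_global_filter(array $input)
{
    return array_map(function ($v) {
        return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    }, $input);
}

// Allowlist sanitizer: only the listed elements and attributes survive, every
// on* handler goes, and href must start with http(s): or mailto:.
function sanitize_rich_text($html)
{
    $allowed_tags  = array('p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a');
    $allowed_attrs = array('a' => array('href'));

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // the <?xml ...?> prefix declares the encoding; the <div> wraps the fragment
    $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper: first div in document order
    if ($root === null) {
        return '';
    }

    clean_children($root, $allowed_tags, $allowed_attrs);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_children(DOMNode $node, array $allowed_tags, array $allowed_attrs)
{
    $children = array();
    foreach ($node->childNodes as $c) {
        $children[] = $c; // copy: the live list mutates while we edit
    }
    foreach ($children as $child) {
        if ($child->nodeType === XML_COMMENT_NODE) {
            $node->removeChild($child);
            continue;
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            continue; // text nodes are kept as they are
        }
        $tag = strtolower($child->nodeName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child); // contents are code, not prose: drop the whole element
            continue;
        }
        clean_children($child, $allowed_tags, $allowed_attrs); // depth first
        if (!in_array($tag, $allowed_tags, true)) {
            // unknown element: unwrap it and keep its already cleaned children
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        for ($i = $child->attributes->length - 1; $i >= 0; $i--) {
            $attr = $child->attributes->item($i);
            $keep = isset($allowed_attrs[$tag]) && in_array($attr->name, $allowed_attrs[$tag], true);
            if ($keep && $attr->name === 'href') {
                $keep = (bool) preg_match('#^(https?:|mailto:)#i', ltrim($attr->value));
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

// --- demo with a constructed request -------------------------------------
$_POST = array(
    'note'     => '<p onclick="x()">Hello <b>world</b> <a href="javascript:void(0)">link</a></p><script>alert(1)</script>',
    'postedBy' => '7',
);
keep_vars(array($_POST, $_GET));         // what the pre_controller hook does
$_POST = simulate_global_filter($_POST); // what global_xss_filtering does to every field

echo "filtered copy : ", $_POST['note'], PHP_EOL;
echo "raw copy      : ", $pre_filter['note'], PHP_EOL;
echo "stored value  : ", sanitize_rich_text($pre_filter['note']), PHP_EOL;
```

Writing the raw copy to company_notes unchanged would make the TinyMCE field a stored XSS vector for everyone who later views the note, which is the risk the global filter was protecting against. The allowlist keeps the formatting TinyMCE produces (paragraphs, emphasis, lists, links) while dropping script elements, event-handler attributes and non-http(s) link targets. A maintained library such as HTML Purifier does the same job more thoroughly; the loop above shows the shape of the check.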

Answer 2:

After reading the security documentation 3 more times, it occurs to me that the security settings are applied when a new controller is invoked, so using

$this->config->set_item('global_xss_filtering', FALSE);

in a controller won't work. You can however use one of CI's hooks to accomplish this.

The pre_controller hook looks like it should do the trick for you.

There's a pretty nice tutorial about halfway down the page here that shows you how to override config items. It's under the 'Serving Separate Response Formats' section.

So in your config/hooks.php file add this:

$hook['pre_controller'] = array(
   'class'     => 'the_name_of_your_controller',
   'function'  => 'config', // or the name of the function that will fire on preload
   'filename'  => 'the_file_name_of_your_controller.php',
   'filepath'  => 'hooks'
);

Then in your controller, add this function:

public function config() {
   $CI =& get_instance();
   $CI->config->set_item('global_xss_filtering', FALSE);
}