I've searched every site, including Stack Overflow, on this issue.
I have XSS filtering globally turned on, and a few pages I have use TinyMCE. On those pages I'd like the TinyMCE part to not have XSS filtering enabled.
After reading about 40 pages, they all say to do the following:
$tiny_mce = $this->input->post('note'); // xss filtering off
or
$tiny_mce = $this->input->post('note', FALSE); // xss filtering off
I have tried both; here is my model:
public function edit($id) {
    $tiny_mce = $this->input->post('note'); // xss filtering off
    $userId = $this->ion_auth->get_user_id();
    $data = array(
        'note'     => $tiny_mce,
        'postedBy' => $userId,
    );
    $this->db->where('id', $id);
    $this->db->update('company_notes', $data);
}
Anyone know why it's not working? Any help would be great! I really don't want to globally turn XSS filtering off, so I'm hoping for a "per-case" approach.
Edit: I just tried
public function edit($id) {
    $this->config->set_item('global_xss_filtering', FALSE);
    $tiny_mce = $this->input->post('note'); // xss filtering off
    $userId = $this->ion_auth->get_user_id();
    $data = array(
        'note'     => $tiny_mce,
        'postedBy' => $userId,
    );
    $this->db->where('id', $id);
    $this->db->update('company_notes', $data);
}
but that too doesn't work.
After reading the security documentation 3 more times, it occurs to me that the security settings are applied when a new controller is invoked, so using
$this->config->set_item('global_xss_filtering', FALSE);
in a controller won't work. You can however use one of CI's hooks to accomplish this.
The pre_controller hook looks like it should do the trick for you.
There's a pretty nice tutorial about halfway down the page here that shows you how to override config items. It's under the 'Serving Separate Response Formats' section.
So in your config/hooks.php file add this:
Then in your controller add this function:
There's no way to disable XSS filtering after the Controller is initialized.
Because if you enable
$config['global_xss_filtering'] = TRUE;
in the config.php file, CodeIgniter performs XSS filtering on $_POST, $_GET, $_COOKIE before initializing Controllers, Models and ... So when you get access to the Controller, everything is done before.
While a solution is to disable $config['global_xss_filtering'] and run XSS filtering on specific variables as you need, there's a way to keep the original (pre-filtered) values somewhere for using them later:
1) Set $config['enable_hooks'] to TRUE in application/config.php.
2) Insert the following into application/config/hooks.php:
Note: We are using this Hook to execute the keep_vars() function before the Controller is initialized (you might also want to consider using the 'pre_system' key).
3) Create keep_vars.php inside the application/hooks/ directory with the content below:
4) Finally, when you want to get access to a variable in $_GET or $_POST in your controller, define the global $pre_filter variable inside the method:
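As an added illustration of the hook approach described in the two answers above (this is not the code either answer posted, and not part of CodeIgniter itself), here is one complete way to wire it up. It assumes CodeIgniter 2.x, where the Input class constructor runs xss_clean() over $_GET, $_POST and $_COOKIE in place when global_xss_filtering is TRUE; that constructor runs before the pre_controller hook, so the snapshot is taken at pre_system instead. The file name keep_vars.php, the function keep_vars(), the global $pre_filter, and the model class name Company_notes_model are assumptions chosen to match the steps above and the asker's edit() method. In CodeIgniter 3.x the global filter is applied when a value is fetched rather than to the superglobals, so there $this->input->post('note', FALSE) already returns the raw value and no hook is needed.

```php
<?php
// Added example: three CodeIgniter 2.x files shown in one block, each
// section marked with its path. Assumed names: keep_vars.php, keep_vars(),
// $pre_filter, Company_notes_model.

// ---- application/config/config.php (existing setting to change) ----
// $config['enable_hooks'] = TRUE;

// ---- application/config/hooks.php ----
// 'pre_system' fires before system/core/CodeIgniter.php loads the Input
// class, whose constructor sanitizes $_GET/$_POST/$_COOKIE in place when
// global_xss_filtering is TRUE. 'pre_controller' fires after that and
// would only ever see the already-filtered arrays.
$hook['pre_system'] = array(
    'class'    => '',              // empty: call a plain function, not a method
    'function' => 'keep_vars',
    'filename' => 'keep_vars.php',
    'filepath' => 'hooks',         // relative to APPPATH
    'params'   => array(),
);

// ---- application/hooks/keep_vars.php ----
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/**
 * Snapshot the request arrays before the global XSS filter touches them.
 * PHP arrays are copied by value, so the later in-place xss_clean() on
 * $_POST and $_GET does not change this copy.
 */
function keep_vars()
{
    global $pre_filter;

    $pre_filter = array(
        'get'  => $_GET,
        'post' => $_POST,
    );
}

// ---- application/models/company_notes_model.php ----
class Company_notes_model extends CI_Model
{
    public function edit($id)
    {
        global $pre_filter;

        // Raw TinyMCE HTML exactly as submitted. $this->input->post('note')
        // would return the globally filtered version instead.
        $note = isset($pre_filter['post']['note'])
            ? $pre_filter['post']['note']
            : '';

        $userId = $this->ion_auth->get_user_id();

        $data = array(
            'note'     => $note,
            'postedBy' => $userId,
        );

        // Query-builder update; values are escaped by the DB driver, so
        // bypassing xss_clean() does not affect SQL safety here.
        $this->db->where('id', $id);
        $this->db->update('company_notes', $data);
    }
}
```

One caveat a practitioner would want stated: bypassing the global filter means the note is stored as whatever HTML the browser sent, and xss_clean() was the only thing stripping scripts from it. Treat the TinyMCE markup as untrusted and pass it through an allowlist HTML sanitizer (HTML Purifier is the usual choice in PHP) before storing it or before rendering it back to other users.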