 

Does CodeIgniter input->post() remove HTML tags?

Does using $this->input->post(); in CodeIgniter remove any HTML and JavaScript the user of the website may have entered, or do you have to use htmlspecialchars();?

something asked Mar 07 '26 08:03


2 Answers

$this->input->post() only contains post data.

You could always call $this->input->post(NULL, TRUE); as per the manual to return data filtered through the XSS filter.

You can see here exactly what's happening: it basically re-builds the $_POST array using fetch_from_array. This invokes the security module for XSS, $this->security->xss_clean($array[$index]), if you set the XSS filter to TRUE.

If there's something that XSS filter doesn't catch, your code is exposed.

I would generally never filter my raw input data like this before it's being used, but rather only when it's about to be used, and in that specific way.

Malicious content is nearly impossible to prevent if you filter it on input, because it's designed to be run as output.

  • When you're printing to an HTML document ensure your special chars are html encoded
  • When calling SQL, ensure you're running parameterized queries without SQL injection exploits
  • When you're making system calls, don't let them take control of your system.

As mentioned in the comments of my answer, the XSS input filter is an inadequate attempt at preventing attacks.

If in doubt, consult OWASP.

Incognito answered Mar 09 '26 21:03
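A worked example of the "escape at the point of use, not on input" approach described in the answer above. This is an added example, not code from the answer or from CodeIgniter itself; it targets CodeIgniter 3, and the table name (comments), its columns (id, author, body) and the view name (comment_view) are assumed.

```php
<?php
// Added example (not from the answer): keep post data raw, bind it in SQL,
// and HTML-encode it only when it is rendered. Assumed: table "comments"
// (id, author, body) and a view file "comment_view".
defined('BASEPATH') OR exit('No direct script access allowed');

class Comments extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->helper('url');   // for redirect()
    }

    public function store()
    {
        // Raw input: the second argument (XSS filter) is left at its default of
        // FALSE, so the stored text is exactly what the user sent.
        $author = (string) $this->input->post('author');
        $body   = (string) $this->input->post('body');

        // SQL context: query bindings, never string concatenation.
        $this->db->query(
            'INSERT INTO comments (author, body) VALUES (?, ?)',
            array($author, $body)
        );

        redirect('comments/show/' . $this->db->insert_id());
    }

    public function show($id)
    {
        $row = $this->db->query(
            'SELECT author, body FROM comments WHERE id = ?',
            array((int) $id)
        )->row();
        if (!$row) {
            show_404();
        }

        // HTML context: html_escape() is the CI 3 wrapper around
        // htmlspecialchars() with ENT_QUOTES and the configured charset, so the
        // same call is safe for element bodies and for quoted attribute values.
        $data = array(
            'author' => html_escape($row->author),
            'body'   => html_escape($row->body),
        );
        $this->load->view('comment_view', $data);
    }
}
```

In comment_view the values are printed as-is (e.g. `<p><?php echo $body; ?></p>`), since the encoding already happened for that one context; data going into a JavaScript block or a URL would need its own context-specific encoding instead.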


CodeIgniter has a security class and you can use it anytime you want. Also you can add htmlspecialchars() whenever and wherever you want.

Ivanka Todorova answered Mar 09 '26 22:03

