CodeIgniter, XSS cleaning, and form output
If you are a CodeIgniter user, please use caution when outputting any user input into your views, even after it has been passed through xss_clean() or when global XSS filtering is on. xss_clean() neutralizes known attack patterns, but it does not HTML-encode the value, so it does not prepare output for use in a form field: a quote character in the input can still terminate a value="" attribute. To safely output user input in a form field, you also need to load the form helper and pass the value through form_prep(). form_prep() is not available in the Input class.
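As an added illustration (not code from the original post or from CodeIgniter itself), this stand-alone PHP script shows the difference between echoing a value straight into an attribute and encoding it first; prep_for_attribute() is a stand-in for form_prep() built on htmlspecialchars(), which is an assumption about how form_prep() behaves, and the sample input is constructed.

```php
<?php
// Added example, not part of the original post or of CodeIgniter.
// Demonstrates why a value that passed xss_clean() still needs
// form_prep() (or equivalent encoding) before it goes into value="".

// Stand-in for CodeIgniter's form_prep(): HTML-encode the characters
// that matter inside an attribute. This is an assumption about its
// behaviour; the real helper also avoids double-encoding, which is
// left out here.
function prep_for_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Build the form field both ways so the two outputs can be compared.
function render_unsafe(string $value): string
{
    // Raw value echoed into the attribute: the first double quote
    // closes value="" early and the rest of the text becomes stray
    // attributes/markup, which is exactly the slot an injection targets.
    return '<input type="text" name="name" value="' . $value . '" />';
}

function render_safe(string $value): string
{
    // Quotes become &quot; / &#039;, so the browser keeps the entire
    // value inside the attribute and shows it unchanged to the user.
    return '<input type="text" name="name" value="' . prep_for_attribute($value) . '" />';
}

// Constructed sample input: harmless, contains no known attack pattern,
// so xss_clean() passes it through unchanged, but it still breaks the
// attribute when echoed raw.
$user_input = 'John "Jack" O\'Neil';

echo "Unsafe: " . render_unsafe($user_input) . "\n";
echo "Safe:   " . render_safe($user_input) . "\n";
```

In a CodeIgniter 1.x view the same step is 'value="<?php echo form_prep($this->input->post("name")); ?>"' after loading the form helper in the controller (or in autoload.php).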
This is something I have discussed with the CodeIgniter developers, and they do not feel it is necessary to change:
“All global_xss_filtering does is run the Input::xss_clean() filter on user input for you automatically. It does not make assumptions about where or how that data will be used, and it would be improper to always format the content as needed for use in a form field.”
I do not feel it is adequately documented that input needs further alteration after xss_clean(), especially when that requires loading a helper file. The Input class documentation does not mention this.
At first I thought I was making undue assumptions, but after a few quick injection tests on other CodeIgniter-based sites and projects, I realized I am not the only one making that assumption.
May 18th, 2009 at 11:57 pm
Ah, I am currently developing a small cms via CodeIgniter. Will keep this in mind
May 19th, 2009 at 6:24 pm
I just started with codeigniter about a month ago — thanks for the advice.
February 12th, 2010 at 11:59 am
Great article. Thanks.