This is something I have discussed with the codeigniter developers, and they do not feel it is necessary to change:

“All global_xss_filtering does is run the Input::xss_clean() filter on user input for you automatically. It does not make assumptions about where or how that data will be used, and it would be improper to always format the content as needed for use in a form field.”

I do not feel that it is adequately documented that you need to make further alterations to input after the xss_clean, especially when it includes loading a helper file. This is not mentioned in the documentation for the input class.

At first I thought I was making undue assumptions, but a few quick injection attempts on other codeigniter run sites / projects, I realize that I am not the only one assuming.

All web developers worth anything know this, but very often even the most experienced developer makes assumptions or simple mistakes that leave a dirty little hole which is ripe for pillaging.

I recently found a hole in an application which was caused by lazy / inadequate / ill-conceived input cleansing. The developers have been notified and will surely correct the problem shortly. I will release more detail regarding this when the issue has been resolved and a fix is in place. Of course, if you are a trusted dot-comrade I can fill you in before hand as requested. For everyone else, check out:

• The Anti-Samy Project
• The ha.ckers.org XSS (Cross Site Scripting) Cheat Sheet – Esp: for filter evasion
• Join the paranoid with NoScript