Quantify Cyber Risk Now

header ads

XSS Prevention in Codeigniter | Lucideus Research

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since we may not need it in all cases.


The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

In codeigniter we can filter data one by one through the XSS or malicious scripts we can use this function:

$data = $this->security->xss_clean($data);

$data="<script>alert(‘XSS Injection’)</script>";
echo $this->security->xss_clean($data);

[removed]alert('XSS Injection')[removed]

This function converts the malicious scripts into [removed] from the GET or POST request. However, In some of the cases we don't want to remove any of the string instead we want to show or display same string to the end-user. In such cases, instead of filtering out the malicious code we can convert into character entities. Codeigniter provide a common_helper function html_escape() to convert any data Type (array, string, boolean) into character entities form.

$data="<script>alert("XSS Injection")</script>";
echo html_escape($data);

&lt;script&gt;alert(&#039;XSS Injection&#039;)&lt;/script&gt;gt;

By using this approach, we can disarm XSS attacks keeping same html structure in the view form.

There is an another approach in codeigniter which filters automatically every time it encounters POST or COOKIE data. we can enable it by opening our application/config/config.php file and setting this:

$config['global_xss_filtering'] = TRUE;

The above approaches work same as $this->security->xss_clean to filter out malicious script from the string. However from Codeigniter 3 version, this approach is deprecated i.e not been effective for XSS prevention and it is highly advised not to depend on this for XSS prevention.


The codeigniter XSS prevention is effective but it requires developer thinking into choose correct method in all the situations. A single un-sanitised parameter can leads into a XSS attack onto the web-site.

There is a custom way in which we can tweek into codeigniter core library functions of fetching GET or POST data and sanitizes it from its request.

By default, we fetch any data from the post request using $this->input->post(‘param’). Now if we tweek the function post() in core library Input of codeigniter we can actually sanitize the post data.

We can modify post function from system/core/Input.php

In the above function, instead of returning raw $_POST request we can return the sanitized $_POST request. This function converts all the parameters present in the POST request into character entities form.

Now we can easily use $this->input->post(‘param’) for any parameter and by default it is sanitized from XSS attacks. Since this parameter is now character entities from we can directly load it into view files without any fear of XSS.

However, in any scenario we don't want sanitized data from post we can use it from raw $_POST request.

But in such cases, we need to prevent it from XSS manually before loading it into view files.

The codeigniter is great MVC framework to develop large scale web applications. But for a large web application, sometimes it is tough to prevent application from XSS attacks on every page. For such scenarios instead of manually xss_clean all the request parameters we can tweek codeigniter core library and modify request handling functions to return a XSS sanitized data.

By such custom functions, we can prevent XSS attacks globally. However, If we still want use raw data we can fetch it from raw $_POST request anytime. This kind of custom approaches reduce work overhead and prevent web application from XSS.

Post a comment