Reputation: 11
I just want to ask because I'm currently new to CodeIgniter, and based on the documentation shown on XSS Filtering, it says that:
By default it does not run globally since it requires a bit of processing overhead,
and since you may not need it in all cases.
What does this actually mean? Because I set up XSS filtering globally through config.php:
$config['global_xss_filtering'] = TRUE;
What does the documentation mean about the downside of doing the above instead of doing this?
$this->security->xss_clean()
Upvotes: 0
Views: 867
Reputation: 745
xss_clean() is extensive, and is also silly. 90% of this function does nothing to prevent XSS, such as looking for the word alert but not document.cookie. No hacker is going to use alert in their exploit; they are going to hijack the cookie with XSS or read a CSRF token to make an XHR.
However, running htmlentities() or htmlspecialchars() with it is nothing but redundant. A case where xss_clean() fixes the issue and htmlentities($text, ENT_COMPAT, 'UTF-8') fails is the following:
<?php
print "<img src='$var'>";
?>
A simple poc is:
http://localhost/xss.php?var=http://domain/some_image.gif'%20onload=alert(/xss/)
This will add the onload= event handler to the image tag. A method of stopping this form of XSS is htmlspecialchars($var, ENT_QUOTES); or, in this case, xss_clean() will also prevent this.
However, quoting from the xss_clean() documentation:
Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.
That being said, XSS is an output problem, not an input problem. For instance, this function cannot take into account that the variable is already within a <script> tag or event handler. It also doesn't stop DOM-based XSS. You need to take into consideration how you are using the data in order to use the best function. Filtering all the data on input is a bad practice. Not only is it insecure, but it also corrupts data, which can make comparisons difficult.
Upvotes: 1
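The answer's point that the encoder must match the output context, as an added example that is not part of the original answer (the $var value is a constructed sample of the same shape as the PoC above; no CodeIgniter code is involved):

```php
<?php
// Added example: the same attacker-controlled value rendered in the
// <img src='...'> attribute with three different treatments, plus the
// JavaScript context the answer says HTML entity encoding cannot cover.
// Constructed sample input, same shape as the PoC in the answer.
$var = "http://domain/some_image.gif' onload=alert(/xss/)";

// 1. Unencoded: the single quote closes src='' and the handler is injected.
$raw = "<img src='$var'>";

// 2. ENT_COMPAT encodes only double quotes, so the single quote survives
//    and the attribute is still broken out of.
$compat = "<img src='" . htmlentities($var, ENT_COMPAT, 'UTF-8') . "'>";

// 3. ENT_QUOTES encodes both quote styles; the single quote becomes &#039;
//    (default ENT_HTML401 doctype) and stays inside the attribute value.
$quotes = "<img src='" . htmlspecialchars($var, ENT_QUOTES, 'UTF-8') . "'>";

foreach (['raw' => $raw, 'ENT_COMPAT' => $compat, 'ENT_QUOTES' => $quotes] as $label => $html) {
    // Crude check for this one case: did a bare single quote survive and
    // let an onload= attribute land outside the src value?
    $broken = preg_match("/src='[^']*'[^>]*onload=/i", $html) === 1;
    printf("%-10s %s  %s\n", $label, $broken ? 'BROKEN' : 'safe', $html);
}

// 4. The same value inside <script> is a different context: &#039; is
//    literal text there, so HTML entity encoding neither helps nor applies.
//    A JSON/JS encoder keeps the value a single string literal; the HEX
//    flags also escape < > ' " & so the literal cannot close the script tag.
$js = "<script>var u = "
    . json_encode($var, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)
    . ";</script>";
echo $js, "\n";
```

Only the ENT_QUOTES line reports safe for the attribute context; the script-context line shows the value as a JS string literal, which is the "output problem" the answer describes.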