CodeIgniter santizing POST values

Question

I have a text area in which I am trying to add youtube embed code and other HTML tags. $this->input->post is converting the <iframe> tags to < and > respectively but not the <h1> and <h2> tags.

Any idea how I can store these values?

Answer 1

In this case, use $_POST instead of $this->input->post to get the original text area value, and then use HTML Purifier to clean the contents without losing the <iframe> tag you want.

You will need to check HTML Purifier documentation for details. Please, check this specific documentation page about "Embedding YouTube Videos".

Answer 2

If you only have a small number of forms that you need to allow iframes in, I would just write a function to restore the iframe (while validating that it's a valid YouTube embed code).

You can also turn off global_xss_filtering in your config (or not implement it if you're using it), but that's not the ideal solution (turning off all of your security to get one thing to work is generally a horrible idea).

$config['global_xss_filtering'] = FALSE;

To see all of the tags that get filtered out, look in the CI_Input class and search for the '$naughty' variable. You'll see a pipe-delimited list (don't change anything in this class).

Answer 3

Or you could either just ask for the video ID code or parse the code from what you are getting.

This would let you use both the URL or the embed code. Also storing just the ID takes less space in you database, and you could write a helper function to output the embed code/url.

Answer 4

Why don't you avoid CIs auto sanitizing and use something like htmlspecialchars($_POST['var']); ? Or make a helper function for sanitizing youtube urls...