XSS filtering cannot be disabled once the Controller has been initialized.
If you enable $config['global_xss_filtering'] = TRUE; in application/config/config.php, CodeIgniter runs XSS filtering on $_POST, $_GET and $_COOKIE before the Controllers, Models, etc. are initialized, so by the time your Controller gets control it has all already happened.
Although the proper solution is to disable $config['global_xss_filtering'] and run XSS filtering on specific variables as needed, there is a way to keep the raw (unfiltered) values somewhere for later use:
1) Set $config['enable_hooks'] to TRUE in application/config/config.php.
2) Insert the following into application/config/hooks.php:
    // 'params' is copied when this file is included, so the hook receives
    // copies of $_POST and $_GET as they were at that point.
    $hook['pre_controller'] = array(
        'class'    => '',
        'function' => 'keep_vars',
        'filename' => 'keep_vars.php',
        'filepath' => 'hooks',
        'params'   => array($_POST, $_GET)
    );
Note: we are using this hook to run the keep_vars() function before the controller is initialized (you may also want to consider using the 'pre_system' key).
3) Create keep_vars.php inside the application/hooks/ directory with the following content:
    <?php
    // Called by the hook with the copies of $_POST and $_GET defined in hooks.php.
    function keep_vars ($vars = array())
    {
        // Always define the global so the controller can rely on it being an array.
        global $pre_filter;
        $pre_filter = array();
        if (empty($vars)) return;
        foreach ($vars as $var) {
            if (is_array($var)) {
                // A key present in both $_POST and $_GET is overwritten by the later one ($_GET).
                $pre_filter = array_merge($pre_filter, $var);
            }
        }
    }
4) Finally, when you want to access a $_GET or $_POST variable in your controller, declare the global $pre_filter variable inside the method:
    class Foo extends CI_Controller {
        public function __construct()
        {
            parent::__construct();
        }
        public function bar ()
        {
            // define as global
            global $pre_filter;
            // inspect the values captured before XSS filtering ran
            print_r($pre_filter);
            // you can get access to the unfiltered $_POST['key'] by:
            if (isset($pre_filter['key'])) {
                // this is raw, attacker-controlled input: escape it before writing it into HTML
                echo htmlspecialchars($pre_filter['key'], ENT_QUOTES, 'UTF-8');
            }
        }
    }
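Putting the four steps together, here is an added example that is not part of the original answer. It keeps $_POST and $_GET in separate sub-arrays instead of merging them, so a key present in both sources is not silently overwritten, and the controller shows the filtered and the raw value side by side, escaping both before output. The hook file name keep_raw_input.php, the global $raw_input, the Comment controller and the body field are assumptions chosen for illustration; the load order described in the comments is that of CodeIgniter 2.x, so check system/core/CodeIgniter.php for your version.

```php
<?php
// --- application/config/hooks.php ---
// Assumes $config['enable_hooks'] = TRUE in application/config/config.php.
// The 'params' array is copied when this file is included by the Hooks class,
// which in CodeIgniter 2.x happens before the Input class sanitizes the
// superglobals, so the copies hold the unfiltered values.
$hook['pre_controller'] = array(
    'class'    => '',
    'function' => 'keep_raw_input',
    'filename' => 'keep_raw_input.php',            // assumed file name
    'filepath' => 'hooks',
    'params'   => array('post' => $_POST, 'get' => $_GET),
);

// --- application/hooks/keep_raw_input.php ---
// Keeps $_POST and $_GET in separate sub-arrays so that a key present in both
// is not overwritten, as array_merge() would do.
function keep_raw_input($vars = array())
{
    global $raw_input;
    $raw_input = array('post' => array(), 'get' => array());
    foreach (array('post', 'get') as $source) {
        if (isset($vars[$source]) && is_array($vars[$source])) {
            $raw_input[$source] = $vars[$source];
        }
    }
}

// --- application/controllers/comment.php --- (assumed controller and field names)
class Comment extends CI_Controller {

    public function submit()
    {
        global $raw_input;

        // Already passed through xss_clean() by global_xss_filtering before this
        // controller existed. xss_clean() is not output escaping, so it is still
        // escaped below.
        $filtered = (string) $this->input->post('body');

        // Untouched copy taken before the Input class ran; attacker-controlled.
        $raw = isset($raw_input['post']['body']) ? $raw_input['post']['body'] : '';

        // Escape both values for the HTML context they are written into. If the
        // raw value is stored, pass it through query bindings, never string concatenation.
        echo '<p>Filtered: ' . htmlspecialchars($filtered, ENT_QUOTES, 'UTF-8') . '</p>';
        echo '<p>Raw: ' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

Submitting a value such as <script>alert(1)</script> in the body field shows the difference: the filtered copy has been rewritten by xss_clean(), while the raw copy is exactly what the client sent. Keeping the raw copy is only safe if every place that consumes it applies the escaping or binding appropriate to its own context.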