Controller 初始化后无法禁用 XSS 过滤。
因为如果你启用$config['global_xss_filtering'] = TRUE; at config.php文件,CodeIgniter执行XSS过滤$_POST, $_GET, $_COOKIE初始化之前Controllers, Models and ...
所以当你可以访问Controller一切都已完成。
虽然解决方案是禁用$config['global_xss_filtering']并根据需要对特定变量运行 XSS 过滤,有一种方法可以将原始值(预过滤的)保留在某处以供以后使用:
1)设置$config['enable_hooks'] to TRUE at application/config.php.
2)将以下内容插入到application/config/hooks.php:
$hook['pre_controller'] = array(
'class' => '',
'function' => 'keep_vars',
'filename' => 'keep_vars.php',
'filepath' => 'hooks',
'params' => array($_POST, $_GET)
);
Note:我们正在使用这个Hook执行keep_vars()控制器初始化之前的函数(您可能还想考虑使用'pre_system' key).
3) Create keep_vars.php inside application/hooks/目录内容如下:
<?php
function keep_vars ($vars = array())
{
if (empty($vars)) return;
global $pre_filter;
$pre_filter = array();
foreach ($vars as $var) {
$pre_filter = array_merge($pre_filter, $var);
}
}
4)最后,当你想访问一个变量时$_GET or $_POST在您的控制器中,定义全局$pre_filter方法内的变量:
class Foo extends CI_Controller {
public function __construct()
{
parent::__construct();
}
public function bar ()
{
// define as global
global $pre_filter;
// check the pre XSS filtered values
print_r($pre_filter);
// you can get access to pre filtered $_POST['key'] by:
echo $pre_filter['key'];
}
}
