diff --git a/application/config/config.php b/application/config/config.php
index 2ca905486..1dbf2036b 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -12,6 +12,18 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 */
 $config['application_version'] = '3.0.0';
 
+/*
+|--------------------------------------------------------------------------
+| Internal to OSPOS XSS Clean
+|--------------------------------------------------------------------------
+|
+| This is to indicated whether we want XSS clean to be performed or not
+| By default it's enabled as it's assumed the installation has Internet access and needs to be protected,
+| however intranet only installations may not need this so they can set FALSE to improve performance
+|
+*/
+$config['ospos_xss_clean'] = TRUE;
+
 /*
 |--------------------------------------------------------------------------
 | Base Site URL
@@ -89,7 +101,7 @@ $config['url_suffix'] = '';
 | than english.
 |
 */
-$config['language'] = 'en';
+$config['language'] = 'en';
 
 /*
 |--------------------------------------------------------------------------
diff --git a/application/controllers/Secure_Controller.php b/application/controllers/Secure_Controller.php
index 9c588e801..2b59bd663 100644
--- a/application/controllers/Secure_Controller.php
+++ b/application/controllers/Secure_Controller.php
@@ -38,7 +38,17 @@ class Secure_Controller extends CI_Controller
 */
 protected function xss_clean($str, $is_image = FALSE)
 {
- return $this->security->xss_clean($str, $is_image);
+ // This setting is configurable in application/config/config.php.
+ // Users can disable the XSS clean for performance reasons
+ // (cases like intranet installation with no Internet access)
+ if($this->config->item('ospos_xss_clean') == FALSE)
+ {
+ return $str;
+ }
+ else
+ {
+ return $this->security->xss_clean($str, $is_image);
+ }
 }
 
 // this is the basic set of methods most OSPOS Controllers will implement
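Review bot: The new option's comment block in the first hunk has a typo and understates what the switch turns off: `| This is to indicated whether we want XSS clean to be performed or not` should read `| This indicates whether XSS cleaning is performed or not`, and an operator deciding to set FALSE should be told that it skips the input sanitisation every Secure_Controller-derived controller relies on, not just a performance feature. I would replace the two explanatory lines with wording along the lines of `| Set to FALSE only for trusted-network installations where input sanitisation is handled elsewhere; FALSE skips Secure_Controller::xss_clean() for all controllers.` The second hunk in this file rewrites `$config['language'] = 'en';` with no visible difference, presumably a whitespace fix, and needs no comment.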
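Review bot: The added guard `if($this->config->item('ospos_xss_clean') == FALSE)` fails open: CI_Config::item() returns NULL for a key that is not set, and `NULL == FALSE` is true, so an installation whose config.php predates this commit, or a deployment that drops the key, silently stops sanitising every controller's input even though the config comment says the default is enabled. The loose comparison also treats `0`, `''` and `'0'` as an opt-out. Only an explicit FALSE should skip the filter, so the condition should be `if ($this->config->item('ospos_xss_clean') === FALSE)`, and the `else` after the early `return $str;` can be dropped so the cleaning call is the straight-line path. It would also help operators to emit a single log_message() when the filter is disabled so the state shows up in the application log rather than only in a config diff. The enclosing class Secure_Controller continues outside the hunk.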