From 04fdbfb187884bca62efbb65fc031afbf68459ad Mon Sep 17 00:00:00 2001
From: FrancescoUK
Date: Tue, 21 Jun 2016 18:31:39 +0100
Subject: [PATCH] Made ospos XSS clean optional and configurable from application/config/config.php (#39)

Performance improves if set to FALSE but should be only for pure stand alone and isolated from Internet cases.
---
 application/config/config.php | 14 +++++++++++++-
 application/controllers/Secure_Controller.php | 12 +++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/application/config/config.php b/application/config/config.php
index 2ca905486..1dbf2036b 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -12,6 +12,18 @@ defined('BASEPATH') OR exit('No direct script access allowed');
 */
 $config['application_version'] = '3.0.0';
 
+/*
+|--------------------------------------------------------------------------
+| Internal to OSPOS XSS Clean
+|--------------------------------------------------------------------------
+|
+| This is to indicated whether we want XSS clean to be performed or not
+| By default it's enabled as it's assumed the installation has Internet access and needs to be protected,
+| however intranet only installations may not need this so they can set FALSE to improve performance
+|
+*/
+$config['ospos_xss_clean'] = TRUE;
+
 /*
 |--------------------------------------------------------------------------
 | Base Site URL
@@ -89,7 +101,7 @@ $config['url_suffix'] = '';
 | than english.
 |
 */
-$config['language'] = 'en';
+$config['language'] = 'en';
 
 /*
 |--------------------------------------------------------------------------
diff --git a/application/controllers/Secure_Controller.php b/application/controllers/Secure_Controller.php
index 9c588e801..2b59bd663 100644
--- a/application/controllers/Secure_Controller.php
+++ b/application/controllers/Secure_Controller.php
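Review bot: The explanatory block above `$config['ospos_xss_clean'] = TRUE;` ties the decision to Internet reachability, but XSS runs in the browser of whoever views the stored data, so an intranet-only installation with several cashier or admin accounts is still exposed once this is set to FALSE. I would reword the comment to state the trade-off plainly, e.g. `| Disabling this removes the input filtering done by Secure_Controller::xss_clean(); keep TRUE unless every user of this installation is fully trusted.` The same paragraph has a grammar slip, `This is to indicated` should read `This indicates`. The second hunk in this file only touches whitespace on the language line and needs no change.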
@@ -38,7 +38,17 @@ class Secure_Controller extends CI_Controller
 */
 protected function xss_clean($str, $is_image = FALSE)
 {
- return $this->security->xss_clean($str, $is_image);
+ // This setting is configurable in application/config/config.php.
+ // Users can disable the XSS clean for performance reasons
+ // (cases like intranet installation with no Internet access)
+ if($this->config->item('ospos_xss_clean') == FALSE)
+ {
+ return $str;
+ }
+ else
+ {
+ return $this->security->xss_clean($str, $is_image);
+ }
 }
 
 // this is the basic set of methods most OSPOS Controllers will implement
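Review bot: The guard `if($this->config->item('ospos_xss_clean') == FALSE)` fails open: when the key is absent or misspelled, `item()` returns NULL (CodeIgniter 3 behaviour, as far as I recall) and the loose `== FALSE` treats that as an opt-out, so an installation whose config.php was never updated with the new entry silently loses XSS cleaning. Comparing strictly, `if($this->config->item('ospos_xss_clean') === FALSE)`, keeps filtering on unless the operator explicitly set FALSE; the `else` block can then be dropped and `return $this->security->xss_clean($str, $is_image);` simply follow the `if`. The comment in the hunk should also say that skipping the clean is a security trade-off rather than only a performance option. xss_clean() fits entirely inside the hunk.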