The xss_clean() function does not remove all HTML, it removes/replaces specific things that are considered dangerous, like <script> tags.

The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.

Someone injecting a <p> tag into your page, while maybe not desired, is not really an effective attack. You'll have to specify what you want to do with it. In many cases, you will want HTML output that has been xss_clean()ed.

It sounds like you want either htmlspecialchars() or strip_tags() (note: these two very different things). If you want to encode the HTML, you can also use CI's html_escape():

echo html_escape($this->input->post('question'));
If you want HTML output and not entities, just use the XSS filter by itself:

echo $this->input->post('question', TRUE);
echo xss_clean($user_input); (edited)

  • 1
Reply Report

Related Questions

Trending Tags