From 4e0c208f24b0755c47905e17b82854c538a0c530 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 14 Dec 2016 13:23:06 +0200
Subject: Remove 'global_xss_filtering' config setting

---
 application/config/config.php | 14 ----------
 system/core/Input.php | 32 ++++++---------------
 system/helpers/cookie_helper.php | 3 +-
 user_guide_src/source/changelog.rst | 1 +
 user_guide_src/source/helpers/cookie_helper.rst | 2 +-
 user_guide_src/source/libraries/input.rst | 37 ++++++-------------------
 6 files changed, 20 insertions(+), 69 deletions(-)

diff --git a/application/config/config.php b/application/config/config.php
index 535f0f817..d37af34b7 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -396,20 +396,6 @@ $config['cookie_path'] = '/';
 $config['cookie_secure'] = FALSE;
 $config['cookie_httponly'] = FALSE;
 
-/*
-|--------------------------------------------------------------------------
-| Global XSS Filtering
-|--------------------------------------------------------------------------
-|
-| Determines whether the XSS filter is always active when GET, POST or
-| COOKIE data is encountered
-|
-| WARNING: This feature is DEPRECATED and currently available only
-| for backwards compatibility purposes!
-|
-*/
-$config['global_xss_filtering'] = FALSE;
-
 /*
 |--------------------------------------------------------------------------
 | Cross Site Request Forgery
diff --git a/system/core/Input.php b/system/core/Input.php
index a6be7b517..d4f79ee68 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -57,17 +57,6 @@ class CI_Input {
 	 */
 	protected $ip_address = FALSE;
 
-	/**
-	 * Enable XSS flag
-	 *
-	 * Determines whether the XSS filter is always active when
-	 * GET, POST or COOKIE data is encountered.
-	 * Set automatically based on config setting.
-	 *
-	 * @var bool
-	 */
-	protected $_enable_xss = FALSE;
-
 	/**
 	 * Enable CSRF flag
 	 *
@@ -119,7 +108,6 @@ class CI_Input {
 	 */
 	public function __construct()
 	{
-		$this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
 		$this->_enable_csrf = (config_item('csrf_protection') === TRUE);
 		$this->security =& load_class('Security', 'core');
 
@@ -154,10 +142,8 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL)
+	protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = FALSE)
 	{
-		is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
 		// If $index is NULL, it means that the whole $array is requested
 		isset($index) OR $index = array_keys($array);
 
@@ -217,7 +203,7 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	public function get($index = NULL, $xss_clean = NULL)
+	public function get($index = NULL, $xss_clean = FALSE)
 	{
 		return $this->_fetch_from_array($_GET, $index, $xss_clean);
 	}
@@ -231,7 +217,7 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	public function post($index = NULL, $xss_clean = NULL)
+	public function post($index = NULL, $xss_clean = FALSE)
 	{
 		return $this->_fetch_from_array($_POST, $index, $xss_clean);
 	}
@@ -245,7 +231,7 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	public function post_get($index, $xss_clean = NULL)
+	public function post_get($index, $xss_clean = FALSE)
 	{
 		return isset($_POST[$index])
 			? $this->post($index, $xss_clean)
@@ -261,7 +247,7 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	public function get_post($index, $xss_clean = NULL)
+	public function get_post($index, $xss_clean = FALSE)
 	{
 		return isset($_GET[$index])
 			? $this->get($index, $xss_clean)
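Review bot: Removing the `config_item('global_xss_filtering')` read from `__construct()` means an application whose config.php still sets that key to TRUE silently stops filtering every `get()`/`post()`/`cookie()` call on upgrade, because every default in this file is now FALSE and nothing on the new side reads the key any more. A one-line guard in the file's own idiom would make that regression visible in the logs without restoring the removed behaviour: `config_item('global_xss_filtering') !== TRUE OR log_message('error', 'global_xss_filtering has been removed; pass $xss_clean = TRUE per call instead');`. The same concern applies to the `_fetch_from_array()` hunk below, which no longer normalises a non-bool `$xss_clean`, and to `get_cookie()` in cookie_helper.php: a caller that explicitly passed NULL to mean "use the global" presumably now receives an unfiltered value. `__construct()`'s body continues outside the hunk.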
@@ -277,7 +263,7 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	public function cookie($index = NULL, $xss_clean = NULL)
+	public function cookie($index = NULL, $xss_clean = FALSE)
 	{
 		return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
 	}
@@ -291,7 +277,7 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	public function server($index, $xss_clean = NULL)
+	public function server($index, $xss_clean = FALSE)
 	{
 		return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
 	}
@@ -307,7 +293,7 @@ class CI_Input {
 	 * @param bool $xss_clean Whether to apply XSS filtering
 	 * @return mixed
 	 */
-	public function input_stream($index = NULL, $xss_clean = NULL)
+	public function input_stream($index = NULL, $xss_clean = FALSE)
 	{
 		// Prior to PHP 5.6, the input stream can only be read once,
 		// so we'll need to check if we have already done that first.
@@ -561,7 +547,7 @@ class CI_Input {
 	 *
 	 * @return string|null User Agent string or NULL if it doesn't exist
 	 */
-	public function user_agent($xss_clean = NULL)
+	public function user_agent($xss_clean = FALSE)
 	{
 		return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean);
 	}
diff --git a/system/helpers/cookie_helper.php b/system/helpers/cookie_helper.php
index ca4324495..f8943fde3 100644
--- a/system/helpers/cookie_helper.php
+++ b/system/helpers/cookie_helper.php
@@ -85,9 +85,8 @@ if ( ! function_exists('get_cookie'))
 	 * @param bool
 	 * @return mixed
 	 */
-	function get_cookie($index, $xss_clean = NULL)
+	function get_cookie($index, $xss_clean = FALSE)
 	{
-		is_bool($xss_clean) OR $xss_clean = (config_item('global_xss_filtering') === TRUE);
 		$prefix = isset($_COOKIE[$index]) ? '' : config_item('cookie_prefix');
 		return get_instance()->input->cookie($prefix.$index, $xss_clean);
 	}
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index a0f91a148..1a1b0d537 100644
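Review bot: The `get_cookie()` docblock in the cookie_helper.php hunk still carries a bare ` * @param bool` with no parameter name or description, so the second argument and its new FALSE default are documented only in the rst, while every sibling hunk in Input.php spells it out. Bring it in line with those: ` * @param bool $xss_clean Whether to apply XSS filtering`. The `function_exists('get_cookie')` wrapper and the docblock's opening lines start outside the hunk.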
--- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -12,6 +12,7 @@ Release Date: Not Released - Changed :doc:`URI Library ` to ignore the ``$config['url_suffix']``, ``$config['permitted_uri_chars']`` configuration settings for CLI requests. - Removed previously deprecated ``$config['allow_get_array']``. - Removed previously deprecated ``$config['standardize_newlines']``. + - Removed previously deprecated ``$config['global_xss_filtering']``. - Removed previously deprecated :doc:`Input Library ` method ``is_cli_request()`` (use :php:func:`is_cli()` instead). - Removed previously deprecated :doc:`Routing Class ` methods ``fetch_directory()``, ``fetch_class()`` and ``fetch_method()`` (use the respective class properties instead). - Removed previously deprecated :doc:`Config Library ` method ``system_url()`` (encourages insecure practices). diff --git a/user_guide_src/source/helpers/cookie_helper.rst b/user_guide_src/source/helpers/cookie_helper.rst index c9d2f419c..71e40a33c 100644 --- a/user_guide_src/source/helpers/cookie_helper.rst +++ b/user_guide_src/source/helpers/cookie_helper.rst @@ -42,7 +42,7 @@ The following functions are available: a description of its use, as this function is an alias for ``CI_Input::set_cookie()``. -.. php:function:: get_cookie($index[, $xss_clean = NULL]) +.. php:function:: get_cookie($index[, $xss_clean = FALSE]) :param string $index: Cookie name :param bool $xss_clean: Whether to apply XSS filtering to the returned value diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst index 8b816a567..1961e3e57 100644 --- a/user_guide_src/source/libraries/input.rst +++ b/user_guide_src/source/libraries/input.rst 
@@ -32,26 +32,6 @@ following: turned on. - Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters. -- Provides XSS (Cross-site Scripting Hacks) filtering. This can be - enabled globally, or upon request. - -XSS Filtering -============= - -The Input class has the ability to filter input automatically to prevent -cross-site scripting attacks. If you want the filter to run -automatically every time it encounters POST or COOKIE data you can -enable it by opening your *application/config/config.php* file and setting -this:: - - $config['global_xss_filtering'] = TRUE; - -Please refer to the :doc:`Security class ` documentation for -information on using XSS Filtering in your application. - -.. important:: The 'global_xss_filtering' setting is DEPRECATED and kept - solely for backwards-compatibility purposes. XSS escaping should - be performed on *output*, not *input*! ******************* Accessing form data @@ -126,7 +106,7 @@ Class Reference The property can be read multiple times. - .. php:method:: post([$index = NULL[, $xss_clean = NULL]]) + .. php:method:: post([$index = NULL[, $xss_clean = FALSE]]) :param mixed $index: POST parameter name :param bool $xss_clean: Whether to apply XSS filtering @@ -143,7 +123,6 @@ Class Reference The second optional parameter lets you run the data through the XSS filter. It's enabled by setting the second parameter to boolean TRUE - or by setting your ``$config['global_xss_filtering']`` to TRUE. :: $this->input->post('some_data', TRUE); @@ -169,7 +148,7 @@ Class Reference $this->input->post(array('field1', 'field2'), TRUE); - .. php:method:: get([$index = NULL[, $xss_clean = NULL]]) + .. php:method:: get([$index = NULL[, $xss_clean = FALSE]]) :param mixed $index: GET parameter name :param bool $xss_clean: Whether to apply XSS filtering 
@@ -202,7 +181,7 @@ Class Reference $this->input->get(array('field1', 'field2'), TRUE); - .. php:method:: post_get($index[, $xss_clean = NULL]) + .. php:method:: post_get($index[, $xss_clean = FALSE]) :param string $index: POST/GET parameter name :param bool $xss_clean: Whether to apply XSS filtering @@ -215,7 +194,7 @@ Class Reference $this->input->post_get('some_data', TRUE); - .. php:method:: get_post($index[, $xss_clean = NULL]) + .. php:method:: get_post($index[, $xss_clean = FALSE]) :param string $index: GET/POST parameter name :param bool $xss_clean: Whether to apply XSS filtering @@ -230,7 +209,7 @@ Class Reference .. note:: This method used to act EXACTLY like ``post_get()``, but it's behavior has changed in CodeIgniter 3.0. - .. php:method:: cookie([$index = NULL[, $xss_clean = NULL]]) + .. php:method:: cookie([$index = NULL[, $xss_clean = FALSE]]) :param mixed $index: COOKIE name :param bool $xss_clean: Whether to apply XSS filtering @@ -253,7 +232,7 @@ Class Reference function :php:func:`get_cookie()`, this method does NOT prepend your configured ``$config['cookie_prefix']`` value. - .. php:method:: server($index[, $xss_clean = NULL]) + .. php:method:: server($index[, $xss_clean = FALSE]) :param mixed $index: Value name :param bool $xss_clean: Whether to apply XSS filtering @@ -271,7 +250,7 @@ Class Reference $this->input->server(array('SERVER_PROTOCOL', 'REQUEST_URI')); - .. php:method:: input_stream([$index = NULL[, $xss_clean = NULL]]) + .. php:method:: input_stream([$index = NULL[, $xss_clean = FALSE]]) :param mixed $index: Key name :param bool $xss_clean: Whether to apply XSS filtering 
@@ -386,7 +365,7 @@ Class Reference Accepts an optional second string parameter of 'ipv4' or 'ipv6' to specify an IP format. The default checks for both formats. - .. php:method:: user_agent([$xss_clean = NULL]) + .. php:method:: user_agent([$xss_clean = FALSE]) :returns: User agent string or NULL if not set :param bool $xss_clean: Whether to apply XSS filtering -- cgit v1.2.3-24-g4f1b