[ci skip] Formally deprecate 'global_xss_filtering'

narfbg · narfbg · commit 9187ed3516ba · 2015-02-28T19:54:17.000+02:00
diff --git a/application/config/config.php b/application/config/config.php
@@ -404,6 +404,9 @@
 | Determines whether the XSS filter is always active when GET, POST or
 | COOKIE data is encountered
 |
+| WARNING: This feature is DEPRECATED and currently available only
+|          for backwards compatibility purposes!
+|
 */
 $config['global_xss_filtering'] = FALSE;
 
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
@@ -480,6 +480,7 @@ Release Date: Not Released
 
    -  :doc:`Input Library <libraries/input>` changes include:
 
+      -  Deprecated the ``$config['global_xss_filtering']`` setting.
       -  Added ``method()`` to retrieve ``$_SERVER['REQUEST_METHOD']``.
       -  Added support for arrays and network addresses (e.g. 192.168.1.1/24) for use with the *proxy_ips* setting.
       -  Added method ``input_stream()`` to aid in using **php://input** stream data such as one passed via PUT, DELETE and PATCH requests.
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
@@ -551,6 +551,22 @@ PHP's native ``hash()`` function. It is deprecated and scheduled for removal in
 .. note:: This function is still available, but you're strongly encouraged to remove its usage sooner
 	rather than later.
 
+The $config['global_xss_filtering'] setting
+===========================================
+
+As already explained above, XSS filtering should not be done on input data,
+but on output instead. Therefore, the ``$config['global_xss_filtering']``,
+which automatically filters *input* data, is considered a bad practice and
+is now deprecated.
+
+Instead, you should manually escape any user-provided data via the
+:php:func:`xss_clean()` function when you need to output it, or use a
+library like `HTML Purifier <http://htmlpurifier.org/>`_ that does that
+for you.
+
+.. note:: The setting is still available, but you're strongly encouraged to
+	remove its usage sooner rather than later.
+
 File helper read_file()
 =======================
 
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
@@ -53,6 +53,10 @@ this::
 Please refer to the :doc:`Security class <security>` documentation for
 information on using XSS Filtering in your application.
 
+.. important:: The 'global_xss_filtering' setting is DEPRECATED and kept
+	solely for backwards-compatibility purposes. XSS escaping should
+	be performed on *output*, not *input*!
+
 *******************
 Accessing form data
 *******************

Original file line number	Diff line number	Diff line change
`@@ -404,6 +404,9 @@`
`404`	`404`	`\| Determines whether the XSS filter is always active when GET, POST or`
`405`	`405`	`\| COOKIE data is encountered`
`406`	`406`	`\|`
	`407`	`+\| WARNING: This feature is DEPRECATED and currently available only`
	`408`	`+\| for backwards compatibility purposes!`
	`409`	`+\|`
`407`	`410`	`*/`
`408`	`411`	`$config['global_xss_filtering'] = FALSE;`
`409`	`412`