CodeIgniter is brilliant but I'm using it to develop a site where users need to be able to share their code for websites. Unfortunately, CodeIgniter has been doing the "right" thing by removing <script> tags from my user's inputs into the database, so when it's returned data looks like this:
[removed] User's data [removed]
However, I need my site to DISPLAY script tags but obviously not PARSE them. How can I get CodeIgniter or PHP to return <script> tags, but still sanitise them for the database and return them without them executing?
Thanks!
Jack
EDIT: By the way, it's not an option to use stuff like Markdown, everything has to output to copy-pastable code that could work with no modification somewhere else
So, you want script tags displaying, but you don't want them rendered by the browser?
If that's the case, then I would use a simple htmlspecialchars() function to parse the code and convert all of the <script> tags to <script>.
I believe a somewhat equivalent function in CodeIgniter is form_prep(), from the Form helper, but how it behaves outside of form elements I don't know. So the htmlspecialchars() function should do just what you are asking.
I agree with Tom, above, in that you will need to disable global XSS filtering if you don't want your form elements having script tags stripped before they are saved.