XSS stands for cross-site scripting. Codeigniter contains a cross-site scripting hack prevention filter. The XSS filter targets methods to trigger JavaScript or other types of suspicious code. If it detects anything, it converts the data to character entities.
XSS filtering uses xss_clean() method to filer data.
$data = $this->security->xss_clean($data);
There is an optional second parameter, is_image, which is used to test images for XSS attacks. When this parameter is set to TRUE, it doesn't return an altered string. Instead, it returns TRUE if an image is safe and FALSE if it contains malicious information.
if ($this->security->xss_clean($file, TRUE) === FALSE)
{
//file failed in xss test
}​
