Although not enabled by default, you can configure Fuel to filter all input ($_GET, $_POST and $_COOKIE) on every page request. To do so, configure the functions or methods to be used to filter them in the application's config/config.php file.
/**
* Security settings
*/
'security' => array(
'input_filter' => array(),
)
Anything that is callable in PHP and accepts a single value as parameter can be used for filtering purposes. This includes PHP functions like 'htmlentities', static class methods like '\\Security::xss_clean' or even object methods which are defined as array($object, 'method'). If you use an object method, make sure the object is available before Fuel is initialized, as input filtering happens very early in the request process.
