CodeIgniter 2.1 - 'xss_clean()' Filter Security Bypass
Author: Krzysztof Kotowicz
type: webapps
platform: php
port:
date_added: 2012-07-19
date_updated: 2015-07-08
verified: 1
codes: CVE-2012-1915;OSVDB-84453
tags:
aliases:
screenshot_url:
application_url:
source: https://www.securityfocus.com/bid/54620/info
CodeIgniter's xss_clean() filter is prone to a security-bypass vulnerability.
An attacker can craft input that passes xss_clean() unchanged but still executes as script in the browser, so any application that relies on the filter as its only defence against cross-site scripting can be attacked.
CodeIgniter versions prior to 2.1.2 are vulnerable.
Build a demo application on CodeIgniter 2.1.0 (one controller and one view):
// application/controllers/xssdemo.php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Xssdemo extends CI_Controller {
    public function index() {
        // The only sanitisation applied to the POST field is xss_clean().
        $data['xss'] = $this->security->xss_clean($this->input->post('xss'));
        $this->load->view('xssdemo', $data);
    }
}
// application/views/xssdemo.php
<form method="post">
    <textarea name="xss"><?php echo htmlspecialchars($xss); ?></textarea>
    <input type="submit" />
</form>
<p>XSS:</p>
<hr />
<?php echo $xss; // deliberately unescaped: whatever survives xss_clean() is rendered as HTML ?>
Launch http://app-uri/index.php/xssdemo and submit the bypass vectors in the textarea; anything that survives the filter is rendered below the rule.
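The demo above shows the real problem: the view trusts a blacklist filter and echoes its output raw. The script below is an added example (not code from the advisory or from CodeIgniter) that rebuilds that sink as a stand-alone PHP CLI program and puts a hardened sink beside it, where the defence is context-aware output encoding at the echo rather than any filtering on input. The function names, the SINK_PREFIX constant and naive_blacklist_filter() are assumptions made for the example; naive_blacklist_filter() is a constructed stand-in for a blacklist-style filter and is not CodeIgniter's xss_clean(), and the sample payloads are constructed inputs, not the vectors that bypass xss_clean() in 2.1.0.

```php
<?php
// Added example, not from the advisory or CodeIgniter. Run with: php xss_sink_demo.php
// naive_blacklist_filter() is a constructed stand-in for a blacklist filter, NOT
// xss_clean(); the $samples are constructed inputs, not the real bypass vectors.

// Encode for HTML body and attribute context. ENT_QUOTES also encodes the single
// quote, so the result is inert inside single-quoted attribute values too.
function html_escape_out($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Stand-in blacklist: strips <script> elements and inline on*= handlers only.
// Like any blacklist it knows nothing about the cases it was not written for.
function naive_blacklist_filter($s)
{
    $s = preg_replace('/<script\b[^>]*>.*?<\/script>/is', '[removed]', $s);
    return preg_replace('/\bon\w+\s*=/i', '[removed]', $s);
}

// Static markup emitted before the user-controlled value, as in the demo view.
const SINK_PREFIX = "<p>XSS:</p>\n<hr />\n";

// Mirrors the demo view: filtered input is echoed raw.
function render_unsafe($filtered)
{
    return SINK_PREFIX . $filtered;
}

// Hardened sink: encode at output, regardless of what happened upstream.
function render_safe($input)
{
    return SINK_PREFIX . html_escape_out($input);
}

// True when nothing after the static prefix can open a tag or break out of an
// attribute value, i.e. no raw <, >, " or ' reached the page.
function sink_is_inert($rendered)
{
    $body = substr($rendered, strlen(SINK_PREFIX));
    return preg_match('/[<>"\']/', $body) === 0;
}

// Constructed sample inputs: the first two are caught by the stand-in
// blacklist, the third is not. All three are inert after output encoding.
$samples = array(
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
    '<iframe src="javascript:alert(1)">',
);

foreach ($samples as $s) {
    $unsafe = render_unsafe(naive_blacklist_filter($s));
    $safe   = render_safe($s);
    printf("input : %s\n", $s);
    printf("unsafe: %s  [inert: %s]\n",
        substr($unsafe, strlen(SINK_PREFIX)), sink_is_inert($unsafe) ? 'yes' : 'no');
    printf("safe  : %s  [inert: %s]\n\n",
        substr($safe, strlen(SINK_PREFIX)), sink_is_inert($safe) ? 'yes' : 'no');
}
```

The check in sink_is_inert() is the one to keep in mind when reviewing a view: if the bytes that follow your static markup can still contain an unencoded <, > or quote, the page depends entirely on the input filter being perfect, which is exactly the assumption this advisory breaks. Treat xss_clean() as defence in depth and encode at every sink for the context it lands in (HTML body, attribute, URL, JavaScript string), since each context needs its own encoder.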