Codeigniter adds semi-colon when you use an ampersand in an input field

When a user had an ampersand character in their password they couldn't login to the website. This took me several hours to figure out what was happening.

Using codeigniter 2.02 on php 5.3.

In the config file you have the option of turning XSS Filtering on site wide, which on the outset looks like a good idea. However it has some side effects that can cause a few problems.

application/config/config.php

$config['global_xss_filtering'] = TRUE;

I've been implementing a new login system which uses

$username = htmlspecialchars($this->input->post('username'));

$password = hash('sha512', $salt . $this->input->post('password') . $pepper);

Now here comes the problem.

The input form goes through the form_validation->run() to check that the fields are not empty or too long etc

but if the password contains the ampersand such as

Tyu9&fgQnb

then the output becomes

Tyu9&fgQnb;

(note the semi-colon)

I for one want to encourage my users to have strong passwords.

The answer is of course not to have XSS on site wide.

$config['global_xss_filtering'] = FALSE;

and add xss_clean on a individual basis in the validation rules. It's probably important to add that I normally add strip_tags to these input types.

$this->form_validation->set_rules('username', 'Username', 'required|strip_tags|max_length[20]');

$this->form_validation->set_rules('password', 'Password', 'required|strip_tags|max_length[20]');