#2049 currently includes code to fix the bypass at the top of #1705, "xss_clean() doesn't."
I maintain that both the xss_clean() API and implementation (let alone the docs) are completely broken and must be removed, as described in #1705.
Here's the next bypass, if anyone is interested:
I agree - the whole design of xss_clean() doesn't allow it to be effective. However, I'm not that familiar with it either, so the most I can do is to wait for a proper alternative to become available in a pull request (at the very least, I don't think that EllisLab would be happy to have xss_clean() removed without another solution).
On a side note - I assume that you're opening new issues in order to gain more attention, but that's not really helping. Please just add further info as a comment on #1705 - it's really hard to follow otherwise, and the issue titles aren't really that descriptive anyway.
Yes, it was partly to make a point. It does mean there's something to refer to individual problems, if that's how the active developers wished to treat them. (And to give Brian credit for patching :).
If you're happy consider #1705 as a general issue which wants a general fix, that's fine. I don't know that it'll make it much easier to track, but I certainly don't wish to spam you without permission.
It's just that xss_clean() doesn't really doesn't say anything other than "this is related to xss_clean()". We have to click on those issues in order to see what they actually are and it's not like everybody's excited to do that - it seems to be just us two at this point.
If it's nicely formatted - it would be way more useful in one place. :)
Three of us.. ;)
I think that a blacklist based method will always be further behind the curve than a whitelist method. I feel that xss_clean() can be redone using a tested (and open source) whitelist method like html purifier (http://htmlpurifier.org/comparison).