Kenneth Vogt - 02 May 2012 02:48 PM
Is there any down side to adding the following to application/config/config.php?
$config['global_xss_filtering'] = TRUE;
$config['csrf_protection'] = TRUE;
I am kind of surprised that this is not the default, so I thought I would ask why it is not.
Yes, there are some downsides. With CSRF, I consider what happens when a post fails to be unacceptable. I use my own CSRF library. With global xss filtering, you are using extra system resources, sometimes for nothing. For instance, if you have a bunch of integer values that are posted, you don't need to use xss clean on them. Some of the forms I work on have a couple hundred or more fields. Running xss clean on all of them doesn't make sense.
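As an added illustration of the selective approach described in the reply above (this is example code written for this page, not code from the thread or from CodeIgniter itself, and it uses CodeIgniter's built-in CSRF protection rather than the replier's own library): keep `global_xss_filtering` off, keep `csrf_protection` on so `form_open()` emits the token, validate numeric fields with the `integer` rule and cast them, and run `xss_clean` only on the free-text fields that can actually carry markup. The controller, its field names and the `order_form` view are hypothetical.

```php
<?php
// application/config/config.php (only the lines relevant here).
// Leaving global_xss_filtering off means nothing is filtered unless a
// controller asks for it; csrf_protection on makes form_open() add the
// hidden token and makes the Security library verify it on every POST.
$config['global_xss_filtering'] = FALSE;
$config['csrf_protection']      = TRUE;
$config['csrf_token_name']      = 'csrf_test_name';   // hidden field name
$config['csrf_cookie_name']     = 'csrf_cookie_name'; // cookie that carries the hash
$config['csrf_expire']          = 7200;               // token lifetime in seconds

// Caveat from the reply above: with the built-in library, a POST whose token
// is missing or stale is answered with show_error('The action you have
// requested is not allowed.'), a 403 page, and the submitted data is lost.

// application/controllers/order.php -- hypothetical controller for this example.
class Order extends CI_Controller {

    public function form()
    {
        $this->load->helper('form');
        // form_open() emits <input type="hidden" name="csrf_test_name" value="...">
        // automatically while csrf_protection is TRUE; no per-form code needed.
        $this->load->view('order_form');
    }

    public function submit()
    {
        $this->load->library('form_validation');
        $this->load->helper('form');

        // Numeric fields: the 'integer' rule rejects anything that is not an
        // integer string, so xss_clean would only burn CPU on them. The cast
        // below makes that explicit and is cheaper than the filter.
        $this->form_validation->set_rules('quantity',   'Quantity', 'required|integer');
        $this->form_validation->set_rules('product_id', 'Product',  'required|integer');

        // Free text is the one place markup can arrive; filter only here.
        $this->form_validation->set_rules('note', 'Note', 'trim|max_length[500]|xss_clean');

        if ($this->form_validation->run() === FALSE)
        {
            // Redisplay with validation_errors(); the CSRF token is regenerated
            // by form_open() on the re-rendered page.
            $this->load->view('order_form');
            return;
        }

        // No second argument: xss_clean is NOT applied to these reads.
        $quantity   = (int) $this->input->post('quantity');
        $product_id = (int) $this->input->post('product_id');

        // Second argument TRUE applies xss_clean to this single field only.
        $note = $this->input->post('note', TRUE);

        // ... persist $quantity, $product_id, $note ...
    }

    // For AJAX callers that cannot use form_open(), expose the current token so
    // the client can send it back as a POST field named csrf_test_name.
    public function token()
    {
        $this->output->set_content_type('application/json');
        $this->output->set_output(json_encode(array(
            'name' => $this->security->get_csrf_token_name(),
            'hash' => $this->security->get_csrf_hash(),
        )));
    }
}
```

The cost argument in the reply is what drives the layout: with `global_xss_filtering` on, every one of a few hundred posted fields goes through `xss_clean` before the controller runs, whereas here the filter runs once, on the one field that needs it, and the integer fields are rejected or cast without it.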