CodeIgniters\' Security Class directly manipulates your Globals such as $_POST and it finds file() and file () to be a
$_POST
file()
file ()
According to the user guide, you can get rid of this by setting
$config['global_xss_filtering'] = FALSE;
Or just remove this line.
IMHO, it's a design failure to modify the $_POST array, but there you go.