Public Member Functions

    __construct ()
    csrf_verify ()
    csrf_set_cookie ()
    csrf_show_error ()
    get_csrf_hash ()
    get_csrf_token_name ()
    xss_clean ($str, $is_image = FALSE)
    xss_hash ()
    entity_decode ($str, $charset = 'UTF-8')
    sanitize_filename ($str, $relative_path = FALSE)

Protected Member Functions

    _compact_exploded_words ($matches)
    _remove_evil_attributes ($str, $is_image)
    _sanitize_naughty_html ($matches)
    _js_link_removal ($match)
    _js_img_removal ($match)
    _convert_attribute ($match)
    _filter_attributes ($str)
    _decode_entity ($match)
    _validate_entities ($str)
    _do_never_allowed ($str)
    _csrf_set_hash ()

Protected Attributes

    $_xss_hash = ''
    $_csrf_hash = ''
    $_csrf_expire = 7200
    $_csrf_token_name = 'ci_csrf_token'
    $_csrf_cookie_name = 'ci_csrf_token'
    $_never_allowed_str
    $_never_allowed_regex
__construct ()

    Constructor

_compact_exploded_words ($matches)   [protected]

    Compact Exploded Words
    Callback function for xss_clean() to remove whitespace from things like "j a v a s c r i p t".
    Parameters: $matches

_convert_attribute ($match)   [protected]

    Attribute Conversion
    Used as a callback for XSS Clean.
    Parameters: $match (array)

_csrf_set_hash ()   [protected]

    Set Cross Site Request Forgery Protection Cookie

_decode_entity ($match)   [protected]

    HTML Entity Decode Callback
    Used as a callback for XSS Clean.
    Parameters: $match (array)

_filter_attributes ($str)   [protected]

    Filter Attributes
    Filters tag attributes for consistency and safety.
    Parameters: $str (string)

_js_img_removal ($match)   [protected]

    JS Image Removal
    Callback function for xss_clean() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings.
    Parameters: $match (array)

_js_link_removal ($match)   [protected]

    JS Link Removal
    Callback function for xss_clean() to sanitize links. This limits the PCRE backtracks, making it more performance friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.
    Parameters: $match (array)

_sanitize_naughty_html ($matches)   [protected]

    Sanitize Naughty HTML
    Callback function for xss_clean() to remove naughty HTML elements.
    Parameters: $matches (array)
csrf_set_cookie ()

    Set Cross Site Request Forgery Protection Cookie

csrf_show_error ()

    Show CSRF Error

csrf_verify ()

    Verify Cross Site Request Forgery Protection

entity_decode ($str, $charset = 'UTF-8')

    HTML Entities Decode
    This function is a replacement for html_entity_decode().
    The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.
    Parameters: $str (string), $charset (string)
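The semicolon problem described above, worked through as an added example that is not CodeIgniter's own entity_decode() implementation: entities that a browser would still honour without a trailing semicolon are terminated first, so that html_entity_decode() sees only well-formed entities. It assumes PHP 7 or later; the function name decode_lenient_entities and the sample string are my own.

```php
<?php
// Added example, not CodeIgniter's entity_decode(): decode HTML entities the
// way a browser does, accepting the missing trailing ';' that
// html_entity_decode() alone rejects. Function name and sample are assumptions.

function decode_lenient_entities(string $str, string $charset = 'UTF-8'): string
{
    // Nothing to decode without an ampersand.
    if (strpos($str, '&') === false) {
        return $str;
    }
    $flags = ENT_QUOTES | ENT_HTML5;

    // Known entity names for this charset, flipped to '&amp;' => '&'. Checking
    // the name before adding ';' keeps unknown text such as "&bogus" untouched.
    static $known = null;
    if ($known === null) {
        $known = array_flip(get_html_translation_table(HTML_ENTITIES, $flags, $charset));
    }

    // 1. Named entities without ';' (&amp, &lt, &copy ...): terminate them only
    //    when the name is a real entity and is not followed by more name chars.
    $str = preg_replace_callback(
        '/&([A-Za-z][A-Za-z0-9]{1,31})(?![A-Za-z0-9;])/',
        static function (array $m) use ($known): string {
            $candidate = '&' . $m[1] . ';';
            return isset($known[$candidate]) ? $candidate : $m[0];
        },
        $str
    );

    // 2. Numeric entities without ';' (&#169, &#xA9 ...): always terminate.
    $str = preg_replace('/&#(x[0-9A-Fa-f]{1,6}|[0-9]{1,7})(?![0-9A-Za-z;])/', '&#$1;', $str);

    // 3. With every entity terminated, PHP's decoder does the actual work.
    return html_entity_decode($str, $flags, $charset);
}

// Constructed sample: well-formed and semicolon-less entities side by side.
$sample = 'Tom &amp Jerry &lt;3 &copy 2012 = &#169 2012 = &#xA9 2012; &bogus stays';
echo decode_lenient_entities($sample), PHP_EOL;
```

Decoding input this way before a filter inspects it matters because the filter then sees the same markup the browser would render, rather than a form that only looks harmless.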
get_csrf_hash ()

    Get CSRF Hash
    Getter Method

get_csrf_token_name ()

    Get CSRF Token Name
    Getter Method

sanitize_filename ($str, $relative_path = FALSE)

    Filename Security
    Parameters: $str (string), $relative_path (bool)

xss_clean ($str, $is_image = FALSE)

    XSS Clean
    Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work, but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.
    Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.
    This function was based in part on some code and ideas I got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention
    To help develop this script I used this great list of vulnerabilities, along with a few other hacks I've harvested from examining vulnerabilities in other programs: http://ha.ckers.org/xss.html
    Parameters: $str (mixed: string or array), $is_image (bool)

xss_hash ()

    Random Hash for protecting URLs