Properties

$_xss_hash

$_xss_hash : string

Random Hash for protecting URLs

Type

string

$_csrf_hash

$_csrf_hash : string

Random Hash for Cross Site Request Forgery Protection Cookie

Type

string

$_csrf_expire

$_csrf_expire : integer

Expiration time for the Cross Site Request Forgery Protection Cookie, in seconds. Defaults to two hours (7200 seconds).

Type

integer

$_csrf_token_name

$_csrf_token_name : string

Token name for Cross Site Request Forgery Protection Cookie

Type

string

$_csrf_cookie_name

$_csrf_cookie_name : string

Cookie name for Cross Site Request Forgery Protection Cookie

Type

string

$_never_allowed_str

$_never_allowed_str : array

List of never allowed strings

Type

array

$_never_allowed_regex

$_never_allowed_regex : array

List of never allowed regex replacements

Type

array

Methods

__construct()

__construct() : void

Constructor

csrf_verify()

csrf_verify() : object

Verify Cross Site Request Forgery Protection. For POST requests the token submitted with the form must match the value carried in the CSRF cookie; if either is missing or they differ, csrf_show_error() is called. Other request methods only get the cookie set.

Returns

object

csrf_set_cookie()

csrf_set_cookie() : object

Set Cross Site Request Forgery Protection Cookie

Returns

object

csrf_show_error()

csrf_show_error() : void

Show CSRF Error

get_csrf_hash()

get_csrf_hash() : string

Get CSRF Hash

Getter Method

Returns

string —

self::_csrf_hash

get_csrf_token_name()

get_csrf_token_name() : string

Get CSRF Token Name

Getter Method

Returns

string —

self::_csrf_token_name
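The check that csrf_verify() performs, with the token rendered into a form through the two getters above, written stand-alone so the flow can be run outside the framework. This is an added example, not CodeIgniter code: csrf_issue(), csrf_check() and csrf_hidden_field() are hypothetical names, the constant values are assumed, and the array `$cookies` stands in for $_COOKIE/setcookie(). Requires PHP 7 for random_bytes() and hash_equals().

```php
<?php
// Added example, not CodeIgniter code: a stand-alone version of the
// double-submit cookie check that csrf_verify() performs. Function names are
// hypothetical; the constants mirror the class properties (values assumed).

const CSRF_TOKEN_NAME  = 'csrf_test_name';   // cf. $_csrf_token_name  (value assumed)
const CSRF_COOKIE_NAME = 'csrf_cookie_name'; // cf. $_csrf_cookie_name (value assumed)
const CSRF_EXPIRE      = 7200;               // cf. $_csrf_expire: two hours in seconds

// Generate a fresh 32-hex-char token from a CSPRNG and store it as the cookie
// value. $cookies stands in for $_COOKIE / setcookie() so the example runs offline.
function csrf_issue(array &$cookies)
{
    $hash = bin2hex(random_bytes(16));
    $cookies[CSRF_COOKIE_NAME] = $hash;
    // In a real response, also send it, for example:
    // setcookie(CSRF_COOKIE_NAME, $hash, time() + CSRF_EXPIRE, '/', '', $over_https, true);
    // The form gets the value server-side, so the cookie can stay HttpOnly.
    return $hash;
}

// Mirror of the csrf_verify() decision: non-POST requests only get a cookie;
// POST requests must carry the same token in the form field and the cookie.
function csrf_check($method, array $post, array &$cookies)
{
    if (strtoupper($method) !== 'POST') {
        if (!isset($cookies[CSRF_COOKIE_NAME])) {
            csrf_issue($cookies);
        }
        return true;
    }
    if (!isset($post[CSRF_TOKEN_NAME], $cookies[CSRF_COOKIE_NAME])) {
        return false;                          // token missing on either side
    }
    $given    = $post[CSRF_TOKEN_NAME];
    $expected = $cookies[CSRF_COOKIE_NAME];
    // Reject arrays (name[]=x) and malformed tokens, then compare in constant time.
    if (!is_string($given) || !is_string($expected)
        || !preg_match('/^[0-9a-f]{32}$/', $expected)
        || !hash_equals($expected, $given)) {
        return false;
    }
    // Rotate after a successful check, as csrf_verify() regenerates the hash.
    csrf_issue($cookies);
    return true;
}

// Hidden field for the form. In a CodeIgniter view the same two values come
// from $this->security->get_csrf_token_name() and get_csrf_hash().
function csrf_hidden_field($hash)
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
         . htmlspecialchars($hash, ENT_QUOTES, 'UTF-8') . '">';
}

// Walk-through with a constructed cookie jar
$cookies = array();
$token   = csrf_issue($cookies);
echo csrf_hidden_field($token), "\n";
var_dump(csrf_check('POST', array(CSRF_TOKEN_NAME => $token), $cookies));      // matching token and cookie
var_dump(csrf_check('POST', array(CSRF_TOKEN_NAME => $token), $cookies));      // same token again: rotated by the previous check
var_dump(csrf_check('POST', array(CSRF_TOKEN_NAME => array('x')), $cookies));  // array instead of string
var_dump(csrf_check('GET', array(), $cookies));                                // read request: cookie only, no check
```

Two points the class's own checks depend on: the comparison must be exact and constant-time (hash_equals() rather than `==`, which also rules out type juggling on a non-string value), and the double-submit pattern only holds if an attacker cannot set cookies for the application's host, so the cookie should carry the Secure flag on HTTPS sites and untrusted sibling subdomains should not exist.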

xss_clean()

xss_clean(  $str,   $is_image = FALSE) : string

XSS Clean

Sanitizes data so that Cross Site Scripting (XSS) attacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: This function should only be used to deal with data upon submission; it is not something that should be used for general runtime processing. It is an input filter, and it does not replace context-appropriate output escaping (for example htmlspecialchars() when echoing a value into HTML).

This function was based in part on some code and ideas I got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: http://ha.ckers.org/xss.html

Parameters

$str
$is_image

Returns

string
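To show what "filtering at submission" means in practice, and why output escaping is still needed afterwards, here is a cut-down filter in the style of xss_clean() followed by the escaping step. This is an added example and not the project's code: the function names, the deny lists and the payload are constructed for the example, and the regexes are simplified (they assume no `>` inside quoted attribute values).

```php
<?php
// Added example, not CodeIgniter code: a cut-down input filter in the style of
// xss_clean() (compact exploded keywords, strip event-handler attributes,
// replace never-allowed strings), followed by the output escaping that such a
// filter does not replace. Function names and deny lists are constructed here.

// Rejoin "j a v a s c r i p t" style spacing so later checks see the keyword.
function compact_exploded_words($str)
{
    $words = array('javascript', 'expression', 'vbscript', 'script', 'applet',
                   'alert', 'document', 'write', 'cookie', 'window');
    foreach ($words as $word) {
        // builds j\s*a\s*v...t ; the trailing (\W) keeps "s c r i p t u r e" intact
        $spaced = implode('\s*', str_split($word));
        $str = preg_replace_callback('#(' . $spaced . ')(\W)#is', function ($m) {
            return preg_replace('/\s+/', '', $m[1]) . $m[2];
        }, $str);
    }
    return $str;
}

// Drop on*= attributes (onclick, onmouseover, ...) from every tag.
function remove_event_handlers($str)
{
    return preg_replace_callback('#<[^>]+>#s', function ($m) {
        return preg_replace('#\s+on\w+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)#is', '', $m[0]);
    }, $str);
}

// Replace strings that have no legitimate place in user content.
function do_never_allowed($str)
{
    $never_str = array(                       // constructed, cf. $_never_allowed_str
        'document.cookie' => '[removed]',
        'document.write'  => '[removed]',
        '.parentNode'     => '[removed]',
        '.innerHTML'      => '[removed]',
        '<!--'            => '&lt;!--',
        '-->'             => '--&gt;',
        '<![CDATA['       => '&lt;![CDATA[',
    );
    $never_regex = array(                     // constructed, cf. $_never_allowed_regex
        '#javascript\s*:#is',
        '#vbscript\s*:#is',
        '#expression\s*(\(|&\#40;)#is',       // CSS expression()
    );
    $str = str_replace(array_keys($never_str), array_values($never_str), $str);
    return preg_replace($never_regex, '[removed]', $str);
}

function xss_filter($str)
{
    $str = compact_exploded_words($str);
    $str = remove_event_handlers($str);
    return do_never_allowed($str);
}

// Constructed payload: spaced-out scheme, event handler, cookie access
$input  = '<a href="j a v a s c r i p t:alert(document.cookie)" onmouseover="alert(1)">click</a>';
$stored = xss_filter($input);            // what would be saved at submission time

// Filtering at submission is defence in depth; when the stored value is echoed
// into HTML it still needs context-appropriate escaping.
echo $stored, "\n";
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Each stage only matters because the next one would otherwise be blind to the payload: compaction makes `javascript:` visible to the deny list, the tag-level pass removes every `on*` attribute in one tag rather than just the first, and the never-allowed replacements run last on the normalised text. If the application intends to render user-supplied HTML, a whitelist-based HTML sanitiser is the appropriate tool; if it does not, the escaping on the last line is what makes the output inert regardless of what the filter missed.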

xss_hash()

xss_hash() : string

Random Hash for protecting URLs

Returns

string

entity_decode()

entity_decode(  $str,   $charset = 'UTF-8') : string

HTML Entities Decode

This function is a replacement for html_entity_decode()

The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

Parameters

$str
$charset

Returns

string
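A decoder that accepts the semicolon-less entities browsers tolerate, so that a filter running afterwards sees what the browser would render. This is an added example, not CodeIgniter's entity_decode(): the function name is hypothetical, the approach (complete the entity, then hand it to html_entity_decode()) is one way to meet the requirement above, and UTF-8 output is assumed.

```php
<?php
// Added example, not CodeIgniter's entity_decode(): a decoder that accepts the
// semicolon-less entities browsers tolerate. The function name is hypothetical
// and UTF-8 output is assumed.

function entity_decode_lenient($str)
{
    if (strpos($str, '&') === false) {
        return $str;                                 // nothing to decode
    }

    // Hex numeric entities: &#x6A; or &#x6A. The lookahead refuses to stop in
    // the middle of a digit run, so "&#x6AB" is not mistaken for "&#x6A" + "B".
    $str = preg_replace('/&#x([0-9a-f]{1,6})(?![0-9a-f;])/i', '&#x$1;', $str);

    // Decimal numeric entities: &#106; or &#106
    $str = preg_replace('/&#([0-9]{1,7})(?![0-9;])/', '&#$1;', $str);

    // Named entities: &lt; or &lt. Only add the semicolon for names PHP knows,
    // so stray text such as "&foo" is left untouched.
    $str = preg_replace_callback('/&([a-z][a-z0-9]*)(?![a-z0-9;])/i', function ($m) {
        $candidate = '&' . $m[1] . ';';
        $decoded   = html_entity_decode($candidate, ENT_QUOTES, 'UTF-8');
        return $decoded === $candidate ? $m[0] : $candidate;
    }, $str);

    // Everything is now well-formed; the standard decoder does the rest.
    return html_entity_decode($str, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: each hides a character behind an entity that a plain
// html_entity_decode() call would leave encoded.
$samples = array(
    '&#106avascript:alert(1)',    // decimal, no ';'
    '&#x6A;avascript:alert(1)',   // hex, with ';'
    '&lt;script&gt',              // named, second ';' missing
    'Tom &amp Jerry &foo',        // unknown name stays as-is
);
foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, entity_decode_lenient($s));
}
```

Decoding is deliberately lossy in the safe direction: `&lt;script&gt;`, harmless as text, becomes `<script>`. That is why it belongs at the front of a filter pipeline, before the checks, and not on data that is about to be sent to the browser.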

sanitize_filename()

sanitize_filename(  $str,   $relative_path = FALSE) : string

Filename Security

Parameters

$str
$relative_path

Returns

string
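Filename sanitisation of this kind needs two things a practitioner should check: the stripping must be repeated until the string stops changing, and the final path should be confirmed against the real filesystem. The following is an added example, not CodeIgniter's sanitize_filename(): the function names and the deny list are constructed here, and path_stays_inside() assumes the target directory already exists.

```php
<?php
// Added example, not CodeIgniter's sanitize_filename(): strip traversal and
// markup sequences from a user-supplied filename, repeat until the result is
// stable, and then confirm with realpath() that the name stays inside the
// upload directory. Function names and the deny list are constructed here.

function strip_filename($str, $relative_path = false)
{
    // Constructed deny list: traversal, path separators (unless a relative path
    // is wanted), markup and shell metacharacters, and their URL-encoded forms.
    $bad = array('../', '<!--', '-->', '<', '>', "'", '"', '&', '$', '#', '{', '}',
                 '[', ']', '=', ';', '?', '%20', '%22', '%3c', '%253c', '%3e',
                 '%28', '%29', '%26', '%24', '%3f', '%3b', '%3d');
    if (!$relative_path) {
        $bad[] = './';
        $bad[] = '/';
    }
    // Control characters, NUL included (NUL terminates the path in C-level calls)
    $str = preg_replace('/[\x00-\x1F\x7F]/', '', $str);
    // One str_replace() pass is not enough: "....//" loses one "../" and the
    // surviving characters reassemble into "../". Loop until nothing changes.
    do {
        $old = $str;
        $str = str_replace($bad, '', $str);
    } while ($old !== $str);
    return stripslashes($str);
}

// Defence in depth: the filesystem's own view must agree. Requires the target
// directory to exist; an unresolvable path fails closed.
function path_stays_inside($base_dir, $name)
{
    $base = realpath($base_dir);
    $dir  = realpath(dirname($base_dir . DIRECTORY_SEPARATOR . $name));
    return $base !== false && $dir !== false
        && strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) === 0;
}

// Constructed inputs
$names = array('report.pdf', '....//....//etc/passwd', "evil\0.php", 'a/b/../../x');
foreach ($names as $n) {
    printf("%-26s -> %s\n", addcslashes($n, "\0"), strip_filename($n));
}

$uploads = sys_get_temp_dir();
var_dump(path_stays_inside($uploads, strip_filename('../../etc/passwd')));  // stripped name cannot leave $uploads
var_dump(path_stays_inside($uploads, '../../etc/passwd'));                  // raw name resolves outside
```

With `$relative_path` false every separator is removed, so the stripped name can never address another directory; the realpath() check is the independent confirmation, and it also catches symlinks inside the upload directory that point elsewhere.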

_compact_exploded_words()

_compact_exploded_words(  $matches) : string

Compact Exploded Words

Callback function for xss_clean() to remove whitespace from things like j a v a s c r i p t

Parameters

$matches

Returns

string

_remove_evil_attributes()

_remove_evil_attributes(  $str,   $is_image) : string

Remove Evil HTML Attributes

Removes attributes such as event handlers (on*) and style from tags. Helper for xss_clean().

Parameters

$str
$is_image

Returns

string

_sanitize_naughty_html()

_sanitize_naughty_html(  $matches) : string

Sanitize Naughty HTML

Callback function for xss_clean() to remove naughty HTML elements

Parameters

$matches

Returns

string

_js_link_removal()

_js_link_removal(  $match) : string

JS Link Removal

Callback function for xss_clean() to sanitize links. This limits the PCRE backtracks, making it more performance friendly and preventing PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.

Parameters

$match

Returns

string

_js_img_removal()

_js_img_removal(  $match) : string

JS Image Removal

Callback function for xss_clean() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly and preventing PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings.

Parameters

$match

Returns

string

_convert_attribute()

_convert_attribute(  $match) : string

Attribute Conversion

Used as a callback for XSS Clean

Parameters

$match

Returns

string

_filter_attributes()

_filter_attributes(  $str) : string

Filter Attributes

Filters tag attributes for consistency and safety

Parameters

$str

Returns

string

_decode_entity()

_decode_entity(  $match) : string

HTML Entity Decode Callback

Used as a callback for XSS Clean

Parameters

$match

Returns

string

_validate_entities()

_validate_entities(  $str) : string

Validate URL entities

Called by xss_clean()

Parameters

$str

Returns

string

_do_never_allowed()

_do_never_allowed(  $str) : string

Do Never Allowed

A utility function for xss_clean()

Parameters

$str

Returns

string

_csrf_set_hash()

_csrf_set_hash() : string

Set the Cross Site Request Forgery Protection hash. Reuses the value already carried in the CSRF cookie for this request when one is present; otherwise generates a new random hash. Returns the hash.

Returns

string