PHP Class XSS_Clean, Zebra_Form

@package XSS_Clean
Author: EllisLab Dev Team @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/) @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) @link http://codeigniter.com
Show file Open project: stefangabos/zebra_form

Public Properties

Property Type Description
$_never_allowed_regex array List of never allowed regex replacement
$_never_allowed_str array List of never allowed strings
$_xss_hash string Random Hash for protecting URLs

Public Methods

Method Description
_compact_exploded_words ( $matches ) : string Compact Exploded Words
_convert_attribute ( $match ) : string Attribute Conversion
_decode_entity ( $match ) : string HTML Entity Decode Callback
_do_never_allowed ( $str ) : string Do Never Allowed
_filter_attributes ( $str ) : string Filter Attributes
_js_img_removal ( $match ) : string JS Image Removal
_js_link_removal ( $match ) : string JS Link Removal
_remove_evil_attributes ( string $str, boolean $is_image ) : string Remove Evil HTML Attributes (like event handlers and style)
_remove_invisible_characters ( $str ) : string Remove Invisible Characters
_sanitize_naughty_html ( $matches ) : string Sanitize Naughty HTML
_validate_entities ( $str ) : string Validate URL entities
entity_decode ( $str, $charset = NULL ) : string HTML Entities Decode
sanitize ( string $str, $rawurldecode = true ) : string Sanitizes submitted data so that Cross Site Scripting Hacks can be prevented.
xss_hash ( ) : string Random Hash for protecting URLs

Method Details

_compact_exploded_words() public method

Callback function for xss_clean() to remove whitespace from things like j a v a s c r i p t
public _compact_exploded_words ( $matches ) : string
return string @access private

_convert_attribute() public method

Used as a callback for XSS Clean
public _convert_attribute ( $match ) : string
return string @access private

_decode_entity() public method

Used as a callback for XSS Clean
public _decode_entity ( $match ) : string
return string @access private

_do_never_allowed() public method

A utility function for xss_clean()
public _do_never_allowed ( $str ) : string
return string @access private

_filter_attributes() public method

Filters tag attributes for consistency and safety
public _filter_attributes ( $str ) : string
return string @access private

_js_img_removal() public method

Callback function for xss_clean() to sanitize image tags This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings
public _js_img_removal ( $match ) : string
return string @access private

_js_link_removal() public method

Callback function for xss_clean() to sanitize links This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings
public _js_link_removal ( $match ) : string
return string @access private

_remove_evil_attributes() public method

It removes the evil attribute and either: - Everything up until a space For example, everything between the pipes: - Everything inside the quotes For example, everything between the pipes:
public _remove_evil_attributes ( string $str, boolean $is_image ) : string
$str string The string to check
$is_image boolean TRUE if this is an image
return string The string with the evil attributes removed @access private

_remove_invisible_characters() public method

This prevents sandwiching null characters between ascii characters, like Java\0script.
public _remove_invisible_characters ( $str ) : string
return string

_sanitize_naughty_html() public method

Callback function for xss_clean() to remove naughty HTML elements
public _sanitize_naughty_html ( $matches ) : string
return string @access private

_validate_entities() public method

Called by xss_clean()
public _validate_entities ( $str ) : string
return string @access private

entity_decode() public method

This function is a replacement for html_entity_decode() The reason we are not using html_entity_decode() by itself is because while it is not technically correct to leave out the semicolon at the end of an entity most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.
public entity_decode ( $str, $charset = NULL ) : string
return string @access private

sanitize() public method

This class is taken from the {@link http://codeigniter.com/ CodeIgniter PHP Framework}, version 2.1.2. This method is automatically run for each control when calling {@link Zebra_Form::validate() validate()}, unless specifically disabled by {@link Zebra_Form_Control::disable_xss_filters() disable_xss_filters()})! Following is the original documentation of the class, as found in CodeIgniter: Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter. Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing. This function was based in part on some code and ideas I got from Bitflux: {@link http://blog.bitflux.ch/wiki/XSS_Prevention} To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: {@link http://ha.ckers.org/xss.html}
public sanitize ( string $str, $rawurldecode = true ) : string
$str string String to be filtered @return string Returns filtered string
return string

xss_hash() public method

Random Hash for protecting URLs
public xss_hash ( ) : string
return string @access private

Property Details

$_never_allowed_regex public property

List of never allowed regex replacement
public array $_never_allowed_regex
return array

$_never_allowed_str public property

List of never allowed strings
public array $_never_allowed_str
return array

$_xss_hash public property

Random Hash for protecting URLs
public string $_xss_hash
return string