PHP Class XSS_Clean, Zebra_Form

@package XSS_Clean
Author: EllisLab Dev Team @copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/) @license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0) @link http://codeigniter.com
Project: stefangabos/zebra_form

Public Properties

Property Type Description
$_never_allowed_regex array List of never allowed regex replacements
$_never_allowed_str array List of never allowed strings
$_xss_hash string Random hash for protecting URLs

Public Methods

Method Description
_compact_exploded_words ( $matches ) : string Compact Exploded Words
_convert_attribute ( $match ) : string Attribute Conversion
_decode_entity ( $match ) : string HTML Entity Decode Callback
_do_never_allowed ( $str ) : string Do Never Allowed
_filter_attributes ( $str ) : string Filter Attributes
_js_img_removal ( $match ) : string JS Image Removal
_js_link_removal ( $match ) : string JS Link Removal
_remove_evil_attributes ( string $str, boolean $is_image ) : string Remove Evil HTML Attributes (like event handlers and style)
_remove_invisible_characters ( $str ) : string Remove Invisible Characters
_sanitize_naughty_html ( $matches ) : string Sanitize Naughty HTML
_validate_entities ( $str ) : string Validate URL entities
entity_decode ( $str, $charset = NULL ) : string HTML Entities Decode
sanitize ( string $str, $rawurldecode = true ) : string Sanitizes submitted data so that Cross Site Scripting Hacks can be prevented.
xss_hash ( ) : string Random Hash for protecting URLs

Method Details

_compact_exploded_words() public method

Callback function for xss_clean() (sanitize() in this class) to remove whitespace from things like "j a v a s c r i p t", so that the later checks see the assembled word.
public _compact_exploded_words ( $matches ) : string
Returns: string. @access private (internal callback; not meant to be called directly)
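To make the step concrete, here is a stand-alone reimplementation of the exploded-words compaction, added as an example; it is not the Zebra_Form or CodeIgniter code itself, and the word list it uses is assumed for the demo (the real filter keeps its own list).

```php
<?php
// Added example: a stand-alone reimplementation of the "exploded words" step,
// not the Zebra_Form / CodeIgniter code itself. The word list is assumed for
// the demo; the real filter keeps its own list.
function compact_exploded_words_demo(string $str): string
{
    // Words an attacker may spread out with whitespace to dodge a literal match.
    $words = array('javascript', 'vbscript', 'expression', 'script', 'alert');

    foreach ($words as $word) {
        // "javascript" becomes j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t, i.e. any
        // amount of whitespace is tolerated between the letters.
        $pattern = implode('\s*', str_split($word));

        // Only collapse when a non-word character follows: "dealer told" contains
        // an exploded "alert", but the "o" after the "t" shows it is ordinary text.
        $str = preg_replace_callback(
            '#(' . $pattern . ')(\W)#is',
            function ($m) {
                // Strip every whitespace run inside the match, keep the delimiter.
                return preg_replace('/\s+/s', '', $m[1]) . $m[2];
            },
            $str
        );
    }

    return $str;
}

// Constructed probes for the demo.
$probes = array(
    'j a v a s c r i p t:alert(1)',  // collapses to javascript:alert(1)
    "java\tscript:alert(1)",          // tabs and newlines are whitespace too
    'The car dealer told me',         // must stay unchanged
);

foreach ($probes as $probe) {
    printf("%-34s => %s\n", json_encode($probe), compact_exploded_words_demo($probe));
}
```

The trailing `(\W)` group is what keeps ordinary prose intact: without it, "dealer told" would be rewritten to "dealertold" because "a l e r t" spans the word boundary.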

_convert_attribute() public method

Used as a callback for XSS Clean.
public _convert_attribute ( $match ) : string
Returns: string. @access private

_decode_entity() public method

Used as a callback for XSS Clean.
public _decode_entity ( $match ) : string
Returns: string. @access private

_do_never_allowed() public method

A utility function for xss_clean().
public _do_never_allowed ( $str ) : string
Returns: string. @access private

_filter_attributes() public method

Filters tag attributes for consistency and safety.
public _filter_attributes ( $str ) : string
Returns: string. @access private

_js_img_removal() public method

Callback function for xss_clean() to sanitize image tags. Using a callback limits the PCRE backtracks, making it more performance friendly and preventing PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings (when that limit is hit, preg_replace() returns NULL instead of a string).
public _js_img_removal ( $match ) : string
Returns: string. @access private

_remove_invisible_characters() public method

Removes invisible (non-printing) characters. This prevents sandwiching null characters between ASCII characters, like Java\0script.
public _remove_invisible_characters ( $str ) : string
Returns: string
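The following is an added, stand-alone illustration of the null-sandwich defence (not the library's own method): it strips control characters and their URL-encoded forms, keeps tab, newline and carriage return, and repeats until nothing changes, because removing one sequence can expose another.

```php
<?php
// Added example (not the library's code): strip invisible characters so that
// "Java\0script" and "java%00script" both collapse to "javascript".
function remove_invisible_characters_demo(string $str): string
{
    $non_displayables = array(
        '/%0[0-8bcef]/i',  // URL-encoded 00-08, 11, 12, 14, 15
        '/%1[0-9a-f]/i',   // URL-encoded 16-31
        '/[\x00-\x08]/',   // raw 00-08
        '/\x0b/',          // raw 11 (vertical tab)
        '/\x0c/',          // raw 12 (form feed)
        '/[\x0e-\x1f]/',   // raw 14-31; tab (09), LF (0a) and CR (0d) survive
    );

    // Run to a fixed point: "java%0%000script" loses the inner "%00" first,
    // which leaves "java%00script", which needs a second pass.
    do {
        $before = $str;
        $str = preg_replace($non_displayables, '', $str);
    } while ($before !== $str);

    return $str;
}

// Constructed probes for the demo.
$probes = array(
    "Java\0script",         // raw NUL between letters
    'java%00script',        // same thing, URL-encoded
    'java%0%000script',     // only clean after the second pass
    "line1\r\nline2\ttab",  // CR, LF and tab are kept
);

foreach ($probes as $probe) {
    printf("%-26s => %s\n", json_encode($probe),
        json_encode(remove_invisible_characters_demo($probe)));
}
```

The fixed-point loop matters: a single pass would hand "java%00script" to the rest of the filter, and a later `rawurldecode()` would turn that back into the NUL sandwich the step was meant to remove.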

_sanitize_naughty_html() public method

Callback function for xss_clean() to remove naughty HTML elements.
public _sanitize_naughty_html ( $matches ) : string
Returns: string. @access private

_validate_entities() public method

Called by xss_clean().
public _validate_entities ( $str ) : string
Returns: string. @access private

entity_decode() public method

This function is a replacement for html_entity_decode(). The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own solution here. Bummer.
public entity_decode ( $str, $charset = NULL ) : string
Returns: string. @access private
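An added example of the technique described above, written here and not taken from the library: it normalises numeric entities that lack a semicolon and then hands the string to html_entity_decode(), so that a payload such as `&#106avascript:` is seen as `javascript:` by the checks that follow. It uses preg_replace() with a plain replacement (the CodeIgniter 2.1.2 version this class derives from relied on the preg_replace /e modifier, which PHP 7 removed); the probe strings are constructed for the demo.

```php
<?php
// Added example (not the library's code): decode numeric entities whether or
// not the trailing semicolon is present, then let html_entity_decode() do the
// rest (named entities such as &amp; and &lt;).
function entity_decode_demo(string $str, string $charset = 'UTF-8'): string
{
    if (strpos($str, '&') === false) {
        return $str;  // nothing to decode
    }

    // Add the missing semicolon back to "&#106" / "&#x6A" so that
    // html_entity_decode() recognises them. The possessive quantifiers (++)
    // stop "&#106;" from being re-matched as "&#10" followed by "6".
    $str = preg_replace('/&#(x[0-9a-f]++|[0-9]++)(?!;)/i', '&#$1;', $str);

    return html_entity_decode($str, ENT_QUOTES | ENT_HTML5, $charset);
}

// Constructed probes: the second and fourth are the cases the built-in
// function leaves untouched.
$probes = array(
    '&#106;avascript:alert(1)',  // decimal, semicolon present
    '&#106avascript:alert(1)',   // decimal, semicolon omitted
    '&#x6A;avascript:alert(1)',  // hex, semicolon present
    '&#x6Avascript:alert(1)',    // hex, semicolon omitted
    'Tom &amp; Jerry &lt;3',     // named entities, handled by the built-in
);

foreach ($probes as $probe) {
    $decoded = entity_decode_demo($probe);
    printf("%-28s builtin: %-26s demo: %-24s javascript: %s\n",
        $probe,
        html_entity_decode($probe, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $decoded,
        stripos($decoded, 'javascript:') !== false ? 'caught' : 'missed');
}
```

The last column is the point of the exercise: a `javascript:` check run on the undecoded string misses the second and fourth probes, and a browser would still execute them.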

sanitize() public method

This class is taken from the {@link http://codeigniter.com/ CodeIgniter PHP Framework}, version 2.1.2. This method is automatically run for each control when calling {@link Zebra_Form::validate() validate()}, unless specifically disabled by {@link Zebra_Form_Control::disable_xss_filters() disable_xss_filters()}.

Following is the original documentation of the class, as found in CodeIgniter:

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

This function was based in part on some code and ideas I got from Bitflux: {@link http://blog.bitflux.ch/wiki/XSS_Prevention}

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: {@link http://ha.ckers.org/xss.html}

public sanitize ( string $str, $rawurldecode = true ) : string
Parameters: $str string - String to be filtered
Returns: string - the filtered string
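An added usage example, not part of the Zebra_Form documentation, showing where sanitize() belongs (once, at submission time, as the note above requires) and what it does not replace. It assumes the class lives in includes/XSS.php as in the Zebra_Form repository, that XSS_Clean takes no constructor arguments, and that the second parameter, named $rawurldecode on this page, controls URL-decoding of the input before filtering; all three are assumptions made here. The filter is a blacklist, and the documentation itself says nothing is 100% foolproof, so output is still encoded for the HTML context it is printed into.

```php
<?php
// Added example, not from the Zebra_Form documentation. Assumed: includes/XSS.php
// defines XSS_Clean, and the class needs no constructor arguments.
require_once __DIR__ . '/includes/XSS.php';

// 1. At submission time: filter what the client sent, once, before storing it.
//    This is what Zebra_Form::validate() does for each control unless
//    disable_xss_filters() was called on it.
function accept_comment(string $submitted): string
{
    $xss = new XSS_Clean();
    // Second argument ($rawurldecode, assumed from its name): URL-decode first,
    // so %3Cscript%3E is examined as <script>.
    return $xss->sanitize($submitted, true);
}

// 2. At output time: the filter is a blacklist, so still encode for the
//    context you print into. Do not run sanitize() here; the docs say it is
//    for submission-time data, not general runtime processing.
function render_comment(string $stored): string
{
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$stored = accept_comment($_POST['comment'] ?? '');
echo render_comment($stored);
```

Keeping the two layers separate also means a value that slips past the input filter, or one that is later inserted into a non-HTML context (an attribute, a URL, a script block), is still handled by the encoding chosen for that context.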

xss_hash() public method

Random hash for protecting URLs.
public xss_hash ( ) : string
Returns: string. @access private

Property Details

$_never_allowed_regex public property

List of never allowed regex replacements
public array $_never_allowed_regex
Type: array

$_never_allowed_str public property

List of never allowed strings
public array $_never_allowed_str
Type: array

$_xss_hash public property

Random hash for protecting URLs
public string $_xss_hash
Type: string