PHP class XSS_Clean, Zebra_Form

@package XSS_Clean
@author EllisLab Dev Team
@copyright Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/)
@license http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
@link http://codeigniter.com
Project: stefangabos/zebra_form

Public properties

Property               Type     Description
$_never_allowed_regex  array    List of never-allowed regex replacements
$_never_allowed_str    array    List of never-allowed strings
$_xss_hash             string   Random hash for protecting URLs

Public methods

Method                                                     Description
_compact_exploded_words ( $matches ) : string Compact Exploded Words
_convert_attribute ( $match ) : string Attribute Conversion
_decode_entity ( $match ) : string HTML Entity Decode Callback
_do_never_allowed ( $str ) : string Do Never Allowed
_filter_attributes ( $str ) : string Filter Attributes
_js_img_removal ( $match ) : string JS Image Removal
_js_link_removal ( $match ) : string JS Link Removal
_remove_evil_attributes ( string $str, boolean $is_image ) : string Remove evil HTML attributes (event handlers, style and the like)
_remove_invisible_characters ( $str ) : string Remove invisible (control) characters
_sanitize_naughty_html ( $matches ) : string Sanitize Naughty HTML
_validate_entities ( $str ) : string Validate URL entities
entity_decode ( $str, $charset = NULL ) : string HTML Entities Decode
sanitize ( string $str, $rawurldecode = true ) : string Sanitizes submitted data so that Cross Site Scripting Hacks can be prevented.
xss_hash ( ) : string Random Hash for protecting URLs

Method details

The descriptions below are the docblocks inherited from CodeIgniter; where they say xss_clean(), the corresponding method in this class is sanitize(). The underscore-prefixed methods are callbacks used internally by sanitize(): although declared public, their docblocks mark them @access private and they are not part of the intended API. Only sanitize() is meant to be called by user code.

_compact_exploded_words() public method

Callback function for xss_clean() to remove whitespace from things like "j a v a s c r i p t".
public _compact_exploded_words ( $matches ) : string
Returns string (@access private)

_convert_attribute() public method

Used as a callback for XSS Clean.
public _convert_attribute ( $match ) : string
Returns string (@access private)

_decode_entity() public method

Used as a callback for XSS Clean.
public _decode_entity ( $match ) : string
Returns string (@access private)

_do_never_allowed() public method

A utility function for xss_clean(): applies the $_never_allowed_str and $_never_allowed_regex lists.
public _do_never_allowed ( $str ) : string
Returns string (@access private)

_filter_attributes() public method

Filters tag attributes for consistency and safety.
public _filter_attributes ( $str ) : string
Returns string (@access private)

_js_img_removal() public method

Callback function for xss_clean() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings.
public _js_img_removal ( $match ) : string
Returns string (@access private)

_remove_invisible_characters() public method

Remove invisible characters. This prevents sandwiching null characters between ASCII characters, like Java\0script.
public _remove_invisible_characters ( $str ) : string
Returns string
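The two normalisation steps described above, invisible-character removal and compaction of "exploded" keywords (see _compact_exploded_words() earlier), are easiest to understand on concrete input. The following is an added illustration written for this page; it is not the Zebra_Form or CodeIgniter implementation, and the control-character patterns, the keyword list and the demo_ helper names are assumptions chosen for the demonstration. The sample strings are constructed.

```php
<?php
// Added illustration of the normalisation steps, not the class's own code.

// Strip raw control bytes and their URL-encoded forms. Attackers sandwich these
// inside keywords ("Java\0script") so that naive keyword matching misses them
// while browsers still execute the result. Tab, LF and CR are deliberately kept.
function demo_remove_invisible_characters(string $str): string
{
    $patterns = [
        '/%0[0-8bcef]/i',                    // url-encoded 0x00-0x08, 0x0B, 0x0C, 0x0E, 0x0F
        '/%1[0-9a-f]/i',                     // url-encoded 0x10-0x1F
        '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', // the raw bytes
    ];

    // Repeat until nothing changes, so that nested encodings such as
    // "%%000" cannot survive a single pass.
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count > 0);

    return $str;
}

// Collapse whitespace inside keywords such as "j a v a s c r i p t" when the
// keyword is followed by a non-word character (":" in "javascript:").
function demo_compact_exploded_words(string $str): string
{
    // Keyword list is an assumption for the demo.
    $words = ['javascript', 'expression', 'vbscript', 'script',
              'applet', 'alert', 'document', 'write', 'cookie', 'window'];

    foreach ($words as $word) {
        // "javascript" -> "j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t"
        $pattern = '/(' . implode('\s*', str_split($word)) . ')(\W)/is';
        $str = preg_replace_callback($pattern, function (array $m): string {
            return preg_replace('/\s+/s', '', $m[1]) . $m[2];
        }, $str);
    }

    return $str;
}

// Constructed samples of the evasions the two steps are meant to defeat.
$samples = [
    "Java\0script:alert(1)",          // raw NUL byte sandwiched in the keyword
    "java%00script:alert(1)",         // URL-encoded NUL
    "j a v a s c r i p t:alert(1)",   // exploded keyword
    "<a href=\"jav\x0Bascript:x\">",  // vertical tab inside the keyword
];

foreach ($samples as $s) {
    $normalised = demo_compact_exploded_words(demo_remove_invisible_characters($s));
    printf("%-34s -> %s\n", addcslashes($s, "\0..\37"), $normalised);
}
```

Each sample normalises to a string in which the keyword "javascript" is contiguous, which is the precondition for the later blacklist passes ( _do_never_allowed(), _js_link_removal() ) to recognise it at all. The order matters: compaction runs on the already-stripped string, otherwise a NUL between two letters would defeat the whitespace-only pattern.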

_sanitize_naughty_html() public method

Callback function for xss_clean() to remove naughty HTML elements.
public _sanitize_naughty_html ( $matches ) : string
Returns string (@access private)

_validate_entities() public method

Called by xss_clean() to validate URL entities.
public _validate_entities ( $str ) : string
Returns string (@access private)

entity_decode() public method

This function is a replacement for html_entity_decode(). The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.
public entity_decode ( $str, $charset = NULL ) : string
Returns string (@access private)
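The semicolon problem described above is the whole reason this method exists, so it is worth seeing on real payloads. The function below is an added example for this page, not the class's entity_decode(): it restores the missing ";" on numeric character references (decimal and hex) and then hands the string to the standard decoder. The demo_ name, the possessive-quantifier regexes and the sample payloads are all constructed for the illustration.

```php
<?php
// Added example, not the class's own entity_decode().

function demo_entity_decode(string $str, string $charset = 'UTF-8'): string
{
    if (strpos($str, '&') === false) {
        return $str;                       // nothing to decode
    }

    // Browsers accept numeric character references without the closing ';'.
    // Put the ';' back so html_entity_decode() recognises them. The possessive
    // quantifiers (++) stop the engine from backtracking into a shorter digit
    // run when the reference already ends in ';', which would corrupt it.
    $str = preg_replace('/&#x([0-9a-f]++)(?!;)/i', '&#x$1;', $str);  // hex
    $str = preg_replace('/&#([0-9]++)(?!;)/', '&#$1;', $str);        // decimal

    // Named entities and the now well-formed numeric ones are left to PHP.
    return html_entity_decode($str, ENT_QUOTES, $charset);
}

// Constructed payloads: the same "javascript:" URL written four ways.
$payloads = [
    '&#106;avascript:alert(1)',   // decimal reference, with ';'
    '&#106avascript:alert(1)',    // decimal reference, ';' omitted
    '&#x6a;avascript:alert(1)',   // hex reference, with ';'
    '&#x6avascript:alert(1)',     // hex reference, ';' omitted
];

foreach ($payloads as $p) {
    printf("%-26s  html_entity_decode: %-24s  demo: %s\n",
        $p,
        html_entity_decode($p, ENT_QUOTES, 'UTF-8'),
        demo_entity_decode($p));
}
```

The two payloads without a semicolon come back from html_entity_decode() unchanged, so a filter that decodes with it and then searches for "javascript" would pass them through; the helper decodes all four to the same javascript: URL, which is the form a browser will act on. A filter must decode the way the browser decodes, or the check is run on a string the browser never sees.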

sanitize() public method

This class is taken from the {@link http://codeigniter.com/ CodeIgniter PHP Framework}, version 2.1.2. This method is automatically run for each control when calling {@link Zebra_Form::validate() validate()}, unless specifically disabled for that control by {@link Zebra_Form_Control::disable_xss_filters() disable_xss_filters()}.

Following is the original documentation of the class, as found in CodeIgniter:

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

This function was based in part on some code and ideas I got from Bitflux: {@link http://blog.bitflux.ch/wiki/XSS_Prevention}

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: {@link http://ha.ckers.org/xss.html}

public sanitize ( string $str, $rawurldecode = true ) : string
$str string String to be filtered
Returns string Returns the filtered string
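The note above ("only upon submission, not for general runtime processing") and the admission that no filter is 100% foolproof together describe how sanitize() should sit in an application: run once on the submitted value, with context-appropriate output encoding still applied when the value is rendered. The following usage example is added for this page and is not Zebra_Form's or CodeIgniter's own code; the require path of XSS_Clean.php and the direct new XSS_Clean() call are assumptions about the install layout, and the submitted values are constructed.

```php
<?php
// Added usage example; not code from Zebra_Form or CodeIgniter.
// Assumption: the class file lives in the project's includes directory.
require_once 'includes/XSS_Clean.php';

// Constructed sample submission, as a browser might POST it.
$submitted = [
    'nickname' => "O'Brien <b>bold</b>",
    'bio'      => '<a href="javascript:alert(document.cookie)">me</a>',
    'site'     => 'http://example.com/?q=<script>alert(1)</script>',
];

// 1. Filter on submission only, exactly once. Inside Zebra_Form this is what
//    validate() does per control unless disable_xss_filters() was called on it.
$xss    = new XSS_Clean();
$stored = [];
foreach ($submitted as $field => $value) {
    $stored[$field] = $xss->sanitize($value);
}

// 2. sanitize() is a blacklist applied to input, not an output encoder: the
//    stored values may still contain '<', '>' and quotes. Encode for the
//    context in which each value is rendered.
function render_text(string $s): string
{
    // HTML text / attribute context
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_url(string $url): string
{
    // href context: allow-list the scheme rather than trying to spot bad ones.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

printf("<p>%s</p>\n", render_text($stored['nickname']));
printf("<p>%s</p>\n", render_text($stored['bio']));
printf("<a href=\"%s\">site</a>\n", render_url($stored['site']));
```

A control that genuinely has to accept raw HTML (a rich-text editor, for instance) is opted out with disable_xss_filters() on that control; that value then needs its own handling on output, for example an allow-list HTML sanitizer, because nothing else in the pipeline will touch it.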

xss_hash() public method

Random hash for protecting URLs.
public xss_hash ( ) : string
Returns string (@access private)

Property details

$_never_allowed_regex public property

List of never-allowed regex replacements.
public array $_never_allowed_regex
Returns array

$_never_allowed_str public property

List of never-allowed strings.
public array $_never_allowed_str
Returns array

$_xss_hash public property

Random hash for protecting URLs.
public string $_xss_hash
Returns string