PHP Class CI_Security, TastyIgniter


Public Properties

Property Type Description
$charset string Character set; set by the constructor from the application configuration.
$filename_bad_chars array List of strings and characters that sanitize_filename() strips from a file name.

Protected Properties

Property Type Description
$_csrf_cookie_name string Cookie name for Cross Site Request Forgery protection cookie.
$_csrf_expire integer Expiration time for Cross Site Request Forgery protection cookie. Defaults to two hours (in seconds).
$_csrf_hash string Random hash for Cross Site Request Forgery protection cookie
$_csrf_token_name string Token name for Cross Site Request Forgery protection cookie.
$_never_allowed_regex array List of never allowed regex replacements
$_never_allowed_str array List of never allowed strings
$_xss_hash string Random Hash for protecting URLs.

Public Methods

Method Description
__construct ( ) : void Class constructor
csrf_set_cookie ( ) : CI_Security CSRF Set Cookie
csrf_show_error ( ) : void Show CSRF Error
csrf_verify ( ) : CI_Security CSRF Verify
entity_decode ( string $str, string $charset = NULL ) : string HTML Entities Decode
get_csrf_hash ( ) : string Get CSRF Hash
get_csrf_token_name ( ) : string Get CSRF Token Name
get_random_bytes ( integer $length ) : string Get random bytes
sanitize_filename ( string $str, boolean $relative_path = FALSE ) : string Sanitize Filename
strip_image_tags ( string $str ) : string Strip Image Tags
xss_clean ( string | string[] $str, boolean $is_image = FALSE ) : string XSS Clean
xss_hash ( ) : string XSS Hash

Protected Methods

Method Description
_compact_exploded_words ( array $matches ) : string Compact Exploded Words
_convert_attribute ( array $match ) : string Attribute Conversion
_csrf_set_hash ( ) : string Set CSRF Hash and Cookie
_decode_entity ( array $match ) : string HTML Entity Decode Callback
_do_never_allowed ( string $str ) : string Do Never Allowed
_filter_attributes ( string $str ) : string Filter Attributes
_js_img_removal ( array $match ) : string JS Image Removal
_js_link_removal ( array $match ) : string JS Link Removal
_sanitize_naughty_html ( array $matches ) : string Sanitize Naughty HTML

Method Details

__construct() public method

Class constructor
public __construct ( ) : void
return void

_compact_exploded_words() protected method

Callback method for xss_clean() to remove whitespace from things like 'j a v a s c r i p t'.
protected _compact_exploded_words ( array $matches ) : string
$matches array
return string

_convert_attribute() protected method

Attribute Conversion
protected _convert_attribute ( array $match ) : string
$match array
return string

_csrf_set_hash() protected method

Set CSRF Hash and Cookie
protected _csrf_set_hash ( ) : string
return string

_decode_entity() protected method

HTML Entity Decode Callback
protected _decode_entity ( array $match ) : string
$match array
return string

_do_never_allowed() protected method

Removes the strings and patterns listed in $_never_allowed_str and $_never_allowed_regex from the input.
protected _do_never_allowed ( string $str ) : string
$str string
return string

_filter_attributes() protected method

Filters tag attributes for consistency and safety.
protected _filter_attributes ( string $str ) : string
$str string
return string

_js_img_removal() protected method

Callback method for xss_clean() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings.
protected _js_img_removal ( array $match ) : string
$match array
return string

_sanitize_naughty_html() protected method

Callback method for xss_clean() to remove naughty HTML elements.
protected _sanitize_naughty_html ( array $matches ) : string
$matches array
return string

csrf_show_error() public method

Show CSRF Error
public csrf_show_error ( ) : void
return void

csrf_verify() public method

CSRF Verify
public csrf_verify ( ) : CI_Security
return CI_Security
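
The double-submit pattern behind csrf_set_cookie() and csrf_verify(): a random value is stored in a cookie, echoed back in a hidden form field, and the two are compared on state-changing requests. The following is an added stand-alone example, not CI_Security's own code; the function names csrf_issue(), csrf_field() and csrf_check(), the cookie and field names, and the cookie flags are assumptions chosen for the demonstration (CI_Security takes its names from configuration, see $_csrf_cookie_name and $_csrf_token_name). It shows the two properties a reviewer should confirm in any such implementation: the token comes from a CSPRNG, and the comparison is constant-time.

```php
<?php
// Added example: a minimal double-submit CSRF check modelled on the
// csrf_set_cookie()/csrf_verify() pattern. Not CI_Security's own code;
// every name below is an assumption chosen for this demonstration.

const CSRF_COOKIE_NAME = 'demo_csrf_cookie'; // CI_Security: $_csrf_cookie_name (from config)
const CSRF_TOKEN_NAME  = 'demo_csrf_token';  // CI_Security: $_csrf_token_name (from config)
const CSRF_EXPIRE      = 7200;               // two hours, like the default $_csrf_expire

// Mint a fresh token from the CSPRNG and store it in the cookie.
function csrf_issue(): string
{
    $hash = bin2hex(random_bytes(16));          // 128 bits, hex-encoded
    setcookie(CSRF_COOKIE_NAME, $hash, [
        'expires'  => time() + CSRF_EXPIRE,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $hash;
}

// Hidden field that carries the same token back with the form.
function csrf_field(string $hash): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
         . htmlspecialchars($hash, ENT_QUOTES, 'UTF-8') . '">';
}

// Verification: only state-changing requests are checked; the cookie value
// must look like a token we issued; the two values are compared in constant
// time so the check does not leak how long a matching prefix was.
function csrf_check(string $method, array $post, array $cookie): bool
{
    if (strtoupper($method) !== 'POST') {
        return true;
    }
    $sent   = $post[CSRF_TOKEN_NAME]    ?? null;
    $stored = $cookie[CSRF_COOKIE_NAME] ?? null;
    if (!is_string($sent) || !is_string($stored)) {
        return false;                         // missing token or cookie
    }
    if (!preg_match('/\A[0-9a-f]{32}\z/', $stored)) {
        return false;                         // cookie does not look like one we issued
    }
    return hash_equals($stored, $sent);
}

// Constructed request data (no real HTTP exchange takes place here).
$hash = bin2hex(random_bytes(16));
echo csrf_field($hash), "\n";
var_dump(csrf_check('POST', [CSRF_TOKEN_NAME => $hash], [CSRF_COOKIE_NAME => $hash]));
var_dump(csrf_check('POST', [CSRF_TOKEN_NAME => 'forged'], [CSRF_COOKIE_NAME => $hash]));
var_dump(csrf_check('POST', [], [CSRF_COOKIE_NAME => $hash]));
var_dump(csrf_check('GET', [], []));
```

In a CodeIgniter view the same hidden field is built from the values that get_csrf_token_name() and get_csrf_hash() return, so the field name and the cookie contents stay in sync with whatever the configuration names them.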

entity_decode() public method

A replacement for html_entity_decode(). html_entity_decode() is not used on its own because, although omitting the semicolon at the end of an entity is technically incorrect, most browsers still interpret such entities; html_entity_decode() does not convert entities without semicolons, so this method supplies its own decoding to make sure the filter sees the same text the browser will render.
public entity_decode ( string $str, string $charset = NULL ) : string
$str string Input
$charset string Character set
return string
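
An added example, not CI_Security's entity_decode() implementation, that makes the semicolon problem concrete: html_entity_decode() leaves '&lt' and '&#60' untouched, yet a browser renders both as '<', so a filter that only normalises well-formed entities is inspecting different text than the browser will see. The helper name lenient_entity_decode() and its short list of legacy entity names are assumptions; numeric references are given their missing semicolon by regex and the standard decoder then handles everything uniformly.

```php
<?php
// Added example (not CI_Security code): decode HTML entities the way a
// browser does, including references that lack the trailing ';'.
// lenient_entity_decode() and the $legacy list are assumptions.

function lenient_entity_decode(string $str, string $charset = 'UTF-8'): string
{
    if (strpos($str, '&') === false) {
        return $str;                                   // nothing to decode
    }

    // Step 1: decimal references such as &#60 -> &#60; (leave &#60; alone).
    $str = preg_replace('/&#([0-9]+)(?![0-9;])/', '&#$1;', $str);

    // Step 2: hex references such as &#x3C -> &#x3C; (leave &#x3C; alone).
    $str = preg_replace('/&#x([0-9a-f]+)(?![0-9a-f;])/i', '&#x$1;', $str);

    // Step 3: the named references browsers accept without a semicolon.
    // Like a browser's text-content parsing, '&ltscript' becomes '<script'.
    $legacy = ['lt', 'gt', 'amp', 'quot', 'apos', 'nbsp'];
    $str = preg_replace('/&(' . implode('|', $legacy) . ')(?!;)/i', '&$1;', $str);

    // Step 4: every reference is now well formed; the standard decoder
    // converts them all in one pass.
    return html_entity_decode($str, ENT_QUOTES | ENT_HTML5, $charset);
}

// Constructed inputs: the same tag spelled with and without semicolons.
$payloads = [
    '&lt;script&gt;',      // well formed: both decoders agree
    '&ltscript&gt',        // named, no semicolons
    '&#60script&#62',      // decimal, no semicolons
    '&#x3Cscript&#x3E',    // hex, no semicolons
];

foreach ($payloads as $p) {
    printf(
        "%-20s strict=%-16s lenient=%s\n",
        $p,
        html_entity_decode($p, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        lenient_entity_decode($p)
    );
}
```

Decoding has to happen before the dangerous-pattern checks run, which is why xss_clean() goes through the _decode_entity() callback first; a filter that matches on the raw submitted bytes can be walked around with any of the three semicolon-less spellings above.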

get_csrf_hash() public method

Get CSRF Hash
See also: CI_Security::$_csrf_hash
public get_csrf_hash ( ) : string
return string CSRF hash

get_csrf_token_name() public method

Get CSRF Token Name
See also: CI_Security::$_csrf_token_name
public get_csrf_token_name ( ) : string
return string CSRF token name

get_random_bytes() public method

Get random bytes
public get_random_bytes ( integer $length ) : string
$length integer Output length
return string

sanitize_filename() public method

Sanitize Filename
public sanitize_filename ( string $str, boolean $relative_path = FALSE ) : string
$str string Input file name
$relative_path boolean Whether to preserve paths
return string

strip_image_tags() public method

Strip Image Tags
public strip_image_tags ( string $str ) : string
$str string
return string

xss_clean() public method

Sanitizes data so that Cross Site Scripting attacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to catch even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but the author has not been able to get anything past the filter. Note: it should only be used to deal with data upon submission; it is not something that should be used for general runtime processing. It is a filter applied to input, not a substitute for context-appropriate output escaping (for example htmlspecialchars() when echoing into HTML), which should still be applied at the point of output.
public xss_clean ( string | string[] $str, boolean $is_image = FALSE ) : string
$str string | string[] Input data
$is_image boolean Whether the input is an image
return string

xss_hash() public method

Generates the XSS hash if needed and returns it.
See also: CI_Security::$_xss_hash
public xss_hash ( ) : string
return string XSS hash

Property Details

$_csrf_expire protected property

Expiration time for Cross Site Request Forgery protection cookie. Defaults to two hours (in seconds).
protected int $_csrf_expire
return integer

$_csrf_hash protected property

Random hash for Cross Site Request Forgery protection cookie
protected string $_csrf_hash
return string

$_csrf_token_name protected property

Token name for Cross Site Request Forgery protection cookie.
protected string $_csrf_token_name
return string

$_never_allowed_regex protected property

List of never allowed regex replacements
protected array $_never_allowed_regex
return array

$_never_allowed_str protected property

List of never allowed strings
protected array $_never_allowed_str
return array

$_xss_hash protected property

Random Hash for protecting URLs.
protected string $_xss_hash
return string

$charset public property

Character set; set by the constructor from the application configuration.
public string $charset
return string

$filename_bad_chars public property

List of strings and characters that sanitize_filename() strips from a file name.
public array $filename_bad_chars
return array