expString

Constants

BASE = "../../.."

package: Subsystems

Methods

Compact Exploded Words

_compact_exploded_words(array $matches) : string
static

Callback method for xss_clean() to remove whitespace from things like 'j a v a s c r i p t'.

used-by

CI_Security::xss_clean()

Arguments

$matches

array

Response

string

Attribute Conversion

_convert_attribute(array $match) : string
static
used-by

CI_Security::xss_clean()

Arguments

$match

array

Response

string

HTML Entity Decode Callback

_decode_entity(array $match) : string
static
used-by

CI_Security::xss_clean()

Arguments

$match

array

Response

string

Do Never Allowed

_do_never_allowed( $str) : string
static
used-by

CI_Security::xss_clean()

Arguments

$str

Response

string
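The two callback-style steps documented above (compacting exploded keywords, then applying the never-allowed lists) in the order they have to run, as an added example written for this page rather than the class's own code. The word list, the `[removed]` marker and the regexes are this example's assumptions about what the class keeps in its `_never_allowed_str` and `_never_allowed_regex` properties:

```php
<?php
// Added example, not the class's code: compact "j a v a s c r i p t" so that
// later checks see the real keyword, then neutralise a never-allowed list.

// Keywords the later checks look for; whitespace between the letters must
// not be allowed to hide them. (Assumed list.)
const EXPLODED_WORDS = ['javascript', 'expression', 'vbscript', 'script', 'alert', 'eval'];

function compactExplodedWords(string $str): string
{
    $alts = [];
    foreach (EXPLODED_WORDS as $w) {
        $alts[] = implode('\s*', str_split($w));   // j\s*a\s*v\s*a...
    }
    // Group 1 is the exploded word, group 2 the non-word character after it,
    // which is re-emitted unchanged.
    return preg_replace_callback(
        '/(' . implode('|', $alts) . ')(\W)/is',
        static fn(array $m): string => preg_replace('/\s+/', '', $m[1]) . $m[2],
        $str
    );
}

// Never-allowed literals and regexes (assumed contents). Matches are replaced
// with a visible marker rather than silently deleted, so a reviewer can see
// that the stored value was altered.
const NEVER_ALLOWED_STR = [
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    '.parentNode'     => '[removed]',
    '.innerHTML'      => '[removed]',
    '<!--'            => '&lt;!--',
    '-->'             => '--&gt;',
];
const NEVER_ALLOWED_REGEX = [
    'javascript\s*:',
    'expression\s*(\(|&\#40;)',     // CSS expression()
    'vbscript\s*:',
    'data\s*:\s*text/html',
];

function doNeverAllowed(string $str): string
{
    $str = str_replace(array_keys(NEVER_ALLOWED_STR), array_values(NEVER_ALLOWED_STR), $str);
    foreach (NEVER_ALLOWED_REGEX as $re) {
        $str = preg_replace('#' . $re . '#is', '[removed]', $str);
    }
    return $str;
}

// Constructed input. Without the compaction step, "javascript\s*:" would not
// match the spaced-out scheme and the never-allowed pass would miss it.
$in    = '<a href="j a v a s c r i p t :alert(document.cookie)">x</a>';
$step1 = compactExplodedWords($in);
$step2 = doNeverAllowed($step1);
echo $step1, PHP_EOL;   // href="javascript :alert(document.cookie)"
echo $step2, PHP_EOL;   // href="[removed]alert([removed])"
```

The order matters: the never-allowed regexes are written against the canonical keyword, so any decoding and compaction has to happen before they run, and a keyword that only becomes visible after decoding has to be caught by looping, not by a single pass.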

Filter Attributes

_filter_attributes(string $str) : string
static

Filters tag attributes for consistency and safety.

used-by

CI_Security::_js_img_removal()

CI_Security::_js_link_removal()

Arguments

$str

string

Response

string

JS Image Removal

_js_img_removal(array $match) : string
static

Callback method for xss_clean() to sanitize image tags.

Handling image tags in a callback limits PCRE backtracking, which is cheaper and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered (PHP 5.2+) on strings containing many image tags.

used-by

CI_Security::xss_clean()

Arguments

$match

array

Response

string
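The failure mode the note above is about, and the check a caller of any regex-based filter needs, as an added example that is not the class's code. When PCRE hits `pcre.backtrack_limit`, `preg_replace()` returns NULL and `preg_last_error()` says why; a filter that ignores that can pass input through unfiltered or turn it into an empty string that looks "clean". The pattern is the deliberately pathological one from the PHP manual's `pcre.backtrack_limit` example, standing in for a naive attribute regex; `preg_last_error_msg()` needs PHP 8.0:

```php
<?php
// Added example, not the class's code: fail closed when PCRE aborts.

function filterOrFail(string $pattern, string $replacement, string $input): string
{
    $out = preg_replace($pattern, $replacement, $input);
    if ($out === null || preg_last_error() !== PREG_NO_ERROR) {
        // Refuse the input rather than return it half-filtered or empty.
        throw new RuntimeException('regex filter aborted: ' . preg_last_error_msg());
    }
    return $out;
}

// Make the abort reproducible in a small script (demo settings only): the
// JIT reports its own error code, and the default limit is 1,000,000.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '1000');

// Constructed input: many image tags, no '!' or '?' for the pattern to find,
// so the nested quantifier backtracks exponentially before giving up.
$input   = str_repeat('<img src=x onerror=a> ', 20);
$pattern = '/(?:\D+|<\d+>)*[!?]/';   // pathological stand-in, not the filter's regex

try {
    echo filterOrFail($pattern, '', $input), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;   // Backtrack limit exhausted
}
```

With the JIT enabled the same overrun surfaces as PREG_JIT_STACKLIMIT_ERROR instead; checking for anything other than PREG_NO_ERROR covers both.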

Sanitize Naughty HTML

_sanitize_naughty_html(array $matches) : string
static

Callback method for xss_clean() to remove naughty HTML elements.

used-by

CI_Security::xss_clean()

Arguments

$matches

array

Response

string

Ensure a JavaScript value is enclosed properly

balance_closure( $val,  $closure = "'") : boolean
static

Arguments

$val

$closure

Response

boolean

Check a JavaScript value to ensure it is a string, array or object; attempts to prevent JavaScript crashes caused by outputting malformed code values

check_javascript( $val,  $string_only = false,  $object_only = false) : string
static

Arguments

$val

$string_only

$object_only

Response

string

Routine to convert any smart quotes into normal quotes

convertSmartQuotes(string $str) : string
static

Arguments

$str

string

Response

string

Routine to convert a string to UTF

convertUTF(string $string) : string
static

Arguments

$string

string

Response

string

Routine to convert a string to an XML-safe string

convertXMLFeedSafeChar(string $str) : string
static

Arguments

$str

string

Response

string

HTML Entities Decode

entity_decode(string $str, string $charset = NULL) : string
static

A replacement for html_entity_decode()

html_entity_decode() is not used on its own because, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so this method has to handle them itself.

link

http://php.net/html-entity-decode

Arguments

$str

string

Input

$charset

string

Character set

Response

string
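A decoder that, like the entity_decode() documented above, also accepts references without the trailing `;`, as an added example written for this page (it is not the class's own implementation). It also loops until the string stops changing, so a double-encoded `&amp;#106;` is unwrapped to `&#106;` and then to `j`:

```php
<?php
// Added example, not the class's code: lax entity decoding for a filter.

function decodeEntitiesLax(string $str, string $charset = 'UTF-8'): string
{
    if (strpos($str, '&') === false) {
        return $str;
    }
    $flags = ENT_QUOTES | ENT_HTML5;

    // '&name;' => character, built from PHP's own table so that only names
    // PHP itself knows are decoded when the ';' is missing.
    static $tables = [];
    $tables[$charset] ??= array_flip(get_html_translation_table(HTML_ENTITIES, $flags, $charset));
    $named = $tables[$charset];

    // Loop until stable: '&amp;#106;' becomes '&#106;' and only then 'j'.
    do {
        $before = $str;

        // Numeric references, decimal or hex, ';' optional.
        $str = preg_replace_callback(
            '/&#(x[0-9a-f]+|[0-9]+);?/i',
            static function (array $m) use ($charset): string {
                $cp = stripos($m[1], 'x') === 0 ? hexdec(substr($m[1], 1)) : (int) $m[1];
                if (!is_int($cp) || $cp > 0x10FFFF) {
                    return '';                      // out of range: drop it
                }
                $ch = mb_chr($cp, $charset);
                return $ch === false ? '' : $ch;
            },
            $str
        );

        // Named references missing their ';' (e.g. '&lt' or '&quot'). The
        // lookaheads leave properly terminated ones to the built-in below.
        $str = preg_replace_callback(
            '/&([a-z][a-z0-9]{1,31})(?!;)(?![a-z0-9])/i',
            static fn(array $m): string => $named['&' . $m[1] . ';'] ?? $m[0],
            $str
        );

        $str = html_entity_decode($str, $flags, $charset);
    } while ($str !== $before);

    return $str;
}

// Constructed samples: each hides "javascript" or "<" from a decoder that
// insists on the semicolon.
$samples = [
    '&#106avascript:alert(1)',   // decimal reference, no ';'
    '&#x6A;avascript:alert(1)',  // hex reference
    '&lt script&gt',             // named references, no ';'
    '&amp;#106;avascript',       // double-encoded
];
foreach ($samples as $s) {
    printf("%-26s -> %s\n", $s, decodeEntitiesLax($s));
}
```

Browsers apply slightly different rules again for semicolon-less legacy names inside attributes versus text; a filter that decodes more generously than the browser errs on the safe side, since the goal here is to expose keywords for the later checks, not to render the string.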

escape

escape( $value) 
static

Arguments

$value

Get random bytes

get_random_bytes(integer $length) : string
static
Throws
\Exception

Arguments

$length

integer

Output length

Response

string

Convert email HTML content to text: remove scripts, styles and tags, and convert <br> to a newline

html2text( $val) : mixed
static

Arguments

$val

Response

mixed

Routine to strip unreadable characters from a string, keeping only ASCII 32 to 126

onlyReadables(string $string) : string
static

Arguments

$string

string

Response

string

outputField

outputField( $val,  $eof = ',',  $isHTML = false) 
static

Arguments

$val

$eof

$isHTML

Routine to

parseAndTrim(string $str, boolean $unescape = false) : mixed|string
static

Arguments

$str

string

$unescape

boolean

should the string also be unescaped?

Response

mixed|string

parseAndTrimExport

parseAndTrimExport( $str,  $isHTML = false) 
static

Arguments

$str

$isHTML

parseAndTrimImport

parseAndTrimImport( $str,  $isHTML = false) 
static

Arguments

$str

$isHTML

Remove Invisible Characters

remove_invisible_characters( $str,  $url_encoded = TRUE) : string
static

This prevents sandwiching null characters between ASCII characters, like Java\0script.

Arguments

$str

$url_encoded

Response

string
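An added example modelled on what remove_invisible_characters() above is documented to do (written for this page, not copied from the class): strip ASCII control characters, and with `$url_encoded` their percent-encoded forms, and repeat until nothing is removed, because deleting one match can create another:

```php
<?php
// Added example, not the class's code: remove invisible characters so that
// keyword checks further down the pipeline see "javascript", not "Java\0script".

function stripInvisible(string $str, bool $urlEncoded = true): string
{
    $patterns = [];
    if ($urlEncoded) {
        // The same bytes in their percent-encoded form, for URL-ish input.
        $patterns[] = '/%0[0-8bcef]/i';   // %00-%08, %0B, %0C, %0E, %0F
        $patterns[] = '/%1[0-9a-f]/i';    // %10-%1F
        $patterns[] = '/%7f/i';           // DEL
    }
    // Raw control bytes. \t, \n and \r are kept as ordinary whitespace.
    $patterns[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/';

    // Repeat until nothing is removed: "%0%000" -> "%00" -> "".
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count);

    return $str;
}

// Constructed inputs. A substring check for "javascript" run before this
// step would miss every one of the first three.
$samples = [
    "Java\0script:alert(1)",
    'java%00script:alert(1)',
    'java%0%000script:alert(1)',
    "tabs\tand\nnewlines stay",
];
foreach ($samples as $s) {
    printf("%-32s -> %s\n", addcslashes($s, "\0..\37"), stripInvisible($s));
}
```

Because this step runs first and the later checks compare against plain keywords, it has to be applied to the raw bytes and to the URL-encoded form when the value may be used in a URL; a single pass is not enough, hence the loop on `$count`.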

Scrub input string for possible security issues.

sanitize( &$data) : string|array
static

Arguments

$data

string|array

Response

string|array

Enhanced variation of strip_tags with 'invert' option to remove specific tags

strip_tags_content( $text, string $tags = '', boolean $invert = false) : mixed
static

Arguments

$text

$tags

string

$invert

boolean

Response

mixed
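An added example, not the class's own code, covering strip_tags_content() above and html2text() earlier on this page. PHP's strip_tags() removes tags but keeps the text inside them, so `<script>alert(1)</script>` would survive as `alert(1)`; converting mail to text therefore has to remove script and style elements together with their content first. The semantics below are an assumption drawn from the descriptions: `$invert = false` keeps only the listed tags, `$invert = true` removes exactly the listed tags, and in both cases a removed element loses its content:

```php
<?php
// Added example, not the class's code.

function stripTagsContent(string $text, string $tags = '', bool $invert = false): string
{
    // Accept the same "<a><b>" list format as strip_tags().
    preg_match_all('/<([a-z][a-z0-9]*)\b[^>]*>/i', $tags, $m);
    $names = array_unique(array_map('strtolower', $m[1]));

    if ($names === []) {
        // No list: remove every element together with its content.
        return preg_replace('@<([a-z][a-z0-9]*)\b[^>]*>.*?</\1\s*>@si', '', $text);
    }
    $alt = implode('|', array_map(static fn(string $n): string => preg_quote($n, '@'), $names));
    if ($invert) {
        // Remove only the listed elements, content included.
        return preg_replace('@<(' . $alt . ')\b[^>]*>.*?</\1\s*>@si', '', $text);
    }
    // Keep only the listed elements; remove all others with their content.
    return preg_replace('@<(?!(?:' . $alt . ')\b)([a-z][a-z0-9]*)\b[^>]*>.*?</\1\s*>@si', '', $text);
}

function htmlToText(string $html): string
{
    // 1. Script and style elements go with their bodies.
    $html = stripTagsContent($html, '<script><style>', true);
    // 2. Line structure: <br> and the end of a block become newlines.
    $html = preg_replace('@<br\s*/?>@i', "\n", $html);
    $html = preg_replace('@</(p|div|tr|li|h[1-6])\s*>@i', "\n", $html);
    // 3. Drop the remaining tags, then decode entities for plain text.
    $text = html_entity_decode(strip_tags($html), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return trim(preg_replace("/\n{3,}/", "\n\n", $text));
}

// Constructed sample mail body.
$mail = <<<HTML
<html><head><style>p{color:red}</style></head>
<body><p>Hello,<br>your order <b>#42</b> shipped.</p>
<script>alert(1)</script>
<p>Thanks &amp; regards</p></body></html>
HTML;

echo htmlToText($mail), PHP_EOL;
// Hello,
// your order #42 shipped.
//
// Thanks & regards
```

Two caveats. Regex tag handling is adequate for turning a mail into readable text, but it is not a sanitizer: nested or unclosed elements are not tracked, so anything that must be rendered as HTML again needs a real parser-based cleaner. And the result is plain text with entities decoded, so `&lt;script&gt;` in the input becomes a literal `<script>` in the output; if that text is ever put back into an HTML page it must be escaped again.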

stripLineEndings

stripLineEndings( $val) 
static

Arguments

$val

Summarize or shorten a long string

summarize( $string, string $strtype = 'html', string $type = 'para', string $more = '...') : string
static

Arguments

$string

$strtype

string

$type

string

$more

string

Response

string

Routine to check whether a string is valid UTF

validUTF(string $string) : boolean
static

Arguments

$string

string

Response

boolean

XSS Clean

xss_clean(string|array<mixed,string> $str, boolean $is_image = FALSE) : string
static

Sanitizes data so that Cross Site Scripting attacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

link

Based in part on some code and ideas from Bitflux.

link

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs.

Arguments

$str

string|array<mixed,string>

Input data

$is_image

boolean

Whether the input is an image

Response

string
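The note above restricts xss_clean() to submission time. At render time the stored value still has to be encoded for the context it lands in, which no submission-time filter can know, and a user-supplied URL is better handled by allow-listing its scheme than by block-listing spellings of `javascript:`. The following is an added example written for this page, not the class's code; the helper names are its own and the stored value is constructed:

```php
<?php
// Added example, not the class's code: context-specific output encoding and
// a scheme allow-list, the render-time complement of a submission-time filter.

function forHtml(string $s): string
{
    // Text nodes and quoted attribute values; the caller supplies the quotes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function forJsLiteral(string $s): string
{
    // JSON with the HEX flags: "</script>", quotes and "&" cannot break out of
    // the surrounding <script> element or string literal.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function forUrlParam(string $s): string
{
    return rawurlencode($s);
}

function safeHref(string $url): ?string
{
    // Browsers strip tab/CR/LF and leading control characters before parsing
    // a URL, so normalise the same way before looking at the scheme.
    $url = ltrim(str_replace(["\t", "\n", "\r"], '', $url), "\x00..\x20");
    $scheme = '';
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        $scheme = strtolower($m[1]);
    }
    // Relative URLs (no scheme) pass; anything with a scheme must be on the list.
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return null;            // refuse; the caller decides how to report it
    }
    return forHtml($url);
}

// Constructed stored value: nothing a keyword filter would object to, yet it
// means something different in each of the four contexts below.
$stored = 'O\'Reilly & "Sons" </b>';

echo '<p>' . forHtml($stored) . '</p>', PHP_EOL;
echo '<input value="' . forHtml($stored) . '">', PHP_EOL;
echo '<script>var n = ' . forJsLiteral($stored) . ';</script>', PHP_EOL;
echo '<a href="/search?q=' . forUrlParam($stored) . '">search</a>', PHP_EOL;

var_dump(safeHref('https://example.com/?a=1&b=2'));   // string: escaped URL
var_dump(safeHref("java\tscript:alert(1)"));           // NULL
```

Running xss_clean() at submission time and encoding at output time are complementary: the filter reduces what reaches storage, the encoder guarantees that whatever did reach storage cannot change the structure of the page it is written into.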

XSS Hash

xss_hash() : string
static

Generates the XSS hash if needed and returns it.

see \CI_Security::$_xss_hash

Response

string

XSS hash

Properties

Character set

charset : string
static

Will be overridden by the constructor.

var

Type(s)

string

XSS Hash

_xss_hash : string
static

Random Hash for protecting URLs.

var

Type(s)

string

List of never allowed strings

_never_allowed_str : array
static
var

Type(s)

array

List of never allowed regex replacements

_never_allowed_regex : array
static
var

Type(s)

array