define: BASE = "../../.."
package: Subsystems
_compact_exploded_words(array $matches) : string
Callback method for xss_clean() to remove whitespace from things like 'j a v a s c r i p t'.
Used by: CI_Security::xss_clean()
Parameters: array $matches
Returns: string
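As an added example (this is not CodeIgniter's implementation of _compact_exploded_words(), whose keyword list is not shown on this page), the following PHP shows how a callback of this shape collapses exploded keywords while keeping the delimiter that follows them. The function name and the keyword list are this example's own assumptions.

```php
<?php
// Added example, not CodeIgniter's code: collapse "exploded" keywords such as
// "j a v a s c r i p t" the way a callback like _compact_exploded_words() would.
// The keyword list below is an assumption for illustration only.
function compact_exploded_words_example(string $str): string
{
    $keywords = ['javascript', 'expression', 'vbscript', 'script', 'alert'];

    // Build "j\s*a\s*v\s*a..." for each keyword so any whitespace between the
    // letters is tolerated; the trailing (\W) captures the delimiter after it.
    $alternatives = array_map(
        fn(string $w) => implode('\s*', str_split($w)),
        $keywords
    );
    $pattern = '/(' . implode('|', $alternatives) . ')(\W)/is';

    return preg_replace_callback($pattern, function (array $m): string {
        // $m[1] is the exploded keyword, $m[2] the non-word character after it.
        return preg_replace('/\s+/s', '', $m[1]) . $m[2];
    }, $str);
}

// Constructed input: the scheme is exploded so a naive "javascript:" check misses it.
echo compact_exploded_words_example('<a href="j a v a s c r i p t:alert(1)">x</a>'), PHP_EOL;
```

Because the pattern requires a non-word character after the keyword, a word such as "scripting" in ordinary prose is left alone; the delimiter is captured and re-emitted so the surrounding markup is not damaged.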
_convert_attribute(array $match) : string
Used by: CI_Security::xss_clean()
Parameters: array $match
Returns: string
_decode_entity(array $match) : string
Used by: CI_Security::xss_clean()
Parameters: array $match
Returns: string
_do_never_allowed( $str) : string
Used by: CI_Security::xss_clean()
Parameters: $str
Returns: string
_filter_attributes(string $str) : string
Filters tag attributes for consistency and safety.
Used by: CI_Security::_js_img_removal(), CI_Security::_js_link_removal()
Parameters: string $str
Returns: string
_js_img_removal(array $match) : string
Callback method for xss_clean() to sanitize image tags.
Doing the work per tag in a callback limits the PCRE backtracking, which is more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings. That matters for a filter: when PCRE hits the limit, preg_replace_callback() returns NULL instead of the partially filtered string, so a caller that did not guard against it would lose the input entirely.
Used by: CI_Security::xss_clean()
Parameters: array $match
Returns: string
_js_link_removal(array $match) : string
Callback method for xss_clean() to sanitize links.
Doing the work per tag in a callback limits the PCRE backtracking, which is more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.
Used by: CI_Security::xss_clean()
Parameters: array $match
Returns: string
_sanitize_naughty_html(array $matches) : string
Callback method for xss_clean() to remove naughty HTML elements.
Used by: CI_Security::xss_clean()
Parameters: array $matches
Returns: string
balance_closure( $val, $closure = "'") : boolean
Returns: boolean
check_javascript( $val, $string_only = false, $object_only = false) : string
Returns: string
convertSmartQuotes(string $str) : string
Parameters: string $str
Returns: string
convertUTF(string $string) : string
Static
Parameters: string $string
Returns: string
convertXMLFeedSafeChar(string $str) : string
Static
Parameters: string $str
Returns: string
entity_decode(string $str, string $charset = NULL) : string
A replacement for html_entity_decode().
html_entity_decode() is not used on its own because it only converts entities that end with a semicolon, while most browsers will still interpret an entity that omits the semicolon, even though that is technically incorrect. A filter that relied on html_entity_decode() alone would therefore never see the markup behind forms like "&lt" or "&#60" that a browser still renders, so this method handles that case itself.
Parameters: string $str (Input), string $charset (Character set)
Returns: string
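As an added example (not CodeIgniter's entity_decode(), whose exact rules are not shown on this page), the following PHP shows one way to get browser-like decoding out of html_entity_decode(): repair numeric references that lack the semicolon, apply the browser's longest-prefix rule for the legacy named entities that render without one, then decode. The function name, the helper constant and its deliberately short legacy list are this example's own assumptions; the inputs at the bottom are constructed.

```php
<?php
// Added example, not CodeIgniter's code: a lenient decoder that repairs entities
// missing their trailing ';' before handing them to html_entity_decode().
// LEGACY_NO_SEMICOLON is a short, illustrative subset of the HTML spec's
// "no semicolon required" names, not the complete list.
const LEGACY_NO_SEMICOLON = [
    'lt' => true, 'gt' => true, 'amp' => true, 'quot' => true,
    'nbsp' => true, 'copy' => true, 'reg' => true, 'not' => true,
];

function lenient_entity_decode(string $str, string $charset = 'UTF-8'): string
{
    // Names html_entity_decode() understands, e.g. "&lt;" -> "lt".
    static $known = null;
    if ($known === null) {
        $known = [];
        foreach (get_html_translation_table(HTML_ENTITIES, ENT_QUOTES | ENT_HTML5, 'UTF-8') as $entity) {
            $known[substr($entity, 1, -1)] = true;
        }
    }

    // Numeric references: "&#60" and "&#x3c" render like "&#60;" / "&#x3c;".
    // The optional ';' is consumed and re-emitted so correct input is untouched.
    $str = preg_replace('/&#(x[0-9a-f]+|\d+);?/i', '&#$1;', $str);

    // Named references. A well-formed, known entity is left alone. Otherwise the
    // browser rule applies: the longest prefix that is a legacy name is decoded
    // even without ';' ("&ltscript" -> "<script", "&notin" -> "¬in").
    $str = preg_replace_callback('/&([a-zA-Z][a-zA-Z0-9]*)(;?)/', function (array $m) use ($known): string {
        [$whole, $name, $semi] = $m;
        if ($semi === ';' && isset($known[$name])) {
            return $whole;
        }
        for ($len = strlen($name); $len > 0; $len--) {
            $prefix = substr($name, 0, $len);
            if (array_key_exists($prefix, LEGACY_NO_SEMICOLON)) {
                return '&' . $prefix . ';' . substr($name, $len) . $semi;
            }
        }
        return $whole;   // unknown name: leave it, a browser would not render it either
    }, $str);

    return html_entity_decode($str, ENT_QUOTES | ENT_HTML5, $charset);
}

// Constructed inputs; the first two are left unchanged by html_entity_decode() alone.
foreach (['&ltscript&gt', '&#x3cimg src=x onerror=alert(1)&#62', '&lt;safe&gt;'] as $in) {
    printf("%-40s => %s\n", $in, lenient_entity_decode($in));
}
```

Two caveats a filter author should keep in mind: this decodes one layer only, so it has to run before any keyword matching and again if the application decodes the data a second time later; and inside attribute values browsers skip the legacy no-semicolon rule when the name is followed by an alphanumeric or "=", so a filter that always applies the text-content rule decodes slightly more than a browser would in that position, which is the safe direction for a filter to err in.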
escape( $value)
get_random_bytes(integer $length) : string
Throws: (unspecified)
Parameters: integer $length (Output length)
Returns: string
html2text( $val) : mixed
Returns: mixed
onlyReadables(string $string) : string
Static
Parameters: string $string
Returns: string
outputField( $val, $eof = ',', $isHTML = false)
parseAndTrim(string $str, boolean $unescape = false) : mixed|string
Static
Parameters: string $str, boolean $unescape (should the string also be unescaped?)
Returns: mixed|string
parseAndTrimExport( $str, $isHTML = false)
parseAndTrimImport( $str, $isHTML = false)
remove_invisible_characters( $str, $url_encoded = TRUE) : string
Removes invisible (non-printable) characters and, by default, their URL-encoded forms as well. This prevents sandwiching null characters between ASCII characters, like Java\0script, to slip a keyword past a pattern match.
Returns: string
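As an added example (not CodeIgniter's remove_invisible_characters(), whose exact character set is not shown on this page), the following PHP shows the two things such a filter needs: a pattern for the raw control bytes plus one for their URL-encoded forms, and a loop, because removing one occurrence can expose another. The function name and the choice of which characters to keep are this example's own assumptions; the inputs at the bottom are constructed.

```php
<?php
// Added example, not CodeIgniter's code: strip ASCII control characters and,
// optionally, their URL-encoded forms, repeating until nothing is left to strip.
// The character set is this example's choice: tab, LF and CR are kept, every
// other byte below 0x20 plus DEL (0x7F) is removed.
function remove_invisible_example(string $str, bool $url_encoded = true): string
{
    $patterns = ['/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/'];
    if ($url_encoded) {
        $patterns[] = '/%0[0-8bcef]/i';   // %00-%08, %0b, %0c, %0e, %0f
        $patterns[] = '/%1[0-9a-f]/i';    // %10-%1f
    }

    // Loop: removing "%00" from "%%0000" leaves "%00", which must go as well.
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count);

    return $str;
}

// Constructed inputs. "Java\0script" carries a real NUL byte; the last one
// shows that tab and newline survive.
foreach (["Java\0script", 'Java%00script', 'Java%%0000script', "a\tb\nc"] as $in) {
    echo addcslashes($in, "\0..\37") . ' => ' . remove_invisible_example($in) . PHP_EOL;
}
```

The URL-encoded patterns only catch one level of encoding: "%2500" becomes "%00" only after the application URL-decodes the value, so this step belongs after whatever decoding the request pipeline already performs, not before it.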
sanitize( &$data) : string|array
Static
Parameters: string|array $data
Returns: string|array
stripLineEndings( $val)
summarize( $string, string $strtype = 'html', string $type = 'para', string $more = '...') : string
Parameters: $string, string $strtype = 'html', string $type = 'para', string $more = '...'
Returns: string
validUTF(string $string) : boolean
Static
Parameters: string $string
Returns: boolean
xss_clean(string|array<mixed,string> $str, boolean $is_image = FALSE) : string
Sanitizes data so that cross-site scripting (XSS) attacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.
Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing. Treat it as defence in depth on input: data still needs context-appropriate escaping at the point where it is rendered.
Link: Based in part on some code and ideas from Bitflux. To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs.
Parameters: string|array<mixed,string> $str (Input data), boolean $is_image = FALSE (Whether the input is an image)
Returns: string
xss_hash() : string
Generates the XSS hash if needed and returns it.
See: \CI_Security::$_xss_hash
Returns: string (XSS hash)
charset : string
Will be overridden by the constructor.
_xss_hash : string
Random hash for protecting URLs.
_never_allowed_str : array
_never_allowed_regex : array