Exponent v2.7.2

expString
in package

This is the class expString

Tags
subpackage

Subsystems

Table of Contents

$charset  : string
Character set
$_never_allowed_regex  : array<string|int, mixed>
List of never allowed regex replacements
$_never_allowed_str  : array<string|int, mixed>
List of never allowed strings
$_xss_hash  : string
XSS Hash
check_javascript()  : string
Check a javascript value to ensure it is a string, array or object; attempts to prevent javascript crashes caused by outputting incorrect code values
convertSmartQuotes()  : string
Routine to convert any smart quotes into normal quotes
convertUTF()  : string
Routine to convert string to UTF
convertXMLFeedSafeChar()  : string
Routine to convert string to an XML safe string
escape()  : mixed
html2text()  : mixed
Convert email HTML content to text: remove scripts, styles and tags, and convert <br> to newlines
onlyReadables()  : string
Routine to strip unreadable characters from a string, keeping only ASCII 32 to 126
outputField()  : mixed
parseAndTrim()  : mixed|string
Routine to
parseAndTrimExport()  : mixed
parseAndTrimImport()  : mixed
sanitize()  : string|array<string|int, mixed>
Scrub input string for possible security issues.
strip_tags_content()  : mixed
Enhanced variation of strip_tags with 'invert' option to remove specific tags
stripLineEndings()  : mixed
summarize()  : string
Summarize or shorten a long string
validUTF()  : bool
Routine to check whether a string is a valid UTF string
_compact_exploded_words()  : string
Compact Exploded Words
_convert_attribute()  : string
Attribute Conversion
_decode_entity()  : string
HTML Entity Decode Callback
_filter_attributes()  : string
Filter Attributes
_js_img_removal()  : string
JS Image Removal
_js_link_removal()  : string
JS Link Removal
_sanitize_naughty_html()  : string
Sanitize Naughty HTML
_do_never_allowed()  : string
Do Never Allowed
balance_closure()  : bool
ensure a javascript value is enclosed properly
entity_decode()  : string
HTML Entities Decode
get_random_bytes()  : string
Get random bytes
remove_invisible_characters()  : string
Remove Invisible Characters
xss_clean()  : string
XSS Clean
xss_hash()  : string
XSS Hash

Properties

$charset

Character set

public static string $charset = 'UTF-8'

Will be overridden by the constructor.

$_never_allowed_regex

List of never allowed regex replacements

protected static array<string|int, mixed> $_never_allowed_regex = array(
    'javascript\\s*:',
    '(document|(document\\.)?window)\\.(location|on\\w*)',
    'expression\\s*(\\(|&\\#40;)', // CSS and IE
    'vbscript\\s*:', // IE, surprise!
    'wscript\\s*:', // IE
    'jscript\\s*:', // IE
    'vbs\\s*:', // IE
    'Redirect\\s+30\\d',
    "([\"'])?data\\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?",
)

$_never_allowed_str

List of never allowed strings

protected static array<string|int, mixed> $_never_allowed_str = array(
    'document.cookie' => '[removed]',
    'document.write' => '[removed]',
    '.parentNode' => '[removed]',
    '.innerHTML' => '[removed]',
    '-moz-binding' => '[removed]',
    '<!--' => '&lt;!--',
    '-->' => '--&gt;',
    '<![CDATA[' => '&lt;![CDATA[',
    '<comment>' => '&lt;comment&gt;',
)

$_xss_hash

XSS Hash

protected static string $_xss_hash

Random Hash for protecting URLs.

Methods

check_javascript()

Check a javascript value to ensure it is a string, array or object; attempts to prevent javascript crashes caused by outputting incorrect code values

public static check_javascript( $val[,  $string_only = false ][,  $object_only = false ]) : string
Parameters
$val :
$string_only : = false
$object_only : = false
Return values
string

convertSmartQuotes()

Routine to convert any smart quotes into normal quotes

public static convertSmartQuotes(string $str) : string
Parameters
$str : string
Return values
string

convertUTF()

Routine to convert string to UTF

public static convertUTF(string $string) : string
Parameters
$string : string
Tags
static
Return values
string

convertXMLFeedSafeChar()

Routine to convert string to an XML safe string

public static convertXMLFeedSafeChar(string $str) : string
Parameters
$str : string
Tags
static
Return values
string

escape()

public static escape(mixed $value[, mixed $force = null ]) : mixed
Parameters
$value : mixed
$force : mixed = null
Return values
mixed

html2text()

Convert email HTML content to text: remove scripts, styles and tags, and convert <br> to newlines

public static html2text( $val) : mixed
Parameters
$val :
Return values
mixed

onlyReadables()

Routine to strip unreadable characters from a string, keeping only ASCII 32 to 126

public static onlyReadables(string $string) : string
Parameters
$string : string
Tags
static
Return values
string

outputField()

public static outputField(mixed $val[, mixed $eof = ',' ][, mixed $isHTML = false ]) : mixed
Parameters
$val : mixed
$eof : mixed = ','
$isHTML : mixed = false
Return values
mixed

parseAndTrim()

Routine to

public static parseAndTrim(string|array<string|int, mixed> $str[, bool $unescape = false ]) : mixed|string
Parameters
$str : string|array<string|int, mixed>
$unescape : bool = false

should the string also be unescaped?

Tags
static
Return values
mixed|string

parseAndTrimExport()

public static parseAndTrimExport(mixed $str[, mixed $isHTML = false ]) : mixed
Parameters
$str : mixed
$isHTML : mixed = false
Return values
mixed

parseAndTrimImport()

public static parseAndTrimImport(mixed $str[, mixed $isHTML = false ]) : mixed
Parameters
$str : mixed
$isHTML : mixed = false
Return values
mixed

sanitize()

Scrub input string for possible security issues.

public static sanitize( &$data) : string|array<string|int, mixed>
Parameters
$data :

string|array

Tags
static
Return values
string|array<string|int, mixed>

strip_tags_content()

Enhanced variation of strip_tags with 'invert' option to remove specific tags

public static strip_tags_content( $text[, string $tags = '' ][, bool $invert = false ]) : mixed
Parameters
$text :
$tags : string = ''
$invert : bool = false
Return values
mixed

stripLineEndings()

public static stripLineEndings(mixed $val) : mixed
Parameters
$val : mixed
Return values
mixed

summarize()

Summarize or shorten a long string

public static summarize( $string[, string $strtype = 'html' ][, string|int $type = 'para' ][, string $more = '...' ]) : string
Parameters
$string :
$strtype : string = 'html'

type of string being passed html or non-html

$type : string|int = 'para'

type of summary to create or number of words to return

$more : string = '...'

text to indicate we summarized the string and more is available

Return values
string

validUTF()

Routine to check whether a string is a valid UTF string

public static validUTF(string $string) : bool
Parameters
$string : string
Tags
static
Return values
bool

_compact_exploded_words()

Compact Exploded Words

protected static _compact_exploded_words(array<string|int, mixed> $matches) : string

Callback method for xss_clean() to remove whitespace from things like 'j a v a s c r i p t'.

Parameters
$matches : array<string|int, mixed>
Tags
used-by

CI_Security::xss_clean()

Return values
string

_convert_attribute()

Attribute Conversion

protected static _convert_attribute(array<string|int, mixed> $match) : string
Parameters
$match : array<string|int, mixed>
Tags
used-by

CI_Security::xss_clean()

Return values
string

_decode_entity()

HTML Entity Decode Callback

protected static _decode_entity(array<string|int, mixed> $match) : string
Parameters
$match : array<string|int, mixed>
Tags
used-by

CI_Security::xss_clean()

Return values
string

_filter_attributes()

Filter Attributes

protected static _filter_attributes(string $str) : string

Filters tag attributes for consistency and safety.

Parameters
$str : string
Tags
used-by

CI_Security::_js_img_removal()

used-by

CI_Security::_js_link_removal()

Return values
string

_js_img_removal()

JS Image Removal

protected static _js_img_removal(array<string|int, mixed> $match) : string

Callback method for xss_clean() to sanitize image tags.

This limits PCRE backtracking, making it more performance-friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings.

Parameters
$match : array<string|int, mixed>
Tags
used-by

CI_Security::xss_clean()

Return values
string

_js_link_removal()

JS Link Removal

protected static _js_link_removal(array<string|int, mixed> $match) : string

Callback method for xss_clean() to sanitize links.

This limits PCRE backtracking, making it more performance-friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.

Parameters
$match : array<string|int, mixed>
Tags
used-by

CI_Security::xss_clean()

Return values
string

_sanitize_naughty_html()

Sanitize Naughty HTML

protected static _sanitize_naughty_html(array<string|int, mixed> $matches) : string

Callback method for xss_clean() to remove naughty HTML elements.

Parameters
$matches : array<string|int, mixed>
Tags
used-by

CI_Security::xss_clean()

Return values
string

_do_never_allowed()

Do Never Allowed

private static _do_never_allowed(mixed $str) : string
Parameters
$str : mixed
Tags
used-by

CI_Security::xss_clean()

Return values
string
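An added example (not Exponent's or CodeIgniter's own code) that applies the two "never allowed" lists documented on this page, in the order this example chooses (literal strings first, then the case-insensitive regexes), to a constructed sample so you can see what is left for the rest of the filter.

```php
<?php
// Added example, not Exponent's own code: copies of $_never_allowed_str and
// $_never_allowed_regex from this page, applied the way a _do_never_allowed()
// step would apply them. The sample input is constructed.

$neverAllowedStr = array(
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    '.parentNode'     => '[removed]',
    '.innerHTML'      => '[removed]',
    '-moz-binding'    => '[removed]',
    '<!--'            => '&lt;!--',
    '-->'             => '--&gt;',
    '<![CDATA['       => '&lt;![CDATA[',
    '<comment>'       => '&lt;comment&gt;',
);
$neverAllowedRegex = array(
    'javascript\s*:',
    '(document|(document\.)?window)\.(location|on\w*)',
    'expression\s*(\(|&\#40;)',
    'vbscript\s*:',
    'wscript\s*:',
    'jscript\s*:',
    'vbs\s*:',
    'Redirect\s+30\d',
    '(["\'])?data\s*:[^\1]*?base64[^\1]*?,[^\1]*?\1?',
);

function do_never_allowed($str, array $strs, array $regexes)
{
    // Exact substrings are replaced verbatim (case-sensitive).
    $str = str_replace(array_keys($strs), array_values($strs), $str);
    // Each regex is wrapped in # delimiters with the i and s modifiers, so
    // "JavaScript :" (mixed case, space before the colon) is still caught.
    foreach ($regexes as $regex) {
        $str = preg_replace('#' . $regex . '#is', '[removed]', $str);
    }
    return $str;
}

$sample = '<a href="JavaScript :alert(document.cookie)">x</a><!-- note -->';
echo do_never_allowed($sample, $neverAllowedStr, $neverAllowedRegex), "\n";
```

Note that the string list runs first, so document.cookie is already [removed] before the window/document regex is tried; the comment markers are entity-encoded rather than deleted.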

balance_closure()

ensure a javascript value is enclosed properly

private static balance_closure( $val[,  $closure = "'" ]) : bool
Parameters
$val :
$closure : = "'"
Return values
bool

entity_decode()

HTML Entities Decode

private static entity_decode(string $str[, string $charset = NULL ]) : string

A replacement for html_entity_decode()

The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

Parameters
$str : string

Input

$charset : string = NULL

Character set

Tags
link
http://php.net/html-entity-decode
Return values
string
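A lenient decoder in the spirit of entity_decode(), added here as an example (not Exponent's or CodeIgniter's code): it inserts the missing ';' before calling html_entity_decode(), so entities that browsers honour without a semicolon are normalised before filtering. The set of named entities handled (lt, gt, amp, quot) is this example's choice.

```php
<?php
// Added example, not Exponent's own code. html_entity_decode() ignores
// entities that lack the trailing ';', while browsers still honour them, so
// a filter relying on it alone would see "&#106avascript:" as inert text.

function decode_entities_lenient($str, $charset = 'UTF-8')
{
    if (strpos($str, '&') === false) {
        return $str;                       // nothing to decode
    }
    do {
        $before = $str;
        // Decimal &#106 and hex &#x6A without ';': insert the ';'.
        // The negative lookahead avoids cutting a longer entity short.
        $str = preg_replace('~(&#[0-9]{2,5})(?![0-9;])~', '$1;', $str);
        $str = preg_replace('~(&#x[0-9a-f]{2,5})(?![0-9a-f;])~i', '$1;', $str);
        // A few named entities that matter for markup, same treatment
        // (this example's selection, not an exhaustive list).
        $str = preg_replace('~(&(?:lt|gt|amp|quot))(?![a-z;])~i', '$1;', $str);
        $str = html_entity_decode($str, ENT_QUOTES, $charset);
        // Repeat while decoding keeps producing new entities (&amp;#x41 -> &#x41).
    } while ($str !== $before);
    return $str;
}

$sample = '<a href="&#106avascript:x">&lt;b&gt; &amp;#x41 done</a>';
echo decode_entities_lenient($sample), "\n";
```

The loop decodes nested encodings such as &amp;#x41 all the way down to A, which is more than a browser would render; that is deliberate for a filter that must see the worst case, not for output meant for display.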

get_random_bytes()

Get random bytes

private static get_random_bytes(int $length) : string
Parameters
$length : int

Output length

Tags
throws
Exception
Return values
string

remove_invisible_characters()

Remove Invisible Characters

private static remove_invisible_characters(mixed $str[, mixed $url_encoded = TRUE ]) : string

This prevents sandwiching null characters between ascii characters, like Java\0script.

Parameters
$str : mixed
$url_encoded : mixed = TRUE
Return values
string
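An added example (not Exponent's or CodeIgniter's own code) of the stripping remove_invisible_characters() describes, run over a raw NUL, its %00 URL-encoded form and ordinary whitespace; the case-insensitive %XX match and the exact byte ranges are this example's choices.

```php
<?php
// Added example, not Exponent's own code: removes control characters both raw
// and (optionally) in %XX URL-encoded form, so "Java\0script" cannot slip
// past a later keyword check. Samples are constructed.

function strip_invisible($str, $url_encoded = true)
{
    $patterns = array();
    if ($url_encoded) {
        $patterns[] = '/%0[0-8bcef]/i';   // %00-%08, %0B, %0C, %0E, %0F
        $patterns[] = '/%1[0-9a-f]/i';    // %10-%1F
    }
    // Raw bytes 0-8, 11, 12, 14-31 and 127; tab, LF and CR are kept.
    $patterns[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/';

    // Repeat until nothing changes: removing one sequence can expose another
    // (e.g. "%0%000" -> "%00" -> "").
    do {
        $str = preg_replace($patterns, '', $str, -1, $count);
    } while ($count > 0);
    return $str;
}

$samples = array(
    "Java\0script",              // raw NUL in the middle of a keyword
    'Java%00script',             // same thing, URL-encoded
    'Java%0%000script',          // needs the second pass
    "line1\r\nline2\tdone",      // whitespace that must survive
);
foreach ($samples as $s) {
    echo bin2hex($s), ' -> ', strip_invisible($s), "\n";
}
```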

xss_clean()

XSS Clean

private static xss_clean(string|array<string|int, string> $str[, bool $is_image = FALSE ]) : string

Sanitizes data so that Cross Site Scripting hacks can be prevented. This method does a fair amount of work, but it is extremely thorough and designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

Parameters
$str : string|array<string|int, string>

Input data

$is_image : bool = FALSE

Whether the input is an image

Tags
link

Based in part on some code and ideas from Bitflux.

link

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs.

Return values
string

xss_hash()

XSS Hash

private static xss_hash() : string

Generates the XSS hash if needed and returns it.

Tags
see
CI_Security::$_xss_hash
Return values
string

XSS hash
