Skip to content

CI_Security

Jump to bottom
Mathieu Nayrolles edited this page Jan 20, 2016 · 1 revision

CI_Security

Security Class

  • Class name: CI_Security
  • Namespace:

Properties

$filename_bad_chars

public array $filename_bad_chars = array('../', '<!--', '-->', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', '%20', '%22', '%3c', '%253c', '%3e', '%0e', '%28', '%29', '%2528', '%26', '%24', '%3f', '%3b', '%3d')

List of sanitize filename strings

  • Visibility: public

$charset

public string $charset = 'UTF-8'

Character set

Will be overridden by the constructor.

  • Visibility: public

$_xss_hash

protected string $_xss_hash

XSS Hash

Random Hash for protecting URLs.

  • Visibility: protected

$_csrf_hash

protected string $_csrf_hash

CSRF Hash

Random hash for Cross Site Request Forgery protection cookie

  • Visibility: protected

$_csrf_expire

protected integer $_csrf_expire = 7200

CSRF Expire time

Expiration time for Cross Site Request Forgery protection cookie. Defaults to two hours (in seconds).

  • Visibility: protected

$_csrf_token_name

protected string $_csrf_token_name = 'ci_csrf_token'

CSRF Token name

Token name for Cross Site Request Forgery protection cookie.

  • Visibility: protected

$_csrf_cookie_name

protected string $_csrf_cookie_name = 'ci_csrf_token'

CSRF Cookie name

Cookie name for Cross Site Request Forgery protection cookie.

  • Visibility: protected

$_never_allowed_str

protected array $_never_allowed_str = array('document.cookie' => '[removed]', 'document.write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', '-moz-binding' => '[removed]', '<!--' => '&lt;!--', '-->' => '--&gt;', '<![CDATA[' => '&lt;![CDATA[', '<comment>' => '&lt;comment&gt;')

List of never allowed strings

  • Visibility: protected

$_never_allowed_regex

protected array $_never_allowed_regex = array('javascript\s*:', '(document|(document\.)?window)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', 'vbscript\s*:', 'wscript\s*:', 'jscript\s*:', 'vbs\s*:', 'Redirect\s+30\d', "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?")

List of never allowed regex replacements

  • Visibility: protected

Methods

__construct

void CI_Security::__construct()

Class constructor

  • Visibility: public

csrf_verify

\CI_Security CI_Security::csrf_verify()

CSRF Verify

  • Visibility: public

csrf_set_cookie

\CI_Security CI_Security::csrf_set_cookie()

CSRF Set Cookie

  • Visibility: public

csrf_show_error

void CI_Security::csrf_show_error()

Show CSRF Error

  • Visibility: public

get_csrf_hash

string CI_Security::get_csrf_hash()

Get CSRF Hash

  • Visibility: public

get_csrf_token_name

string CI_Security::get_csrf_token_name()

Get CSRF Token Name

  • Visibility: public

xss_clean

string CI_Security::xss_clean(string|array<mixed,string> $str, boolean $is_image)

XSS Clean

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter.

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

  • Visibility: public

Arguments

  • $str string|array<mixed,string> - <p>Input data</p>
  • $is_image boolean - <p>Whether the input is an image</p>

xss_hash

string CI_Security::xss_hash()

XSS Hash

Generates the XSS hash if needed and returns it.

  • Visibility: public

get_random_bytes

string CI_Security::get_random_bytes(integer $length)

Get random bytes

  • Visibility: public

Arguments

  • $length integer - <p>Output length</p>

entity_decode

string CI_Security::entity_decode(string $str, string $charset)

HTML Entities Decode

A replacement for html_entity_decode()

The reason we are not using html_entity_decode() by itself is because while it is not technically correct to leave out the semicolon at the end of an entity most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

  • Visibility: public

Arguments

  • $str string - <p>Input</p>
  • $charset string - <p>Character set</p>

sanitize_filename

string CI_Security::sanitize_filename(string $str, boolean $relative_path)

Sanitize Filename

  • Visibility: public

Arguments

  • $str string - <p>Input file name</p>
  • $relative_path boolean - <p>Whether to preserve paths</p>

strip_image_tags

string CI_Security::strip_image_tags(string $str)

Strip Image Tags

  • Visibility: public

Arguments

  • $str string

_compact_exploded_words

string CI_Security::_compact_exploded_words(array $matches)

Compact Exploded Words

Callback method for xss_clean() to remove whitespace from things like 'j a v a s c r i p t'.

  • Visibility: protected

Arguments

  • $matches array

_remove_evil_attributes

string CI_Security::_remove_evil_attributes(string $str, boolean $is_image)

Remove Evil HTML Attributes (like event handlers and style)

It removes the evil attribute and either:

  • Everything up until a space. For example, everything between the pipes:
  • Everything inside the quotes. For example, everything between the pipes:
  • Visibility: protected

Arguments

  • $str string - <p>The string to check</p>
  • $is_image boolean - <p>Whether the input is an image</p>

_sanitize_naughty_html

string CI_Security::_sanitize_naughty_html(array $matches)

Sanitize Naughty HTML

Callback method for xss_clean() to remove naughty HTML elements.

  • Visibility: protected

Arguments

  • $matches array

_js_link_removal

string CI_Security::_js_link_removal(array $match)

JS Link Removal

Callback method for xss_clean() to sanitize links.

This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.

  • Visibility: protected

Arguments

  • $match array

_js_img_removal

string CI_Security::_js_img_removal(array $match)

JS Image Removal

Callback method for xss_clean() to sanitize image tags.

This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings.

  • Visibility: protected

Arguments

  • $match array

_convert_attribute

string CI_Security::_convert_attribute(array $match)

Attribute Conversion

  • Visibility: protected

Arguments

  • $match array

_filter_attributes

string CI_Security::_filter_attributes(string $str)

Filter Attributes

Filters tag attributes for consistency and safety.

  • Visibility: protected

Arguments

  • $str string

_decode_entity

string CI_Security::_decode_entity(array $match)

HTML Entity Decode Callback

  • Visibility: protected

Arguments

  • $match array

_do_never_allowed

string CI_Security::_do_never_allowed($str)

Do Never Allowed

  • Visibility: protected

Arguments

  • $str mixed

_csrf_set_hash

string CI_Security::_csrf_set_hash()

Set CSRF Hash and Cookie

  • Visibility: protected
Clone this wiki locally