CI_Security
===============

Security Class

* Class name: CI_Security
* Namespace: 

Properties
----------

### $filename_bad_chars

    public array $filename_bad_chars = array('../', '', '<', '>', "'", '"', '&', '$', '#', '{', '}', '[', ']', '=', ';', '?', '%20', '%22', '%3c', '%253c', '%3e', '%0e', '%28', '%29', '%2528', '%26', '%24', '%3f', '%3b', '%3d')

List of sanitize filename strings

* Visibility: **public**

### $charset

    public string $charset = 'UTF-8'

Character set

Will be overridden by the constructor.

* Visibility: **public**

### $_xss_hash

    protected string $_xss_hash

XSS Hash

Random Hash for protecting URLs.

* Visibility: **protected**

### $_csrf_hash

    protected string $_csrf_hash

CSRF Hash

Random hash for Cross Site Request Forgery protection cookie

* Visibility: **protected**

### $_csrf_expire

    protected integer $_csrf_expire = 7200

CSRF Expire time

Expiration time for Cross Site Request Forgery protection cookie. Defaults to two hours (in seconds).

* Visibility: **protected**

### $_csrf_token_name

    protected string $_csrf_token_name = 'ci_csrf_token'

CSRF Token name

Token name for Cross Site Request Forgery protection cookie.

* Visibility: **protected**

### $_csrf_cookie_name

    protected string $_csrf_cookie_name = 'ci_csrf_token'

CSRF Cookie name

Cookie name for Cross Site Request Forgery protection cookie.

* Visibility: **protected**

### $_never_allowed_str

    protected array $_never_allowed_str = array('document.cookie' => '[removed]', 'document.write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', '-moz-binding' => '[removed]', '' => '-->', ' '<![CDATA[', '' => '<comment>')

List of never allowed strings

* Visibility: **protected**

### $_never_allowed_regex

    protected array $_never_allowed_regex = array('javascript\s*:', '(document|(document\.)?window)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', 'vbscript\s*:', 'wscript\s*:', 'jscript\s*:', 'vbs\s*:', 'Redirect\s+30\d', "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?")

List of never allowed regex replacements

* Visibility: **protected**

Methods
-------

### __construct

    void CI_Security::__construct()

Class constructor

* Visibility: **public**

### csrf_verify

    \CI_Security CI_Security::csrf_verify()

CSRF Verify

* Visibility: **public**

### csrf_set_cookie

    \CI_Security CI_Security::csrf_set_cookie()

CSRF Set Cookie

* Visibility: **public**

### csrf_show_error

    void CI_Security::csrf_show_error()

Show CSRF Error

* Visibility: **public**

### get_csrf_hash

    string CI_Security::get_csrf_hash()

Get CSRF Hash

* Visibility: **public**

### get_csrf_token_name

    string CI_Security::get_csrf_token_name()

Get CSRF Token Name

* Visibility: **public**

### xss_clean

    string CI_Security::xss_clean(string|array $str, boolean $is_image)

XSS Clean

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

* Visibility: **public**

#### Arguments

* $str **string|array<mixed,string>** - Input data
* $is_image **boolean** - Whether the input is an image

### xss_hash

    string CI_Security::xss_hash()

XSS Hash

Generates the XSS hash if needed and returns it.

* Visibility: **public**

### get_random_bytes

    string CI_Security::get_random_bytes(integer $length)

Get random bytes

* Visibility: **public**

#### Arguments

* $length **integer** - Output length

### entity_decode

    string CI_Security::entity_decode(string $str, string $charset)

HTML Entities Decode

A replacement for html_entity_decode()

The reason we are not using html_entity_decode() by itself is because while it is not technically correct to leave out the semicolon at the end of an entity most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

* Visibility: **public**

#### Arguments

* $str **string** - Input
* $charset **string** - Character set

### sanitize_filename

    string CI_Security::sanitize_filename(string $str, boolean $relative_path)

Sanitize Filename

* Visibility: **public**

#### Arguments

* $str **string** - Input file name
* $relative_path **boolean** - Whether to preserve paths

### strip_image_tags

    string CI_Security::strip_image_tags(string $str)

Strip Image Tags

* Visibility: **public**

#### Arguments

* $str **string**

### _compact_exploded_words

    string CI_Security::_compact_exploded_words(array $matches)

Compact Exploded Words

Callback method for xss_clean() to remove whitespace from things like 'j a v a s c r i p t'.

* Visibility: **protected**

#### Arguments

* $matches **array**

### _remove_evil_attributes

    string CI_Security::_remove_evil_attributes(string $str, boolean $is_image)

Remove Evil HTML Attributes (like event handlers and style)

It removes the evil attribute and either:

- Everything up until a space.
For example, everything between the pipes:
- Everything inside the quotes. For example, everything between the pipes:

* Visibility: **protected**

#### Arguments

* $str **string** - The string to check
* $is_image **boolean** - Whether the input is an image

### _sanitize_naughty_html

    string CI_Security::_sanitize_naughty_html(array $matches)

Sanitize Naughty HTML

Callback method for xss_clean() to remove naughty HTML elements.

* Visibility: **protected**

#### Arguments

* $matches **array**

### _js_link_removal

    string CI_Security::_js_link_removal(array $match)

JS Link Removal

Callback method for xss_clean() to sanitize links. This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.

* Visibility: **protected**

#### Arguments

* $match **array**

### _js_img_removal

    string CI_Security::_js_img_removal(array $match)

JS Image Removal

Callback method for xss_clean() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings.

* Visibility: **protected**

#### Arguments

* $match **array**

### _convert_attribute

    string CI_Security::_convert_attribute(array $match)

Attribute Conversion

* Visibility: **protected**

#### Arguments

* $match **array**

### _filter_attributes

    string CI_Security::_filter_attributes(string $str)

Filter Attributes

Filters tag attributes for consistency and safety.

* Visibility: **protected**

#### Arguments

* $str **string**

### _decode_entity

    string CI_Security::_decode_entity(array $match)

HTML Entity Decode Callback

* Visibility: **protected**

#### Arguments

* $match **array**

### _do_never_allowed

    string CI_Security::_do_never_allowed($str)

Do Never Allowed

* Visibility: **protected**

#### Arguments

* $str **mixed**

### _csrf_set_hash

    string CI_Security::_csrf_set_hash()

Set CSRF Hash and Cookie

* Visibility: **protected**
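
The entity_decode() description above says html_entity_decode() skips entities that lack a trailing semicolon. The following added example (not CodeIgniter's own code) shows why that matters for a pattern filter such as the `javascript\s*:` entry in `$_never_allowed_regex`. The helper `decode_loose_entities()` and the sample input are hypothetical and constructed for illustration.

```php
<?php
// Added example; decode_loose_entities() is a hypothetical helper,
// not the implementation of CI_Security::entity_decode().

function decode_loose_entities(string $str, string $charset = 'UTF-8'): string
{
    // Terminate numeric entities that lack the trailing semicolon.
    // Decimal and hex are handled separately so "&#106a" is not read as hex.
    $str = preg_replace('/(&#[0-9]+)(?![0-9;])/', '$1;', $str);
    $str = preg_replace('/(&#x[0-9a-f]+)(?![0-9a-f;])/i', '$1;', $str);

    // Every numeric entity is now well-formed, so the built-in can decode it.
    return html_entity_decode($str, ENT_QUOTES | ENT_HTML5, $charset);
}

// Pattern taken from the $_never_allowed_regex list on this page.
const NEVER_ALLOWED = '/javascript\s*:/i';

// Constructed sample input: numeric entities written without semicolons.
$input = '<a href="&#106avascript&#58void(0)">link</a>';

$builtin = html_entity_decode($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$loose   = decode_loose_entities($input);

// Built-in decode alone: is the input unchanged, and does the filter match?
var_dump($builtin === $input);
var_dump(preg_match(NEVER_ALLOWED, $builtin) === 1);

// After normalizing the entities: decoded string and filter result.
var_dump($loose);
var_dump(preg_match(NEVER_ALLOWED, $loose) === 1);
```

The point for a defender is ordering: decoding has to be at least as lenient as the browser's before any deny-list pattern is applied, otherwise the filter and the browser see two different strings.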