Security Helper #213

Closed
8 tasks
lonnieezell opened this issue Aug 2, 2016 · 3 comments
Labels
new feature PRs for new features
Milestone

Comments

@lonnieezell
Member

This needs to be looked at in more detail, but is likely a port of the existing one, while removing xss_clean.

Development Checklist:

  • Component(s)
  • ... with PHPdocs
  • Unit testing
  • ... with >80% coverage
  • User guide updated
  • Classmap integration?
  • Securely signed commits
  • Conforms to style guide
@lonnieezell lonnieezell added the new feature PRs for new features label Aug 2, 2016
@lonnieezell lonnieezell added this to the Pre-Alpha 2 milestone Aug 2, 2016
@prezire
Contributor

prezire commented Aug 28, 2016

We seem to be missing a few methods in \CodeIgniter\Security\Security.php. Are these methods removed or moved somewhere?

  • getRandomBytes()
  • entityDecode() // ??
  • encodePHPTags() // ??
  • And the last one, xssClean(). This has a lot of features such as compactExplodedWords(), removeMaliciousAttributes(), sanitizeNaughtyHTML(), removeJSLink(), removeImageLink()

@lonnieezell
Member Author

The xss_clean functions are not being included since Zend/Escaper, which we ship with the framework, does a better, more thorough job of handling XSS protection. So some functions aren't included in that library because they were only used by the xss_clean functions.

  • get_random_bytes is not needed because PHP7 has a cryptographically secure version of it natively now, in random_bytes().
  • entity_decode seems redundant since it's primarily a copy of html_entity_decode.
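As an added illustration of the two replacements named in this comment (not CodeIgniter's own code), the following script escapes one untrusted string for four output contexts with Zend\Escaper and builds a CSRF-style token with random_bytes(); it assumes zendframework/zend-escaper is installed via Composer and PHP >= 7.0.

```php
<?php
// Added example, not part of the CodeIgniter 4 code base.
// Assumes: composer require zendframework/zend-escaper, PHP >= 7.0.
require 'vendor/autoload.php';

use Zend\Escaper\Escaper;

$escaper = new Escaper('utf-8');

// Constructed untrusted input, e.g. a form field. xss_clean() tried to strip
// "bad" substrings on the way in; with an escaper the raw value is kept and
// encoded for the specific context it is rendered into on the way out.
$userInput = '<img src=x onerror="alert(1)"> O\'Reilly & Sons';

// HTML body: <, >, &, and quotes become entities, so the tag is inert text.
echo '<p>' . $escaper->escapeHtml($userInput) . "</p>\n";

// HTML attribute: every non-alphanumeric byte is encoded; safe inside title="".
echo '<input title="' . $escaper->escapeHtmlAttr($userInput) . "\">\n";

// JavaScript string literal and URL query parameter each need their own
// encoding; a single input filter cannot be correct for all four contexts.
echo '<script>var name = "' . $escaper->escapeJs($userInput) . "\";</script>\n";
echo '<a href="/search?q=' . $escaper->escapeUrl($userInput) . "\">search</a>\n";

// get_random_bytes() replacement: random_bytes() is a CSPRNG in PHP 7.
// Typical use: a per-session CSRF token, compared in constant time on submit.
function generateCsrfToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes)); // 2 hex chars per byte
}

function csrfTokenMatches(string $expected, string $submitted): bool
{
    // hash_equals() avoids a timing side channel in the comparison.
    return hash_equals($expected, $submitted);
}

$token = generateCsrfToken();
var_dump(csrfTokenMatches($token, $token));
var_dump(csrfTokenMatches($token, str_repeat('0', 64)));
```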

@prezire
Contributor

prezire commented Aug 29, 2016

Nice. Thanks for the info.
