Class CI_Security - echiong/testRepo GitHub Wiki

## Class CI_Security

Security Class

Package: CodeIgniter\Libraries
Category: Security
Author: ExpressionEngine Dev Team
Link: http://codeigniter.com/user_guide/libraries/security.html
Located at system/core/Security.php

## Methods summary


public __construct ( )

Constructor


public object csrf_verify ( )

Verify Cross Site Request Forgery Protection

Returns object


public object csrf_set_cookie ( )

Set Cross Site Request Forgery Protection Cookie

Returns object


public csrf_show_error ( )

Show CSRF Error


public string get_csrf_hash ( )

Get CSRF Hash

Getter Method

Returns string
self::_csrf_hash


public string get_csrf_token_name ( )

Get CSRF Token Name

Getter Method

Returns string
self::csrf_token_name
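
The CSRF methods above work as a double-submit check: the hash is stored in a cookie and echoed back in a form field, and csrf_verify() compares the two on POST. The stand-alone model below is an added example, not CodeIgniter's own code; the CsrfDemo class and its method names are assumed for the demo, while the token name, cookie name and 7200 s expiry are the property defaults listed on this page.

```php
<?php
// Added example, not CodeIgniter's code: a stand-alone model of the
// csrf_set_cookie() / csrf_verify() double-submit flow. Token/cookie names
// and the 7200 s expiry are the property defaults listed on this page.
final class CsrfDemo
{
    private string $tokenName  = 'ci_csrf_token'; // $_csrf_token_name
    private string $cookieName = 'ci_csrf_token'; // $_csrf_cookie_name
    private int    $expire     = 7200;            // $_csrf_expire
    private string $hash       = '';
    // Like _csrf_set_hash(): keep a well-formed hash already in the cookie,
    // otherwise mint a fresh one (CSPRNG rather than md5(uniqid())).
    public function setHash(array $cookies): string
    {
        if ($this->hash === '') {
            $existing = (string) ($cookies[$this->cookieName] ?? '');
            $this->hash = preg_match('/^[0-9a-f]{32}$/i', $existing)
                ? $existing : bin2hex(random_bytes(16));
        }
        return $this->hash;
    }
    // Like csrf_set_cookie(), but returns the cookie parameters instead of
    // calling setcookie(), so the flow can be traced without a web server.
    public function cookieParams(int $now): array
    {
        return ['name' => $this->cookieName, 'value' => $this->hash,
                'expires' => $now + $this->expire, 'samesite' => 'Lax'];
    }
    // Like csrf_verify(): only POST is checked, and the POSTed field must
    // equal the cookie. hash_equals() replaces the plain comparison so the
    // check runs in constant time.
    public function verify(string $method, array $post, array $cookies): bool
    {
        if ($method !== 'POST') {
            return true; // nothing state-changing to protect
        }
        if (!isset($post[$this->tokenName], $cookies[$this->cookieName])) {
            return false; // missing field or cookie: reject, as csrf_show_error() would
        }
        return hash_equals((string) $cookies[$this->cookieName], (string) $post[$this->tokenName]);
    }
}

// Constructed walk-through: the first request mints a token and the form
// echoes it back; a cross-site post cannot read the cookie, so it fails.
$csrf  = new CsrfDemo();
$token = $csrf->setHash([]);
$jar   = [$csrf->cookieParams(time())['name'] => $token];
var_dump($csrf->verify('POST', ['ci_csrf_token' => $token], $jar));
var_dump($csrf->verify('POST', ['ci_csrf_token' => 'forged'], $jar));
```

The original class also regenerates the hash and re-sets the cookie after a successful verification; that rotation is omitted here to keep the comparison step in focus.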


public string xss_clean ( mixed $str, boolean $is_image = FALSE )

XSS Clean

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

This function was based in part on some code and ideas I got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: http://ha.ckers.org/xss.html

Parameters

$str mixed
string or array

$is_image boolean

Returns string


public string xss_hash ( )

Random Hash for protecting URLs

Returns string


public string entity_decode ( string $str, string $charset = 'UTF-8' )

HTML Entities Decode

This function is a replacement for html_entity_decode()

The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

Parameters

$str string

$charset string

Returns string
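
The gap described above can be seen directly: a numeric entity written without its semicolon survives html_entity_decode() unchanged, yet a browser renders it as the character. The decoder below is an added example, not CodeIgniter's code; decodeLikeBrowser() is an assumed helper name that follows the approach the method description gives, with a callback in place of the deprecated preg_replace() /e modifier.

```php
<?php
// Added example, not CodeIgniter's code: why entity_decode() exists.
// html_entity_decode() leaves semicolon-less numeric entities alone, while a
// browser still renders them, so a filter that runs before decoding sees a
// different string than the browser does. decodeLikeBrowser() is an assumed
// name; it follows the approach described above, using a callback instead of
// the deprecated preg_replace() /e modifier.
function decodeLikeBrowser(string $str, string $charset = 'UTF-8'): string
{
    if (strpos($str, '&') === false) {
        return $str; // nothing to decode
    }
    // Named and well-formed (semicolon-terminated) entities first.
    $str = html_entity_decode($str, ENT_QUOTES, $charset);
    // Hexadecimal numeric entities, with or without the trailing semicolon.
    $str = preg_replace_callback('/&#x(0*[0-9a-f]{2,5});?/i',
        fn ($m) => mb_chr((int) hexdec($m[1]), $charset), $str);
    // Decimal numeric entities, with or without the trailing semicolon.
    // Note: like the original, this also turns the already-decoded '&amp;#60;'
    // into '<'; for a pre-filter normalisation that over-decoding is the safe
    // direction, since the filter then sees every candidate form.
    return preg_replace_callback('/&#(0*[0-9]{2,5});?/',
        fn ($m) => mb_chr((int) $m[1], $charset), $str);
}

// Constructed inputs: the same tag written with and without semicolons.
$withSemicolons    = '&#60;b&#62; and &#x3c;/b&#x3e;';
$withoutSemicolons = '&#60b&#62 and &#x3c/b&#x3e';

var_dump(html_entity_decode($withoutSemicolons, ENT_QUOTES, 'UTF-8'));
var_dump(decodeLikeBrowser($withSemicolons));
var_dump(decodeLikeBrowser($withoutSemicolons));
```

Running it shows the first dump still containing the raw entities while both decoder calls yield the same decoded markup, which is the normalisation xss_clean() needs before its pattern checks.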


public string sanitize_filename ( string $str, boolean $relative_path = FALSE )

Filename Security

Parameters

$str string

$relative_path boolean

Returns string


protected string _compact_exploded_words ( array $matches )

Compact Exploded Words

Callback function for xss_clean() to remove whitespace from things like j a v a s c r i p t

Parameters

$matches array

Returns string


protected string _remove_evil_attributes ( mixed $str, mixed $is_image )

Remove Evil HTML Attributes

Helper for xss_clean() that strips event-handler (on*) and style attributes from tags

Parameters

$str mixed

$is_image mixed

Returns string


protected string _sanitize_naughty_html ( array $matches )

Sanitize Naughty HTML

Callback function for xss_clean() to remove naughty HTML elements

Parameters

$matches array

Returns string


protected string _js_link_removal ( array $match )

JS Link Removal

Callback function for xss_clean() to sanitize links. This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings

Parameters

$match array

Returns string


protected string _js_img_removal ( array $match )

JS Image Removal

Callback function for xss_clean() to sanitize image tags. This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings

Parameters

$match array

Returns string


protected string _convert_attribute ( array $match )

Attribute Conversion

Used as a callback for XSS Clean

Parameters

$match array

Returns string


protected string _filter_attributes ( string $str )

Filter Attributes

Filters tag attributes for consistency and safety

Parameters

$str string

Returns string


protected string _decode_entity ( array $match )

HTML Entity Decode Callback

Used as a callback for XSS Clean

Parameters

$match array

Returns string


protected string _validate_entities ( string $str )

Validate URL entities

Called by xss_clean()

Parameters

$str string

Returns string


protected string _do_never_allowed ( string $str )

Do Never Allowed

A utility function for xss_clean()

Parameters

$str string

Returns string


protected string _csrf_set_hash ( )

Set CSRF Hash

Generates the random hash stored in $_csrf_hash when it is still empty, reusing a well-formed hash already present in the CSRF cookie

Returns string

## Properties summary


protected string $_xss_hash = ''

Random Hash for protecting URLs


protected string $_csrf_hash = ''

Random Hash for Cross Site Request Forgery Protection Cookie


protected integer $_csrf_expire = 7200

Expiration time for Cross Site Request Forgery Protection Cookie. Defaults to two hours (in seconds)


protected string $_csrf_token_name = 'ci_csrf_token'

Token name for Cross Site Request Forgery Protection Cookie


protected string $_csrf_cookie_name = 'ci_csrf_token'

Cookie name for Cross Site Request Forgery Protection Cookie


protected array $_never_allowed_str

```php
array(
	'document.cookie' => '[removed]',
	'document.write'  => '[removed]',
	'.parentNode'     => '[removed]',
	'.innerHTML'      => '[removed]',
	'window.location' => '[removed]',
	'-moz-binding'    => '[removed]',
	'<!--'            => '&lt;!--',
	'-->'             => '--&gt;',
	'<![CDATA['       => '&lt;![CDATA[',
	'<comment>'       => '&lt;comment&gt;'
)
```

List of never allowed strings


protected array $_never_allowed_regex

```php
array(
	"javascript\s*:"           => '[removed]',
	"expression\s*(\(|&\#40;)" => '[removed]', // CSS and IE
	"vbscript\s*:"             => '[removed]', // IE, surprise!
	"Redirect\s+302"           => '[removed]'
)
```

List of never allowed regex replacements