Public Member Functions | |
CI_Input () | |
_sanitize_globals () | |
_clean_input_data ($str) | |
_clean_input_keys ($str) | |
_fetch_from_array (&$array, $index= '', $xss_clean=FALSE) | |
get ($index= '', $xss_clean=FALSE) | |
post ($index= '', $xss_clean=FALSE) | |
get_post ($index= '', $xss_clean=FALSE) | |
cookie ($index= '', $xss_clean=FALSE) | |
server ($index= '', $xss_clean=FALSE) | |
ip_address () | |
valid_ip ($ip) | |
user_agent () | |
filename_security ($str) | |
xss_clean ($str, $is_image=FALSE) | |
xss_hash () | |
_remove_invisible_characters ($str) | |
_compact_exploded_words ($matches) | |
_sanitize_naughty_html ($matches) | |
_js_link_removal ($match) | |
_js_img_removal ($match) | |
_convert_attribute ($match) | |
_html_entity_decode_callback ($match) | |
_html_entity_decode ($str, $charset='UTF-8') | |
_filter_attributes ($str) | |
Public Attributes | |
$use_xss_clean = FALSE | |
$xss_hash = '' | |
$ip_address = FALSE | |
$user_agent = FALSE | |
$allow_get_array = FALSE | |
$never_allowed_str | |
$never_allowed_regex |
CI_Input::_clean_input_data | ( | $ | str | ) |
Clean Input Data
This is a helper function. It escapes data and standardizes newline characters to
private
string |
CI_Input::_clean_input_keys | ( | $ | str | ) |
Clean Keys
This is a helper function. To prevent malicious users from trying to exploit keys we make sure that keys are only named with alpha-numeric text and a few other items.
private
string |
CI_Input::_compact_exploded_words | ( | $ | matches | ) |
Compact Exploded Words
Callback function for xss_clean() to remove whitespace from things like j a v a s c r i p t
public
type |
CI_Input::_convert_attribute | ( | $ | match | ) |
Attribute Conversion
Used as a callback for XSS Clean
public
array |
CI_Input::_fetch_from_array | ( | &$ | array, | |
$ | index = '' , |
|||
$ | xss_clean = FALSE | |||
) |
Fetch from array
This is a helper function to retrieve values from global arrays
private
array | ||
string | ||
bool |
CI_Input::_filter_attributes | ( | $ | str | ) |
Filter Attributes
Filters tag attributes for consistency and safety
public
string |
CI_Input::_html_entity_decode | ( | $ | str, | |
$ | charset = 'UTF-8' | |||
) |
HTML Entities Decode
This function is a replacement for html_entity_decode()
In some versions of PHP the native function does not work when UTF-8 is the specified character set, so this gives us a work-around. More info here: http://bugs.php.net/bug.php?id=25670
private
string | ||
string |
CI_Input::_html_entity_decode_callback | ( | $ | match | ) |
HTML Entity Decode Callback
Used as a callback for XSS Clean
public
array |
CI_Input::_js_img_removal | ( | $ | match | ) |
JS Image Removal
Callback function for xss_clean() to sanitize image tags This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image tag heavy strings
private
array |
CI_Input::_js_link_removal | ( | $ | match | ) |
JS Link Removal
Callback function for xss_clean() to sanitize links This limits the PCRE backtracks, making it more performance friendly and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings
private
array |
CI_Input::_remove_invisible_characters | ( | $ | str | ) |
Remove Invisible Characters
This prevents sandwiching null characters between ascii characters, like Java.
public
string |
CI_Input::_sanitize_globals | ( | ) |
Sanitize Globals
This function does the following:
Unsets $_GET data (if query strings are not enabled)
Unsets all globals if register_globals is enabled
Standardizes newline characters to
private
CI_Input::_sanitize_naughty_html | ( | $ | matches | ) |
Sanitize Naughty HTML
Callback function for xss_clean() to remove naughty HTML elements
private
array |
CI_Input::CI_Input | ( | ) |
Constructor
Sets whether to globally enable the XSS processing and whether to allow the $_GET array
public
CI_Input::cookie | ( | $ | index = '' , |
|
$ | xss_clean = FALSE | |||
) |
Fetch an item from the COOKIE array
public
string | ||
bool |
CI_Input::filename_security | ( | $ | str | ) |
Filename Security
public
string |
CI_Input::get | ( | $ | index = '' , |
|
$ | xss_clean = FALSE | |||
) |
Fetch an item from the GET array
public
string | ||
bool |
CI_Input::get_post | ( | $ | index = '' , |
|
$ | xss_clean = FALSE | |||
) |
Fetch an item from either the GET array or the POST
public
string | The index key | |
bool | XSS cleaning |
CI_Input::ip_address | ( | ) |
Fetch the IP Address
public
CI_Input::post | ( | $ | index = '' , |
|
$ | xss_clean = FALSE | |||
) |
Fetch an item from the POST array
public
string | ||
bool |
CI_Input::server | ( | $ | index = '' , |
|
$ | xss_clean = FALSE | |||
) |
Fetch an item from the SERVER array
public
string | ||
bool |
CI_Input::user_agent | ( | ) |
User Agent
public
CI_Input::valid_ip | ( | $ | ip | ) |
Validate IP Address
Updated version suggested by Geert De Deckere
public
string |
CI_Input::xss_clean | ( | $ | str, | |
$ | is_image = FALSE | |||
) |
XSS Clean
Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything passed the filter.
Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.
This function was based in part on some code and ideas I got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: http://ha.ckers.org/xss.html
public
string |
CI_Input::xss_hash | ( | ) |
Random Hash for protecting URLs
public
CI_Input::$allow_get_array = FALSE |
CI_Input::$ip_address = FALSE |
CI_Input::$never_allowed_regex |
Initial value:
array( "javascript\s*:" => '[removed]', "expression\s*\(" => '[removed]', // CSS and IE "Redirect\s+302" => '[removed]' )
CI_Input::$never_allowed_str |
Initial value:
array( 'document.cookie' => '[removed]', 'document.write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', 'window.location' => '[removed]', '-moz-binding' => '[removed]', '<!--' => '<!--', '-->' => '-->', '<![CDATA[' => '<![CDATA[' )
CI_Input::$use_xss_clean = FALSE |
CI_Input::$user_agent = FALSE |
CI_Input::$xss_hash = '' |