Xcrud_xss

Based on Security class by CodeIgniter

Tags
author

ExpressionEngine Dev Team

Table of Contents

$_never_allowed_regex  : array<string|int, mixed>
List of never allowed regex replacement
$_never_allowed_str  : mixed
__construct()  : void
Constructor
entity_decode()  : string
HTML Entities Decode
sanitize_filename()  : string
Filename Security
xss_clean()  : string
XSS Clean
_compact_exploded_words()  : string
Compact Exploded Words
_convert_attribute()  : string
Attribute Conversion
_decode_entity()  : string
HTML Entity Decode Callback
_do_never_allowed()  : string
Do Never Allowed
_filter_attributes()  : string
Filter Attributes
_js_img_removal()  : string
JS Image Removal
_js_link_removal()  : string
JS Link Removal
_remove_evil_attributes()  : mixed
_remove_invisible_characters()  : mixed
_sanitize_naughty_html()  : string
Sanitize Naughty HTML
_validate_entities()  : string
Validate URL entities

Properties

$_never_allowed_regex

List of never allowed regex replacement

protected array<string|int, mixed> $_never_allowed_regex = array(
    'javascript\s*:',
    'expression\s*(\(|&\#40;)', // CSS and IE
    'vbscript\s*:',             // IE, surprise!
    'Redirect\s+302',
    "([\"'])?data\s*:[^\1]*?base64[^\1]*?,[^\1]*?\1?",
)
Tags
access

protected

$_never_allowed_str

protected mixed $_never_allowed_str = array(
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    '.parentNode'     => '[removed]',
    '.innerHTML'      => '[removed]',
    'window.location' => '[removed]',
    '-moz-binding'    => '[removed]',
    '<!--'            => '&lt;!--',
    '-->'             => '--&gt;',
    '<![CDATA['       => '&lt;![CDATA[',
    '<comment>'       => '&lt;comment&gt;',
)

Methods

__construct()

Constructor

public __construct() : void
Return values
void

entity_decode()

HTML Entities Decode

public entity_decode(mixed $str[, mixed $charset = 'UTF-8' ]) : string

This function is a replacement for html_entity_decode().

The reason we are not using html_entity_decode() by itself is that, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so an attacker could write &#106avascript: and have the browser see javascript: while the filter sees an opaque entity. Hence our own little solution here. Bummer.

Parameters
$str : mixed
$charset : mixed = 'UTF-8'
Return values
string
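The behaviour described above, as an added example that is not the Xcrud_xss class's own code: a stand-alone re-implementation of the loose entity decode, written with preg_replace_callback() because the /e modifier that the CodeIgniter-era original used is gone in PHP 7. The function name decode_entities_loosely() and the sample payloads are constructed for this demonstration; mb_chr() assumes the mbstring extension.

```php
<?php
// Added example (not the Xcrud_xss class's own code): the loose entity
// decode that entity_decode() is documented to perform. Well-formed
// entities are handled by html_entity_decode(); numeric references that
// omit the trailing semicolon are then decoded by hand.
function decode_entities_loosely(string $str, string $charset = 'UTF-8'): string
{
    // Fast path: nothing that could be an entity.
    if (strpos($str, '&') === false) {
        return $str;
    }

    // Standard decode covers entities that are terminated with ';'.
    $str = html_entity_decode($str, ENT_COMPAT, $charset);

    // Hexadecimal references with or without a semicolon: &#x6A, &#x6a;
    $str = preg_replace_callback('~&#x(0*[0-9a-f]{2,5});?~i', function ($m) {
        $c = mb_chr(hexdec($m[1]), 'UTF-8');
        return $c === false ? '' : $c;   // drop invalid code points (surrogates)
    }, $str);

    // Decimal references with or without a semicolon: &#106, &#106;
    return preg_replace_callback('~&#([0-9]{2,4});?~', function ($m) {
        $c = mb_chr((int) $m[1], 'UTF-8');
        return $c === false ? '' : $c;
    }, $str);
}

// Constructed inputs: the same payload with and without semicolons.
$payloads = [
    '&#106;avascript:alert(1)',      // terminated: html_entity_decode() handles it
    '&#106avascript:alert(1)',       // unterminated: html_entity_decode() leaves it alone
    '&#x6A&#x61vascript:alert(1)',   // unterminated hex references
];

foreach ($payloads as $p) {
    printf(
        "%-30s builtin: %-28s loose: %s\n",
        $p,
        html_entity_decode($p, ENT_COMPAT, 'UTF-8'),
        decode_entities_loosely($p)
    );
}
```

The point of the extra passes is that they run before the never-allowed patterns are matched: once &#106avascript: has become javascript:, the javascript\s*: rule catches it, whereas the built-in decode alone would hand the pattern pass a string it does not recognise.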

sanitize_filename()

Filename Security

public sanitize_filename(mixed $str[, mixed $relative_path = FALSE ]) : string

In the CodeIgniter Security class this derives from, this strips path-traversal sequences (../), HTML and shell metacharacters and several of their URL-encoded forms from a filename; unless $relative_path is TRUE, "./" and "/" are removed as well, so the result is a single path component. It is a character blacklist, so pair it with basename() and an allowlist of acceptable characters rather than relying on it alone.
Parameters
$str : mixed
$relative_path : mixed = FALSE
Return values
string

xss_clean()

XSS Clean

public xss_clean(mixed $str[, mixed $is_image = FALSE ]) : string

Sanitizes data so that Cross Site Scripting attacks can be prevented. This function does a fair amount of work, but it is extremely thorough and designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing. It is also a blacklist filter applied to input, not a substitute for context-aware output encoding: data that is later echoed into HTML still needs htmlspecialchars($str, ENT_QUOTES, 'UTF-8') (or the equivalent for the JavaScript, URL or CSS context it lands in).

Callers that pass $is_image = TRUE should check the return type: in the CodeIgniter Security class this filter is based on, image mode returns a boolean (TRUE when the string came through every pass unchanged, FALSE when something was removed) rather than the cleaned string.

This function was based in part on some code and ideas I got from Bitflux: http://channel.bitflux.ch/wiki/XSS_Prevention

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: http://ha.ckers.org/xss.html

Parameters
$str : mixed
$is_image : mixed = FALSE
Return values
string

_compact_exploded_words()

Compact Exploded Words

protected _compact_exploded_words(mixed $matches) : string

Callback function for xss_clean() to remove whitespace from things like j a v a s c r i p t, so that spacing inside a keyword cannot be used to slip past the never-allowed patterns. (The docblock's return type "type" is an unfilled placeholder; the callback returns the compacted string.)

Parameters
$matches : mixed
Return values
string
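The pass that drives this callback, as an added example rather than the Xcrud_xss class's own code. The keyword list and the "only when a non-word character follows" rule are taken from the CodeIgniter Security class this filter is based on; the function name compact_exploded_words() and the sample strings are constructed for the demonstration.

```php
<?php
// Added example (not the Xcrud_xss class's own code): rebuilds the
// "compact exploded words" pass of xss_clean() so its effect can be seen in
// isolation. The closure plays the role of _compact_exploded_words($matches).
function compact_exploded_words(string $str): string
{
    // Keywords that attackers split with whitespace to dodge pattern matching
    // (list assumed from the CodeIgniter original).
    $words = ['javascript', 'expression', 'vbscript', 'script', 'base64',
              'applet', 'alert', 'document', 'write', 'cookie', 'window'];

    foreach ($words as $word) {
        // "javascript" becomes "j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t".
        $spaced = implode('\s*', str_split($word));

        // Require a non-word character after the keyword, so ordinary text
        // such as "dealer to" (which contains "aler t") is not glued together.
        $str = preg_replace_callback(
            '#(' . $spaced . ')(\W)#is',
            function ($m) {
                // Same job as the _compact_exploded_words() callback: strip
                // every whitespace run from the keyword, keep the delimiter.
                return preg_replace('/\s+/s', '', $m[1]) . $m[2];
            },
            $str
        );
    }

    return $str;
}

// Constructed samples: an exploded keyword, benign prose that happens to
// contain "aler t", and an exploded keyword that is part of a longer word.
$samples = [
    'j a v a s c r i p t:alert(1)',
    'the dealer to the left',
    's c r i p ting is harmless here',
];

foreach ($samples as $s) {
    printf("%-34s => %s\n", $s, compact_exploded_words($s));
}
```

Because the match is anchored on the following non-word character, only the first sample is compacted; the other two are returned unchanged.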

_convert_attribute()

Attribute Conversion

protected _convert_attribute(mixed $match) : string

Used as a callback for XSS Clean

Parameters
$match : mixed
Return values
string

_decode_entity()

HTML Entity Decode Callback

protected _decode_entity(mixed $match) : string

Used as a callback for XSS Clean

Parameters
$match : mixed
Return values
string

_do_never_allowed()

Do Never Allowed

protected _do_never_allowed(mixed $str) : string

A utility function for xss_clean()

Parameters
$str : mixed
Return values
string
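The never-allowed pass, built from the two properties documented under Properties above and the _do_never_allowed() method described here, as an added example that is not the Xcrud_xss class's own code. The str_replace()/preg_replace() sequence and the '#...#is' pattern delimiters are assumed from the CodeIgniter Security class this filter is based on; the constant names and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not the Xcrud_xss class's own code): a stand-alone version
// of the _do_never_allowed() pass using the two never-allowed tables.

// Literal fragments, replaced with a visible marker or with an escaped form
// (same entries as $_never_allowed_str on this page).
const NEVER_ALLOWED_STR = [
    'document.cookie' => '[removed]',
    'document.write'  => '[removed]',
    '.parentNode'     => '[removed]',
    '.innerHTML'      => '[removed]',
    'window.location' => '[removed]',
    '-moz-binding'    => '[removed]',
    '<!--'            => '&lt;!--',
    '-->'             => '--&gt;',
    '<![CDATA['       => '&lt;![CDATA[',
    '<comment>'       => '&lt;comment&gt;',
];

// Patterns, matched case-insensitively and across newlines
// (same entries as $_never_allowed_regex on this page).
const NEVER_ALLOWED_REGEX = [
    'javascript\s*:',
    'expression\s*(\(|&\#40;)',   // CSS and IE
    'vbscript\s*:',               // IE, surprise!
    'Redirect\s+302',
    '(["\'])?data\s*:[^\1]*?base64[^\1]*?,[^\1]*?\1?',
];

function do_never_allowed(string $str): string
{
    // Plain string fragments first: a literal, single-pass replacement.
    $str = str_replace(
        array_keys(NEVER_ALLOWED_STR),
        array_values(NEVER_ALLOWED_STR),
        $str
    );

    // Then each pattern; the /i and /s flags assumed from the CodeIgniter original.
    foreach (NEVER_ALLOWED_REGEX as $regex) {
        $str = preg_replace('#' . $regex . '#is', '[removed]', $str);
    }

    return $str;
}

// Constructed inputs exercising whitespace, case, data: URIs and comments.
$samples = [
    '<a href="javascript :alert(1)">x</a>',
    '<a href="JaVaScRiPt:alert(1)">x</a>',
    '<img src="data:text/html;base64,PHNjcmlwdD4=">',
    '<script>document.cookie</script>',
    '<!-- hidden --> a{behavior:expression(alert(1))}',
];

foreach ($samples as $s) {
    printf("%-50s => %s\n", $s, do_never_allowed($s));
}
```

Two design points are worth noting. The replacement is a visible marker rather than an empty string, so removing a match cannot splice the surrounding text into a new match (as "javajavascript:script:" would do against a filter that deletes matches). And the data: pattern only consumes up to the comma, so the base64 payload survives in the output; it is the scheme that is destroyed, which is enough to stop the browser interpreting it as a data URI.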

_filter_attributes()

Filter Attributes

protected _filter_attributes(mixed $str) : string

Filters tag attributes for consistency and safety

Parameters
$str : mixed
Return values
string

_js_img_removal()

JS Image Removal

protected _js_img_removal(mixed $match) : string

Callback function for xss_clean() to sanitize image tags. Doing the work in a callback limits PCRE backtracking, which is friendlier on performance and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings.

Parameters
$match : mixed
Return values
string

_js_link_removal()

JS Link Removal

protected _js_link_removal(mixed $match) : string

Callback function for xss_clean() to sanitize links. Doing the work in a callback limits PCRE backtracking, which is friendlier on performance and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.

Parameters
$match : mixed
Return values
string

_remove_evil_attributes()

protected _remove_evil_attributes(mixed $str, mixed $is_image) : mixed

Strips attributes that can carry script from tags. In the CodeIgniter Security class this derives from, that is every on* event handler, style, xmlns and formaction; when $is_image is TRUE, xmlns is left alone because image metadata (for example the XML block Photoshop writes into JPEG files) legitimately carries XML namespaces.
Parameters
$str : mixed
$is_image : mixed
Return values
mixed

_remove_invisible_characters()

protected _remove_invisible_characters(mixed $str[, mixed $url_encoded = TRUE ]) : mixed

Removes ASCII control characters (other than tab, newline and carriage return) and DEL, which browsers ignore but which could split a keyword such as java<NUL>script; with $url_encoded = TRUE their percent-encoded forms (%00 to %08, %0B, %0C, %0E to %1F) are removed as well. In the CodeIgniter original this repeats until nothing more is removed, and it runs before the pattern passes so that the never-allowed rules see the reassembled keyword.
Parameters
$str : mixed
$url_encoded : mixed = TRUE
Return values
mixed

_sanitize_naughty_html()

Sanitize Naughty HTML

protected _sanitize_naughty_html(mixed $matches) : string

Callback function for xss_clean() to remove naughty HTML elements

Parameters
$matches : mixed
Return values
string

_validate_entities()

Validate URL entities

protected _validate_entities(mixed $str) : string

Called by xss_clean()

Parameters
$str : mixed
Return values
string
