Context Navigation

← Previous Changeset
Next Changeset →

Changeset 648

Timestamp:

10/04/2007 03:32:31 PM (12 months ago)

Author:

Shadowhand

Message:

Updated Input, replacing xss_clean() with a function by Christian Stocker. This function is blazing fast and does most of the right stuff.

Other changes are spit shine.

Location:

trunk

Files:

: 7 modified

application/config/config.php (modified) (1 diff)
system/libraries/Input.php (modified) (2 diffs)
system/libraries/Loader.php (modified) (6 diffs)
system/libraries/Model.php (modified) (1 diff)
system/libraries/Upload.php (modified) (1 diff)
system/libraries/User_agent.php (modified) (1 diff)
system/libraries/View.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/application/config/config.php

r647	r648
58	58	*/
59	59	$config['permitted_uri_chars'] = 'a-z 0-9~%.:_-';
	60
	61	/*
	62	\| -----------------------------------------------------------------------------
	63	\| Global XSS Filtering
	64	\| -----------------------------------------------------------------------------
	65	\|
	66	\| Enable or disable global XSS (Cross-Site-Scripting) attack filtering on all
	67	\| user input, include POST, GET, and FILES.
	68	\|
	69	*/
	70	$config['global_xss_filtering'] = TRUE;
60	71
61	72	/*

trunk/system/libraries/Input.php

r644	r648
19	19	* @orig_license http://www.codeigniter.com/user_guide/license.html
20	20	* @filesource
	21	*
21	22	* $Id$
22	23	*/
…	…
377	378	/**
378	379	* XSS Clean implemented by HTML Purifier
379		*
	380	*
380	381	* Note: This function should only be used to deal with data upon submission.
381	382	* It's not something that should be used for general runtime processing
382	383	* since it requires a fair amount of processing overhead.
383		*
384		* @access public
385		* @param string
386		* @return string
387		*/
388		public function xss_clean($str)
389		{
390		require SYSPATH.'vendor/htmlpurifier/HTMLPurifier.auto.php';
391		require 'HTMLPurifier.func.php';
392
393		$config = HTMLPurifier_Config::createDefault();
394		$config->set('HTML', 'TidyLevel', 'none'); // Only XSS cleaning now
395
396		return HTMLPurifier($str, $config);
	384	*
	385	* @access public
	386	* @param string
	387	* @return string
	388	*/
	389	public function xss_clean($string)
	390	{
	391	// http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
	392	// +----------------------------------------------------------------------+
	393	// \| Copyright (c) 2001-2006 Bitflux GmbH \|
	394	// +----------------------------------------------------------------------+
	395	// \| Licensed under the Apache License, Version 2.0 (the "License"); \|
	396	// \| you may not use this file except in compliance with the License. \|
	397	// \| You may obtain a copy of the License at \|
	398	// \| http://www.apache.org/licenses/LICENSE-2.0 \|
	399	// \| Unless required by applicable law or agreed to in writing, software \|
	400	// \| distributed under the License is distributed on an "AS IS" BASIS, \|
	401	// \| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or \|
	402	// \| implied. See the License for the specific language governing \|
	403	// \| permissions and limitations under the License. \|
	404	// +----------------------------------------------------------------------+
	405	// \| Author: Christian Stocker <chregu@bitflux.ch> \|
	406	// +----------------------------------------------------------------------+
	407	//
	408	// Kohana Modifications:
	409	// * Changed double quotes to single quotes, changed indenting and spacing
	410	//
	411	if (get_magic_quotes_gpc())
	412	{
	413	$string = stripslashes($string);
	414	}
	415	$string = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $string);
	416	// fix &entitiy\n;
	417
	418	$string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', '$1;', $string);
	419	$string = preg_replace('#(&\#x)([0-9A-F]+);#iu', '$1$2;', $string);
	420	$string = html_entity_decode($string, ENT_COMPAT, 'UTF-8');
	421
	422	// remove any attribute starting with "on" or xmlns
	423	$string = preg_replace('#(<[^>]+[\x00-\x20\"\'])(on\|xmlns)[^>]*>#iUu', '$1>', $string);
	424	// remove javascript: and vbscript: protocol
	425	$string = preg_replace('#([a-z])[\x00-\x20]=[\x00-\x20]([\`\'\"])[\\x00-\x20]j[\x00-\x20]a[\x00-\x20]v[\x00-\x20]a[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string);
	426	$string = preg_replace('#([a-z])[\x00-\x20]=([\'\"])[\x00-\x20]v[\x00-\x20]b[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:#iUu', '$1=$2novbscript...', $string);
	427	$string = preg_replace('#([a-z])[\x00-\x20]=([\'\"])[\x00-\x20]-moz-binding[\x00-\x20]*:#Uu', '$1=$2nomozbinding...', $string);
	428	//<span style="width: expression(alert('Ping!'));"></span>
	429	// only works in ie...
	430	$string = preg_replace('#(<[^>]+)style[\x00-\x20]=[\x00-\x20]([\`\'\"]).expression[\x00-\x20]\([^>]>#iU', '$1>', $string);
	431	$string = preg_replace('#(<[^>]+)style[\x00-\x20]=[\x00-\x20]([\`\'\"]).behaviour[\x00-\x20]\([^>]>#iU', '$1>', $string);
	432	$string = preg_replace('#(<[^>]+)style[\x00-\x20]=[\x00-\x20]([\`\'\"]).s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:[^>]>#iUu', '$1>', $string);
	433	//remove namespaced elements (we do not need them...)
	434	$string = preg_replace('#</\w+:\w[^>]>#i', '',$string);
	435	//remove really unwanted tags
	436
	437	do {
	438	$oldstring = $string;
	439	$string = preg_replace('#</(applet\|meta\|xml\|blink\|link\|style\|script\|embed\|object\|iframe\|frame\|frameset\|ilayer\|layer\|bgsound\|title\|base)[^>]>#i',"",$string);
	440	} while ($oldstring != $string);
	441
	442	return $string;
397	443	}
398	444

trunk/system/libraries/Loader.php

r644	r648
35	35	public function library($name, $config = array())
36	36	{
	37	if (isset(Kohana::instance()->$name))
	38	return FALSE;
	39
37	40	Kohana::instance()->$name = Kohana::load_class(ucfirst($name), $config);
38	41	}
…	…
40	43	public function database($group = 'default', $return = FALSE)
41	44	{
	45	// Return the new database object
42	46	if ($return == TRUE)
43	47	{
…	…
46	50	else
47	51	{
	52	// Set the database object to Controller->db
48	53	Kohana::instance()->db = new Database($group);
49	54	}
…	…
52	57	public function helper($name)
53	58	{
	59	// Allow recursive loading
54	60	if (is_array($name))
55	61	{
…	…
69	75	public function model($name, $alias = FALSE)
70	76	{
	77	// The alias is used for Controller->alias
71	78	$alias = ($alias == FALSE) ? $name : $alias;
	79
	80	if (isset(Kohana::instance()->$alias))
	81	return FALSE;
	82
	83	// Load the model
72	84	Kohana::instance()->$alias = Kohana::load_class(ucfirst($name).'_Model');
	85
	86	// Load Database into the DB
73	87	Kohana::instance()->$alias->db = (isset(Kohana::instance()->db)) ? Kohana::instance()->db : new Database('default');
74	88	}
…	…
76	90	public function view($name, $data = array())
77	91	{
	92	// Fancy! wink
78	93	return new View($name, $data);
79	94	}

trunk/system/libraries/Model.php

r644	r648
1		<?php
	1	<?php defined('SYSPATH') or die('No direct script access.');
2	2
3		class Model_Core {
4
5
6		}
	3	class Model_Core {}

trunk/system/libraries/Upload.php

r644	r648
1		<?php ~~if (!defined('SYSPATH')) exit('No direct script access allowed~~');
	1	<?php defined('SYSPATH') or die('No direct script access.');
2	2	/**
3	3	* Kohana

trunk/system/libraries/User_agent.php

r647	r648
1		<?php ~~if (!defined('SYSPATH')) exit('No direct script access allowed~~');
	1	<?php defined('SYSPATH') or die('No direct script access.');
2	2	/**
3	3	* Kohana

trunk/system/libraries/View.php

r644	r648
42	42	public function __construct($name, $data = NULL)
43	43	{
44		if (preg_match('/\.(~~gif\|jp~~g\|png\|swf\|js\|css)$/Di', $name, $type))
	44	if (preg_match('/\.([g\|t]if\|jpe?g\|png\|swf\|js\|css)$/Di', $name, $type))
45	45	{
46	46	$type = $type[1];