Context Navigation

← Previous Change
Next Change →

Input.php

Timestamp:

10/04/2007 03:32:31 PM (14 months ago)

Author:

Shadowhand

Message:

Updated Input, replacing xss_clean() with a function by Christian Stocker. This function is blazing fast and does most of the right stuff.

Other changes are spit shine.

Files:

: 1 modified

trunk/system/libraries/Input.php (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/system/libraries/Input.php

r644	r648
19	19	* @orig_license http://www.codeigniter.com/user_guide/license.html
20	20	* @filesource
	21	*
21	22	* $Id$
22	23	*/
…	…
377	378	/**
378	379	* XSS Clean implemented by HTML Purifier
379		*
	380	*
380	381	* Note: This function should only be used to deal with data upon submission.
381	382	* It's not something that should be used for general runtime processing
382	383	* since it requires a fair amount of processing overhead.
383		*
384		* @access public
385		* @param string
386		* @return string
387		*/
388		public function xss_clean($str)
389		{
390		require SYSPATH.'vendor/htmlpurifier/HTMLPurifier.auto.php';
391		require 'HTMLPurifier.func.php';
392
393		$config = HTMLPurifier_Config::createDefault();
394		$config->set('HTML', 'TidyLevel', 'none'); // Only XSS cleaning now
395
396		return HTMLPurifier($str, $config);
	384	*
	385	* @access public
	386	* @param string
	387	* @return string
	388	*/
	389	public function xss_clean($string)
	390	{
	391	// http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
	392	// +----------------------------------------------------------------------+
	393	// \| Copyright (c) 2001-2006 Bitflux GmbH \|
	394	// +----------------------------------------------------------------------+
	395	// \| Licensed under the Apache License, Version 2.0 (the "License"); \|
	396	// \| you may not use this file except in compliance with the License. \|
	397	// \| You may obtain a copy of the License at \|
	398	// \| http://www.apache.org/licenses/LICENSE-2.0 \|
	399	// \| Unless required by applicable law or agreed to in writing, software \|
	400	// \| distributed under the License is distributed on an "AS IS" BASIS, \|
	401	// \| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or \|
	402	// \| implied. See the License for the specific language governing \|
	403	// \| permissions and limitations under the License. \|
	404	// +----------------------------------------------------------------------+
	405	// \| Author: Christian Stocker <chregu@bitflux.ch> \|
	406	// +----------------------------------------------------------------------+
	407	//
	408	// Kohana Modifications:
	409	// * Changed double quotes to single quotes, changed indenting and spacing
	410	//
	411	if (get_magic_quotes_gpc())
	412	{
	413	$string = stripslashes($string);
	414	}
	415	$string = str_replace(array('&','<','>'), array('&amp;','&lt;','&gt;'), $string);
	416	// fix &entitiy\n;
	417
	418	$string = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u', '$1;', $string);
	419	$string = preg_replace('#(&\#x)([0-9A-F]+);#iu', '$1$2;', $string);
	420	$string = html_entity_decode($string, ENT_COMPAT, 'UTF-8');
	421
	422	// remove any attribute starting with "on" or xmlns
	423	$string = preg_replace('#(<[^>]+[\x00-\x20\"\'])(on\|xmlns)[^>]*>#iUu', '$1>', $string);
	424	// remove javascript: and vbscript: protocol
	425	$string = preg_replace('#([a-z])[\x00-\x20]=[\x00-\x20]([\`\'\"])[\\x00-\x20]j[\x00-\x20]a[\x00-\x20]v[\x00-\x20]a[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]*:#iUu', '$1=$2nojavascript...', $string);
	426	$string = preg_replace('#([a-z])[\x00-\x20]=([\'\"])[\x00-\x20]v[\x00-\x20]b[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:#iUu', '$1=$2novbscript...', $string);
	427	$string = preg_replace('#([a-z])[\x00-\x20]=([\'\"])[\x00-\x20]-moz-binding[\x00-\x20]*:#Uu', '$1=$2nomozbinding...', $string);
	428	//<span style="width: expression(alert('Ping!'));"></span>
	429	// only works in ie...
	430	$string = preg_replace('#(<[^>]+)style[\x00-\x20]=[\x00-\x20]([\`\'\"]).expression[\x00-\x20]\([^>]>#iU', '$1>', $string);
	431	$string = preg_replace('#(<[^>]+)style[\x00-\x20]=[\x00-\x20]([\`\'\"]).behaviour[\x00-\x20]\([^>]>#iU', '$1>', $string);
	432	$string = preg_replace('#(<[^>]+)style[\x00-\x20]=[\x00-\x20]([\`\'\"]).s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:[^>]>#iUu', '$1>', $string);
	433	//remove namespaced elements (we do not need them...)
	434	$string = preg_replace('#</\w+:\w[^>]>#i', '',$string);
	435	//remove really unwanted tags
	436
	437	do {
	438	$oldstring = $string;
	439	$string = preg_replace('#</(applet\|meta\|xml\|blink\|link\|style\|script\|embed\|object\|iframe\|frame\|frameset\|ilayer\|layer\|bgsound\|title\|base)[^>]>#i',"",$string);
	440	} while ($oldstring != $string);
	441
	442	return $string;
397	443	}
398	444

Context Navigation

Changeset 648 for trunk/system/libraries/Input.php

Legend:

trunk/system/libraries/Input.php

Download in other formats: