summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2016-12-14 12:23:06 +0100
committerAndrey Andreev <narf@devilix.net>2016-12-14 12:23:06 +0100
commit4e0c208f24b0755c47905e17b82854c538a0c530 (patch)
tree4ab8c90fa0e17a8eb835370d14a11ce36bf4e700
parent8e37b8560c75d3994e59f401be977dcf386bb210 (diff)
Remove 'global_xss_filtering' config setting
-rw-r--r--application/config/config.php14
-rw-r--r--system/core/Input.php32
-rw-r--r--system/helpers/cookie_helper.php3
-rw-r--r--user_guide_src/source/changelog.rst1
-rw-r--r--user_guide_src/source/helpers/cookie_helper.rst2
-rw-r--r--user_guide_src/source/libraries/input.rst37
6 files changed, 20 insertions, 69 deletions
diff --git a/application/config/config.php b/application/config/config.php
index 535f0f817..d37af34b7 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -398,20 +398,6 @@ $config['cookie_httponly'] = FALSE;
/*
|--------------------------------------------------------------------------
-| Global XSS Filtering
-|--------------------------------------------------------------------------
-|
-| Determines whether the XSS filter is always active when GET, POST or
-| COOKIE data is encountered
-|
-| WARNING: This feature is DEPRECATED and currently available only
-| for backwards compatibility purposes!
-|
-*/
-$config['global_xss_filtering'] = FALSE;
-
-/*
-|--------------------------------------------------------------------------
| Cross Site Request Forgery
|--------------------------------------------------------------------------
| Enables a CSRF cookie token to be set. When set to TRUE, token will be
diff --git a/system/core/Input.php b/system/core/Input.php
index a6be7b517..d4f79ee68 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -58,17 +58,6 @@ class CI_Input {
protected $ip_address = FALSE;
/**
- * Enable XSS flag
- *
- * Determines whether the XSS filter is always active when
- * GET, POST or COOKIE data is encountered.
- * Set automatically based on config setting.
- *
- * @var bool
- */
- protected $_enable_xss = FALSE;
-
- /**
* Enable CSRF flag
*
* Enables a CSRF cookie token to be set.
@@ -119,7 +108,6 @@ class CI_Input {
*/
public function __construct()
{
- $this->_enable_xss = (config_item('global_xss_filtering') === TRUE);
$this->_enable_csrf = (config_item('csrf_protection') === TRUE);
$this->security =& load_class('Security', 'core');
@@ -154,10 +142,8 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = NULL)
+ protected function _fetch_from_array(&$array, $index = NULL, $xss_clean = FALSE)
{
- is_bool($xss_clean) OR $xss_clean = $this->_enable_xss;
-
// If $index is NULL, it means that the whole $array is requested
isset($index) OR $index = array_keys($array);
@@ -217,7 +203,7 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- public function get($index = NULL, $xss_clean = NULL)
+ public function get($index = NULL, $xss_clean = FALSE)
{
return $this->_fetch_from_array($_GET, $index, $xss_clean);
}
@@ -231,7 +217,7 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- public function post($index = NULL, $xss_clean = NULL)
+ public function post($index = NULL, $xss_clean = FALSE)
{
return $this->_fetch_from_array($_POST, $index, $xss_clean);
}
@@ -245,7 +231,7 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- public function post_get($index, $xss_clean = NULL)
+ public function post_get($index, $xss_clean = FALSE)
{
return isset($_POST[$index])
? $this->post($index, $xss_clean)
@@ -261,7 +247,7 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- public function get_post($index, $xss_clean = NULL)
+ public function get_post($index, $xss_clean = FALSE)
{
return isset($_GET[$index])
? $this->get($index, $xss_clean)
@@ -277,7 +263,7 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- public function cookie($index = NULL, $xss_clean = NULL)
+ public function cookie($index = NULL, $xss_clean = FALSE)
{
return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
}
@@ -291,7 +277,7 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- public function server($index, $xss_clean = NULL)
+ public function server($index, $xss_clean = FALSE)
{
return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
}
@@ -307,7 +293,7 @@ class CI_Input {
* @param bool $xss_clean Whether to apply XSS filtering
* @return mixed
*/
- public function input_stream($index = NULL, $xss_clean = NULL)
+ public function input_stream($index = NULL, $xss_clean = FALSE)
{
// Prior to PHP 5.6, the input stream can only be read once,
// so we'll need to check if we have already done that first.
@@ -561,7 +547,7 @@ class CI_Input {
*
* @return string|null User Agent string or NULL if it doesn't exist
*/
- public function user_agent($xss_clean = NULL)
+ public function user_agent($xss_clean = FALSE)
{
return $this->_fetch_from_array($_SERVER, 'HTTP_USER_AGENT', $xss_clean);
}
diff --git a/system/helpers/cookie_helper.php b/system/helpers/cookie_helper.php
index ca4324495..f8943fde3 100644
--- a/system/helpers/cookie_helper.php
+++ b/system/helpers/cookie_helper.php
@@ -85,9 +85,8 @@ if ( ! function_exists('get_cookie'))
* @param bool
* @return mixed
*/
- function get_cookie($index, $xss_clean = NULL)
+ function get_cookie($index, $xss_clean = FALSE)
{
- is_bool($xss_clean) OR $xss_clean = (config_item('global_xss_filtering') === TRUE);
$prefix = isset($_COOKIE[$index]) ? '' : config_item('cookie_prefix');
return get_instance()->input->cookie($prefix.$index, $xss_clean);
}
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index a0f91a148..1a1b0d537 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -12,6 +12,7 @@ Release Date: Not Released
- Changed :doc:`URI Library <libraries/uri>` to ignore the ``$config['url_suffix']``, ``$config['permitted_uri_chars']`` configuration settings for CLI requests.
- Removed previously deprecated ``$config['allow_get_array']``.
- Removed previously deprecated ``$config['standardize_newlines']``.
+ - Removed previously deprecated ``$config['global_xss_filtering']``.
- Removed previously deprecated :doc:`Input Library <libraries/input>` method ``is_cli_request()`` (use :php:func:`is_cli()` instead).
- Removed previously deprecated :doc:`Routing Class <general/routing>` methods ``fetch_directory()``, ``fetch_class()`` and ``fetch_method()`` (use the respective class properties instead).
- Removed previously deprecated :doc:`Config Library <libraries/config>` method ``system_url()`` (encourages insecure practices).
diff --git a/user_guide_src/source/helpers/cookie_helper.rst b/user_guide_src/source/helpers/cookie_helper.rst
index c9d2f419c..71e40a33c 100644
--- a/user_guide_src/source/helpers/cookie_helper.rst
+++ b/user_guide_src/source/helpers/cookie_helper.rst
@@ -42,7 +42,7 @@ The following functions are available:
a description of its use, as this function is an alias for
``CI_Input::set_cookie()``.
-.. php:function:: get_cookie($index[, $xss_clean = NULL])
+.. php:function:: get_cookie($index[, $xss_clean = FALSE])
:param string $index: Cookie name
:param bool $xss_clean: Whether to apply XSS filtering to the returned value
diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index 8b816a567..1961e3e57 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -32,26 +32,6 @@ following:
turned on.
- Filters the GET/POST/COOKIE array keys, permitting only alpha-numeric
(and a few other) characters.
-- Provides XSS (Cross-site Scripting Hacks) filtering. This can be
- enabled globally, or upon request.
-
-XSS Filtering
-=============
-
-The Input class has the ability to filter input automatically to prevent
-cross-site scripting attacks. If you want the filter to run
-automatically every time it encounters POST or COOKIE data you can
-enable it by opening your *application/config/config.php* file and setting
-this::
-
- $config['global_xss_filtering'] = TRUE;
-
-Please refer to the :doc:`Security class <security>` documentation for
-information on using XSS Filtering in your application.
-
-.. important:: The 'global_xss_filtering' setting is DEPRECATED and kept
- solely for backwards-compatibility purposes. XSS escaping should
- be performed on *output*, not *input*!
*******************
Accessing form data
@@ -126,7 +106,7 @@ Class Reference
The property can be read multiple times.
- .. php:method:: post([$index = NULL[, $xss_clean = NULL]])
+ .. php:method:: post([$index = NULL[, $xss_clean = FALSE]])
:param mixed $index: POST parameter name
:param bool $xss_clean: Whether to apply XSS filtering
@@ -143,7 +123,6 @@ Class Reference
The second optional parameter lets you run the data through the XSS
filter. It's enabled by setting the second parameter to boolean TRUE
- or by setting your ``$config['global_xss_filtering']`` to TRUE.
::
$this->input->post('some_data', TRUE);
@@ -169,7 +148,7 @@ Class Reference
$this->input->post(array('field1', 'field2'), TRUE);
- .. php:method:: get([$index = NULL[, $xss_clean = NULL]])
+ .. php:method:: get([$index = NULL[, $xss_clean = FALSE]])
:param mixed $index: GET parameter name
:param bool $xss_clean: Whether to apply XSS filtering
@@ -202,7 +181,7 @@ Class Reference
$this->input->get(array('field1', 'field2'), TRUE);
- .. php:method:: post_get($index[, $xss_clean = NULL])
+ .. php:method:: post_get($index[, $xss_clean = FALSE])
:param string $index: POST/GET parameter name
:param bool $xss_clean: Whether to apply XSS filtering
@@ -215,7 +194,7 @@ Class Reference
$this->input->post_get('some_data', TRUE);
- .. php:method:: get_post($index[, $xss_clean = NULL])
+ .. php:method:: get_post($index[, $xss_clean = FALSE])
:param string $index: GET/POST parameter name
:param bool $xss_clean: Whether to apply XSS filtering
@@ -230,7 +209,7 @@ Class Reference
.. note:: This method used to act EXACTLY like ``post_get()``, but it's
behavior has changed in CodeIgniter 3.0.
- .. php:method:: cookie([$index = NULL[, $xss_clean = NULL]])
+ .. php:method:: cookie([$index = NULL[, $xss_clean = FALSE]])
:param mixed $index: COOKIE name
:param bool $xss_clean: Whether to apply XSS filtering
@@ -253,7 +232,7 @@ Class Reference
function :php:func:`get_cookie()`, this method does NOT prepend
your configured ``$config['cookie_prefix']`` value.
- .. php:method:: server($index[, $xss_clean = NULL])
+ .. php:method:: server($index[, $xss_clean = FALSE])
:param mixed $index: Value name
:param bool $xss_clean: Whether to apply XSS filtering
@@ -271,7 +250,7 @@ Class Reference
$this->input->server(array('SERVER_PROTOCOL', 'REQUEST_URI'));
- .. php:method:: input_stream([$index = NULL[, $xss_clean = NULL]])
+ .. php:method:: input_stream([$index = NULL[, $xss_clean = FALSE]])
:param mixed $index: Key name
:param bool $xss_clean: Whether to apply XSS filtering
@@ -386,7 +365,7 @@ Class Reference
Accepts an optional second string parameter of 'ipv4' or 'ipv6' to specify
an IP format. The default checks for both formats.
- .. php:method:: user_agent([$xss_clean = NULL])
+ .. php:method:: user_agent([$xss_clean = FALSE])
:returns: User agent string or NULL if not set
:param bool $xss_clean: Whether to apply XSS filtering