summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authoradmin <devnull@localhost>2006-10-03 21:17:59 +0200
committeradmin <devnull@localhost>2006-10-03 21:17:59 +0200
commit04ea44e4327be7ae3a9dfb55bfd77e9ec8c7c92d (patch)
tree19403de29010413e15232ea0af0dc5c8a7ade8e4
parenta813a46adc7eefa9ec3835e07f3b57ab5d870d27 (diff)
-rw-r--r--system/libraries/Input.php116
-rw-r--r--user_guide/general/changelog.html1
2 files changed, 52 insertions, 65 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 41d77a97a..98c2cbd55 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -42,14 +42,13 @@ class CI_Input {
*/
function CI_Input()
{
+ log_message('debug', "Input Class Initialized");
+
$CFG =& _load_class('Config');
$this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE;
- $this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
-
- log_message('debug', "Input Class Initialized");
+ $this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
$this->_sanitize_globals();
}
- // END CI_Input()
// --------------------------------------------------------------------
@@ -81,11 +80,11 @@ class CI_Input {
foreach ($global as $key => $val)
{
unset($$key);
- }
+ }
}
}
- // Is $_GET data allowed?
+ // Is $_GET data allowed? If not we'll set the $_GET to an empty array
if ($this->allow_get_array == FALSE)
{
$_GET = array();
@@ -95,33 +94,22 @@ class CI_Input {
if (is_array($_POST) AND count($_POST) > 0)
{
foreach($_POST as $key => $val)
- {
- if (is_array($val))
- {
- foreach($val as $k => $v)
- {
- $_POST[$this->_clean_input_keys($key)][$this->_clean_input_keys($k)] = $this->_clean_input_data($v);
- }
- }
- else
- {
- $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
- }
- }
+ {
+ $_POST[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
+ }
}
// Clean $_COOKIE Data
if (is_array($_COOKIE) AND count($_COOKIE) > 0)
{
foreach($_COOKIE as $key => $val)
- {
+ {
$_COOKIE[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
- }
+ }
}
log_message('debug', "Global POST and COOKIE data sanitized");
}
- // END _sanitize_globals()
// --------------------------------------------------------------------
@@ -142,7 +130,7 @@ class CI_Input {
$new_array = array();
foreach ($str as $key => $val)
{
- $new_array[$key] = $this->_clean_input_data($val);
+ $new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
}
return $new_array;
}
@@ -152,9 +140,9 @@ class CI_Input {
$str = $this->xss_clean($str);
}
+ // Standardize newlines
return preg_replace("/\015\012|\015|\012/", "\n", $str);
}
- // END _clean_input_data()
// --------------------------------------------------------------------
@@ -170,7 +158,7 @@ class CI_Input {
* @return string
*/
function _clean_input_keys($str)
- {
+ {
if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
{
exit('Disallowed Key Characters: '.$str);
@@ -183,7 +171,6 @@ class CI_Input {
return $str;
}
- // END _clean_input_keys()
// --------------------------------------------------------------------
@@ -200,19 +187,24 @@ class CI_Input {
{
return FALSE;
}
- else
+
+ if ($xss_clean === TRUE)
{
- if ($xss_clean === TRUE)
+ if (is_array($_POST[$index]))
{
- return $this->xss_clean($_POST[$index]);
+ foreach($_POST[$index] as $key => $val)
+ {
+ $_POST[$index][$key] = $this->xss_clean($val);
+ }
}
else
{
- return $_POST[$index];
+ return $this->xss_clean($_POST[$index]);
}
}
+
+ return $_POST[$index];
}
- // END post()
// --------------------------------------------------------------------
@@ -229,32 +221,29 @@ class CI_Input {
{
return FALSE;
}
- else
- {
- if ($xss_clean === TRUE)
+
+ if ($xss_clean === TRUE)
+ {
+ if (is_array($_COOKIE[$index]))
{
- if (is_array($_COOKIE[$index]))
- {
- $cookie = array();
- foreach($_COOKIE[$index] as $key => $val)
- {
- $cookie[$key] = $this->xss_clean($val);
- }
-
- return $cookie;
- }
- else
+ $cookie = array();
+ foreach($_COOKIE[$index] as $key => $val)
{
- return $this->xss_clean($_COOKIE[$index]);
+ $cookie[$key] = $this->xss_clean($val);
}
+
+ return $cookie;
}
else
{
- return $_COOKIE[$index];
+ return $this->xss_clean($_COOKIE[$index]);
}
}
+ else
+ {
+ return $_COOKIE[$index];
+ }
}
- // END cookie()
// --------------------------------------------------------------------
@@ -297,7 +286,6 @@ class CI_Input {
return $this->ip_address;
}
- // END ip_address()
// --------------------------------------------------------------------
@@ -312,7 +300,6 @@ class CI_Input {
{
return ( ! preg_match( "/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $ip)) ? FALSE : TRUE;
}
- // END valid_ip()
// --------------------------------------------------------------------
@@ -333,7 +320,6 @@ class CI_Input {
return $this->user_agent;
}
- // END user_agent()
// --------------------------------------------------------------------
@@ -403,8 +389,8 @@ class CI_Input {
*
*/
$str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
- $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
-
+ $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
+
/*
* Convert character entities to ASCII
*
@@ -414,8 +400,8 @@ class CI_Input {
*
*/
- if (preg_match_all("/<(.+?)>/si", $str, $matches))
- {
+ if (preg_match_all("/<(.+?)>/si", $str, $matches))
+ {
for ($i = 0; $i < count($matches['0']); $i++)
{
$str = str_replace($matches['1'][$i],
@@ -532,12 +518,12 @@ class CI_Input {
$str = preg_replace("#".$key."#i", $val, $str);
}
-
+
log_message('debug', "XSS Filtering completed");
return $str;
}
- // END xss_clean()
+ // --------------------------------------------------------------------
/**
* HTML Entities Decode
@@ -555,14 +541,14 @@ class CI_Input {
* @return string
*/
/* -------------------------------------------------
- /* Replacement for html_entity_decode()
- /* -------------------------------------------------*/
-
- /*
- NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
- character set, and the PHP developers said they were not back porting the
- fix to versions other than PHP 5.x.
- */
+ /* Replacement for html_entity_decode()
+ /* -------------------------------------------------*/
+
+ /*
+ NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
+ character set, and the PHP developers said they were not back porting the
+ fix to versions other than PHP 5.x.
+ */
function _html_entity_decode($str, $charset='ISO-8859-1')
{
if (stristr($str, '&') === FALSE) return $str;
diff --git a/user_guide/general/changelog.html b/user_guide/general/changelog.html
index b8fceaa6d..4373de76d 100644
--- a/user_guide/general/changelog.html
+++ b/user_guide/general/changelog.html
@@ -79,6 +79,7 @@ Change Log
<li>Added <a href="../database/queries.html">simple_query()</a> function to the database classes</li>
<li>Added <a href="../helpers/date_helper.html">standard_date()</a> function to the Date Helper.</li>
<li>Updated the DB Result class to return an empty array when $query->result() doesn't produce a result.</li>
+<li>Updated the <dfn>input->cookie()</dfn> and <dfn>input->post()</dfn> functions in <a href="../libraries/input.html">Input Class</a> to permit arrays contained cookies that are arrays to be run through the XSS filter.</li>
<li>Added $query->free_result();</li>
<li>Added $query->field_names() function</li>