diff options
author | Andrey Andreev <narf@devilix.net> | 2014-01-08 16:19:03 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-01-08 16:19:03 +0100 |
commit | 80a16b1cd0d4716b5ea41497685a8fac02e34333 (patch) | |
tree | 3705897a0412c65f0ff4e01f6733a67217064bff /system/core/Input.php | |
parent | fb614478990694c3622baee2d01b414638c26508 (diff) |
Fix #346
When ['global_xss_filtering'] was turned on, the , , &
superglobals were automatically overwritten. This resulted in one of the following problems:
- xss_clean() being called twice
- Inability to retrieve the original (not filtered) value
XSS filtering is now only applied on demand by the Input class, and the default value for
the parameter in CI_Input methods is changed to NULL. Unless a boolean value is
passed to them, whether XSS filtering is applied depends on the ['global_xss_filtering']
value.
Diffstat (limited to 'system/core/Input.php')
-rw-r--r-- | system/core/Input.php | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/system/core/Input.php b/system/core/Input.php index 164867636..f5123fa5b 100644 --- a/system/core/Input.php +++ b/system/core/Input.php @@ -151,8 +151,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - protected function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE) + protected function _fetch_from_array(&$array, $index = '', $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + if (isset($array[$index])) { $value = $array[$index]; @@ -197,8 +199,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get($index = NULL, $xss_clean = FALSE) + public function get($index = NULL, $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + // Check if a field has been provided if ($index === NULL) { @@ -229,8 +233,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post($index = NULL, $xss_clean = FALSE) + public function post($index = NULL, $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + // Check if a field has been provided if ($index === NULL) { @@ -261,8 +267,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function post_get($index = '', $xss_clean = FALSE) + public function post_get($index = '', $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + return isset($_POST[$index]) ? $this->post($index, $xss_clean) : $this->get($index, $xss_clean); @@ -277,8 +285,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function get_post($index = '', $xss_clean = FALSE) + public function get_post($index = '', $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + return isset($_GET[$index]) ? $this->get($index, $xss_clean) : $this->post($index, $xss_clean); @@ -293,8 +303,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function cookie($index = '', $xss_clean = FALSE) + public function cookie($index = '', $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); } @@ -307,8 +319,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function server($index = '', $xss_clean = FALSE) + public function server($index = '', $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + return $this->_fetch_from_array($_SERVER, $index, $xss_clean); } @@ -323,8 +337,10 @@ class CI_Input { * @param bool $xss_clean Whether to apply XSS filtering * @return mixed */ - public function input_stream($index = '', $xss_clean = FALSE) + public function input_stream($index = '', $xss_clean = NULL) { + is_bool($xss_clean) OR $xss_clean = $this->_enable_xss; + // The input stream can only be read once, so we'll need to check // if we have already done that first. if (is_array($this->_input_stream)) @@ -760,12 +776,6 @@ class CI_Input { // Remove control characters $str = remove_invisible_characters($str, FALSE); - // Should we filter the input data? - if ($this->_enable_xss === TRUE) - { - $str = $this->security->xss_clean($str); - } - // Standardize newlines if needed if ($this->_standardize_newlines === TRUE) { |