summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
diff options
context:
space:
mode:
authorAndrey Andreev <narf@bofh.bg>2012-04-27 11:15:47 +0200
committerAndrey Andreev <narf@bofh.bg>2012-04-27 11:15:47 +0200
commit5815dba069428514ce39e745328a898fc877773f (patch)
tree9ba5c1dc7bef0458c5f89e573f1b2acf05f3c688 /system/core/Security.php
parent9c9591c9b4a1d7ac412f7a85aeb5c92f50aa3490 (diff)
parentced2c9ab41450cb632c042730604111ec2a24e1f (diff)
Merge upstream branch
Diffstat (limited to 'system/core/Security.php')
-rwxr-xr-xsystem/core/Security.php99
1 files changed, 51 insertions, 48 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index ac39ce97b..974e2e428 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -41,14 +41,14 @@ class CI_Security {
*
* @var string
*/
- protected $_xss_hash = '';
+ protected $_xss_hash = '';
/**
* Random Hash for Cross Site Request Forgery Protection Cookie
*
* @var string
*/
- protected $_csrf_hash = '';
+ protected $_csrf_hash = '';
/**
* Expiration time for Cross Site Request Forgery Protection Cookie
@@ -56,52 +56,55 @@ class CI_Security {
*
* @var int
*/
- protected $_csrf_expire = 7200;
+ protected $_csrf_expire = 7200;
/**
* Token name for Cross Site Request Forgery Protection Cookie
*
* @var string
*/
- protected $_csrf_token_name = 'ci_csrf_token';
+ protected $_csrf_token_name = 'ci_csrf_token';
/**
* Cookie name for Cross Site Request Forgery Protection Cookie
*
* @var string
*/
- protected $_csrf_cookie_name = 'ci_csrf_token';
+ protected $_csrf_cookie_name = 'ci_csrf_token';
/**
* List of never allowed strings
*
* @var array
*/
- protected $_never_allowed_str = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '&lt;!--',
- '-->' => '--&gt;',
- '<![CDATA[' => '&lt;![CDATA[',
- '<comment>' => '&lt;comment&gt;'
- );
+ protected $_never_allowed_str = array(
+ 'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
+ '.parentNode' => '[removed]',
+ '.innerHTML' => '[removed]',
+ 'window.location' => '[removed]',
+ '-moz-binding' => '[removed]',
+ '<!--' => '&lt;!--',
+ '-->' => '--&gt;',
+ '<![CDATA[' => '&lt;![CDATA[',
+ '<comment>' => '&lt;comment&gt;'
+ );
/**
* List of never allowed regex replacement
*
* @var array
*/
- protected $_never_allowed_regex = array(
- 'javascript\s*:',
- 'expression\s*(\(|&\#40;)', // CSS and IE
- 'vbscript\s*:', // IE, surprise!
- 'Redirect\s+302'
- );
+ protected $_never_allowed_regex = array(
+ 'javascript\s*:',
+ 'expression\s*(\(|&\#40;)', // CSS and IE
+ 'vbscript\s*:', // IE, surprise!
+ 'Redirect\s+302'
+ );
+ /**
+ * Initialize security class
+ */
public function __construct()
{
// Is CSRF protection enabled?
@@ -362,9 +365,9 @@ class CI_Security {
* These words are compacted back to their correct state.
*/
$words = array(
- 'javascript', 'expression', 'vbscript', 'script',
- 'applet', 'alert', 'document', 'write', 'cookie', 'window'
- );
+ 'javascript', 'expression', 'vbscript', 'script',
+ 'applet', 'alert', 'document', 'write', 'cookie', 'window'
+ );
foreach ($words as $word)
{
@@ -522,23 +525,23 @@ class CI_Security {
public function sanitize_filename($str, $relative_path = FALSE)
{
$bad = array(
- '../', '<!--', '-->', '<', '>',
- "'", '"', '&', '$', '#',
- '{', '}', '[', ']', '=',
- ';', '?', '%20', '%22',
- '%3c', // <
- '%253c', // <
- '%3e', // >
- '%0e', // >
- '%28', // (
- '%29', // )
- '%2528', // (
- '%26', // &
- '%24', // $
- '%3f', // ?
- '%3b', // ;
- '%3d' // =
- );
+ '../', '<!--', '-->', '<', '>',
+ "'", '"', '&', '$', '#',
+ '{', '}', '[', ']', '=',
+ ';', '?', '%20', '%22',
+ '%3c', // <
+ '%253c', // <
+ '%3e', // >
+ '%0e', // >
+ '%28', // (
+ '%29', // )
+ '%2528', // (
+ '%26', // &
+ '%24', // $
+ '%3f', // ?
+ '%3b', // ;
+ '%3d' // =
+ );
if ( ! $relative_path)
{
@@ -558,8 +561,8 @@ class CI_Security {
* Callback function for xss_clean() to remove whitespace from
* things like j a v a s c r i p t
*
- * @param type
- * @return type
+ * @param array
+ * @return string
*/
protected function _compact_exploded_words($matches)
{
@@ -568,8 +571,8 @@ class CI_Security {
// --------------------------------------------------------------------
- /*
- * Remove Evil HTML Attributes (like evenhandlers and style)
+ /**
+ * Remove Evil HTML Attributes (like event handlers and style)
*
* It removes the evil attribute and either:
* - Everything up until a space
@@ -838,4 +841,4 @@ class CI_Security {
}
/* End of file Security.php */
-/* Location: ./system/core/Security.php */
+/* Location: ./system/core/Security.php */ \ No newline at end of file