author | Derek Jones <derek.jones@ellislab.com> | 2008-05-13 16:44:32 +0200 |
committer | Derek Jones <derek.jones@ellislab.com> | 2008-05-13 16:44:32 +0200 |
commit | e3332b0ab5dfcc42994fe4c2c1827f4e41f35c7b (patch) | |
tree | caa0896cbe168bd39576981ff21720d3b4a49fba /system | |
parent | a065bab0fb0fdd6c0012db137ab8e065b131a2e9 (diff) |
increased security and performance of xss_clean(), added _sanitize_naughty_html() callback and moved the "never allowed" items into class properties
Diffstat (limited to 'system')
-rw-r--r-- | system/libraries/Input.php | 80 |
1 files changed, 56 insertions, 24 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 978d1ff34..c86a3cec0 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -32,7 +32,26 @@ class CI_Input {
 var $ip_address = FALSE;
var $user_agent = FALSE;
var $allow_get_array = FALSE;
-
+
+ /* never allowed, string replacement */
+ var $never_allowed_str = array(
+ 'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
+ '.parentNode' => '[removed]',
+ '.innerHTML' => '[removed]',
+ 'window.location' => '[removed]',
+ '-moz-binding' => '[removed]',
+ '<!--' => '<!--',
+ '-->' => '-->',
+ '<![CDATA[' => '<![CDATA['
+ );
+ /* never allowed, regex replacement */
+ var $never_allowed_regex = array(
+ "javascript\s*:" => '[removed]',
+ "expression\s*\(" => '[removed]', // CSS and IE
+ "Redirect\s+302" => '[removed]'
+ );
+
/**
* Constructor
*
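Review bot: The two blocklists added at the top of the class are declared with `var`, which makes them public, so any code holding the Input instance can replace or empty them at runtime and silently disable the "never allowed" pass of xss_clean(), and the one-line comments above them do not say that they are filter-critical. Keeping `var` is presumably for PHP 4 compatibility, so at least state the intent in a docblock such as `/** Literal substrings xss_clean() always strips (matched case-sensitively via str_replace); treat as read-only */` on `$never_allowed_str`, with the equivalent on `$never_allowed_regex` noting that each key is compiled as a pattern with the `i` modifier. Because those keys are interpolated raw between `#` delimiters in the loop below, the docblock should also say a key must not contain `#` and must be a valid PCRE fragment.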
@@ -663,30 +682,13 @@ class CI_Input {
 /*
* Not Allowed Under Any Conditions
*/
- $bad = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '<!--',
- '-->' => '-->',
- '<![CDATA[' => '<![CDATA['
- );
-
- foreach ($bad as $key => $val)
+
+ foreach ($this->never_allowed_str as $key => $val)
{
$str = str_replace($key, $val, $str);
}
-
- $bad = array(
- "javascript\s*:" => '[removed]',
- "expression\s*\(" => '[removed]', // CSS and IE
- "Redirect\s+302" => '[removed]'
- );
-
- foreach ($bad as $key => $val)
+
+ foreach ($this->never_allowed_regex as $key => $val)
{
$str = preg_replace("#".$key."#i", $val, $str);
}
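Review bot: The `never_allowed_str` loop uses `str_replace`, which is case-sensitive, while `-moz-binding` is a CSS property name and CSS property names are ASCII case-insensitive, so a payload spelling it `-MOZ-BINDING` passes this pass untouched (the JavaScript identifiers in the same list, such as `document.cookie`, are case-sensitive in JS and are fine). The smallest fix within this structure is to move that entry into `$never_allowed_regex`, whose loop already compiles every key with the `i` modifier: `"-moz-binding" => '[removed]'`. Whether a later pass of xss_clean() would catch the uppercase form cannot be seen from this hunk; xss_clean() itself starts and ends outside it.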
@@ -774,7 +776,8 @@ class CI_Input {
 * Becomes: <blink>
*
*/
- $str = preg_replace('#<(/*\s*)(alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss)([^>]*)>#is', "<\\1\\2\\3>", $str);
+ $naughty = 'alert|applet|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|layer|link|meta|object|plaintext|style|script|textarea|title|xml|xss';
+ $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
/*
* Sanitize naughty scripting elements
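Review bot: The new pattern's last group `([><]*)` is greedy and can capture more than one character, for example `><` in `<script><b>` or `>>` in `<script>>`, but `_sanitize_naughty_html()` re-emits that group only when it is exactly `>` or exactly `<`, so any longer run is silently deleted from the output and `<script><b>` comes back as `&lt;scriptb>`. Capturing at most one bracket, `([><]?)`, keeps the anti-recursion behaviour while leaving the remaining bracket in the string for the next match or the surrounding text to handle. The callback is defined in a later hunk of this diff, and the enclosing xss_clean() body lies outside this hunk.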
@@ -807,7 +810,7 @@ class CI_Input {
 '-moz-binding' => '[removed]',
'<!--' => '<!--',
'-->' => '-->',
- '<!CDATA[' => '<![CDATA['
+ '<![CDATA[' => '<![CDATA['
);
foreach ($bad as $key => $val)
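Review bot: The `$bad` array whose CDATA key is corrected here is a second, inline copy of the list this same commit moved into `$this->never_allowed_str` for the first pass, and the typo being fixed is exactly the drift that two copies invite. Replacing the array with `foreach ($this->never_allowed_str as $key => $val)` on the hunk's last line keeps both passes in lockstep; the array itself begins outside this hunk, as does the enclosing xss_clean(). If the second pass is meant to differ from the first, a one-line comment saying why would stop a later reader from deduplicating it.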
@@ -855,7 +858,36 @@ class CI_Input {
 }
// --------------------------------------------------------------------
+
+ /**
+ * Sanitize Naughty HTML
+ *
+ * Callback function for xss_clean() to remove naughty HTML elements
+ *
+ * @access private
+ * @param array
+ * @return string
+ */
+ function _sanitize_naughty_html($matches)
+ {
+ // encode opening brace
+ $str = '<'.$matches[1].$matches[2].$matches[3];
+
+ // encode captured opening or closing brace to prevent recursive vectors
+ if ($matches[4] == '>')
+ {
+ $str .= '>';
+ }
+ elseif ($matches[4] == '<')
+ {
+ $str .= '<';
+ }
+ return $str;
+ }
+
+ // --------------------------------------------------------------------
+
/**
* JS Link Removal
*
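Review bot: `_sanitize_naughty_html()` emits nothing for `$matches[4]` when it is anything other than a single `>` or `<` — the calling regex's `[><]*` can hand it an empty string or a run such as `><` — and the comments call the angle brackets "braces". Encoding whatever was captured, `$str .= str_replace(array('<', '>'), array('&lt;', '&gt;'), $matches[4]);`, removes the coupling to the exact regex and never loses input characters. The docblock should also describe the groups it relies on, e.g. `@param array $matches  [1] slashes/whitespace after the bracket, [2] the tag name, [3] attribute text up to the next bracket, [4] the bracket run (zero or more of < and >)`, and note that `@access private` is advisory only, since a PHP 4-style `function` is callable from anywhere.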