diff options
author | Greg Aker <greg.aker@ellislab.com> | 2011-04-27 08:47:47 +0200 |
---|---|---|
committer | Greg Aker <greg.aker@ellislab.com> | 2011-04-27 08:47:47 +0200 |
commit | a6507905578f1cf209776ae3d53099a005a06823 (patch) | |
tree | 9f23bb557f920034cf65c86059c84e37efd34d79 /user_guide/libraries/security.html | |
parent | 60ef4ea72e169e174ff8dbb421609a178a3c0c48 (diff) | |
parent | 25d495b4a2598f771a858108a2cd2e96f0130412 (diff) |
merging in changes
Diffstat (limited to 'user_guide/libraries/security.html')
-rw-r--r-- | user_guide/libraries/security.html | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/user_guide/libraries/security.html b/user_guide/libraries/security.html index 735187459..0cb1d0cb1 100644 --- a/user_guide/libraries/security.html +++ b/user_guide/libraries/security.html @@ -63,11 +63,11 @@ Security Class <h2>XSS Filtering</h2> <p>CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter -all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does <strong>not</strong> +all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does <strong>not</strong> run globally since it requires a bit of processing overhead, and since you may not need it in all cases.</p> <p>The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies -or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.</p> +or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.</p> <p> Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.</p> @@ -88,7 +88,7 @@ Note: This function should only be used to deal with data upon submission. It's <p>Note: If you use the form validation class, it gives you the option of XSS filtering as well.</p> -<p>An optional second parameter, <dfn>is_image</dfn>, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to <dfn>TRUE</dfn>, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.</p> +<p>An optional second parameter, <dfn>is_image</dfn>, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to <dfn>TRUE</dfn>, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.</p> <code>if ($this->security->xss_clean($file, TRUE) === FALSE)<br /> {<br /> @@ -98,7 +98,7 @@ Note: This function should only be used to deal with data upon submission. It's <h2>$this->security->sanitize_filename()</h2> -<p>When accepting filenames from user input, it is best to sanitize them to prevent directory traversal and other security related issues. To do so, use the <dfn>sanitize_filename()</dfn> method of the Security class. Here is an example:</p> +<p>When accepting filenames from user input, it is best to sanitize them to prevent directory traversal and other security related issues. To do so, use the <dfn>sanitize_filename()</dfn> method of the Security class. Here is an example:</p> <code>$filename = $this->security->sanitize_filename($this->input->post('filename'));</code> |