diff options
author | Derek Jones <derek.jones@ellislab.com> | 2008-05-15 22:13:14 +0200 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2008-05-15 22:13:14 +0200 |
commit | 63fc5fe5c6d8c9c8a2d693b0f65c3c8af8f2a74f (patch) | |
tree | 49410adf5480f72cf7df6599538b833abc5e31d0 /user_guide | |
parent | 66c474d848907bb91c316e9acbbcaba6a2591032 (diff) |
added ability to use xss_clean() to test images, and improved security for vectors particular to the Opera family of browsers
Diffstat (limited to 'user_guide')
-rw-r--r-- | user_guide/changelog.html | 6 | ||||
-rw-r--r-- | user_guide/libraries/input.html | 5 |
2 files changed, 11 insertions, 0 deletions
diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 28eb39d3b..e15cfc4f2 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -71,6 +71,12 @@ SVN Revision: not currently released</p> <li>Set the mime type check in the <a href="libraries/file_uploading.html">Upload class</a> to reference the global mimes variable.</li>
</ul>
</li>
+ <li>Other changes
+ <ul>
+ <li>Added ability to <a href="libraries/input.html">use xss_clean() to test images</a> for XSS, useful for upload security.</li>
+ <li>Improved security in xss_clean() for the Opera family of browsers.</li>
+ </ul>
+ </li>
</ul>
diff --git a/user_guide/libraries/input.html b/user_guide/libraries/input.html index 17ed7f0ff..c95ebbd98 100644 --- a/user_guide/libraries/input.html +++ b/user_guide/libraries/input.html @@ -109,7 +109,12 @@ Note: This function should only be used to deal with data upon submission. It's <p>Note: If you use the form validation class, it gives you the option of XSS filtering as well.</p>
+<p>An optional second parameter, <dfn>is_image</dfn>, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to <dfn>TRUE</dfn>, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.</p>
+<code>if ($this->input->xss_clean($file, TRUE) === FALSE)<br />
+{<br />
+ // file failed the XSS test<br />
+}</code>
<h2>Using POST, COOKIE, or SERVER Data</h2>
|