author Derek Jones <derek.jones@ellislab.com> 2008-05-15 22:13:14 +0200
committer Derek Jones <derek.jones@ellislab.com> 2008-05-15 22:13:14 +0200
commit 63fc5fe5c6d8c9c8a2d693b0f65c3c8af8f2a74f (patch)
tree 49410adf5480f72cf7df6599538b833abc5e31d0 /user_guide
parent 66c474d848907bb91c316e9acbbcaba6a2591032 (diff)
added ability to use xss_clean() to test images, and improved security for vectors particular to the Opera family of browsers
Diffstat (limited to 'user_guide')
-rw-r--r-- user_guide/changelog.html | 6
-rw-r--r-- user_guide/libraries/input.html | 5
2 files changed, 11 insertions, 0 deletions
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 28eb39d3b..e15cfc4f2 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -71,6 +71,12 @@ SVN Revision: not currently released</p>
<li>Set the mime type check in the <a href="libraries/file_uploading.html">Upload class</a> to reference the global mimes variable.</li>
</ul>
</li>
+ <li>Other changes
+ <ul>
+ <li>Added ability to <a href="libraries/input.html">use xss_clean() to test images</a> for XSS, useful for upload security.</li>
+ <li>Improved security in xss_clean() for the Opera family of browsers.</li>
+ </ul>
+ </li>
</ul>
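Review bot: the second added bullet, "Improved security in xss_clean() for the Opera family of browsers", is too vague for a changelog entry: a reader deciding whether to upgrade needs to know which class of input the filter now handles (the commit message speaks of "vectors particular to the Opera family" without naming them), so say what kind of markup or pattern is now caught, or link to the relevant part of libraries/input.html the way the first bullet does for the image test.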
diff --git a/user_guide/libraries/input.html b/user_guide/libraries/input.html
index 17ed7f0ff..c95ebbd98 100644
--- a/user_guide/libraries/input.html
+++ b/user_guide/libraries/input.html
@@ -109,7 +109,12 @@ Note: This function should only be used to deal with data upon submission. It's
<p>Note: If you use the form validation class, it gives you the option of XSS filtering as well.</p>
+<p>An optional second parameter, <dfn>is_image</dfn>, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to <dfn>TRUE</dfn>, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.</p>
+<code>if ($this->input->xss_clean($file, TRUE) === FALSE)<br />
+{<br />
+&nbsp;&nbsp;&nbsp;&nbsp;// file failed the XSS test<br />
+}</code>
<h2>Using POST, COOKIE, or SERVER Data</h2>
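Review bot: the new paragraph never says what `$file` is in the example, i.e. whether `xss_clean($file, TRUE)` expects the raw file contents or a filesystem path; state it explicitly, since the surrounding note about using the function "upon submission" implies callers will run it against the uploaded temporary file before moving it. The phrase "returns TRUE if the image is safe" also overstates what a pattern-based filter can establish; wording such as "returns TRUE if no potentially malicious content was detected" keeps the promise honest and makes clear that this test complements, rather than replaces, the mime type check referenced elsewhere in this changelog. Minor: the `=== FALSE` strict comparison in the example is the right one given the mixed string/boolean return, and is worth calling out in the text so callers do not rely on a loose falsy check.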