summaryrefslogtreecommitdiffstats
path: root/user_guide_src/source/libraries/security.rst
diff options
context:
space:
mode:
authorDerek Jones <derek.jones@ellislab.com>2011-10-05 20:34:52 +0200
committerDerek Jones <derek.jones@ellislab.com>2011-10-05 20:34:52 +0200
commit8ede1a2ecbb62577afd32996956c5feaf7ddf9b6 (patch)
tree2e960ec3b416b477f40bb546371f2d486f4a22f0 /user_guide_src/source/libraries/security.rst
parentd1ecd5cd4ae6ab5d37df9fbda14b93977b9e743c (diff)
replacing the old HTML user guide with a Sphinx-managed user guide
Diffstat (limited to 'user_guide_src/source/libraries/security.rst')
-rw-r--r--user_guide_src/source/libraries/security.rst90
1 files changed, 90 insertions, 0 deletions
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
new file mode 100644
index 000000000..340cf4d73
--- /dev/null
+++ b/user_guide_src/source/libraries/security.rst
@@ -0,0 +1,90 @@
+##############
+Security Class
+##############
+
+The Security Class contains methods that help you create a secure
+application, processing input data for security.
+
+XSS Filtering
+=============
+
+CodeIgniter comes with a Cross Site Scripting Hack prevention filter
+which can either run automatically to filter all POST and COOKIE data
+that is encountered, or you can run it on a per item basis. By default
+it does **not** run globally since it requires a bit of processing
+overhead, and since you may not need it in all cases.
+
+The XSS filter looks for commonly used techniques to trigger Javascript
+or other types of code that attempt to hijack cookies or do other
+malicious things. If anything disallowed is encountered it is rendered
+safe by converting the data to character entities.
+
+Note: This function should only be used to deal with data upon
+submission. It's not something that should be used for general runtime
+processing since it requires a fair amount of processing overhead.
+
+To filter data through the XSS filter use this function:
+
+$this->security->xss_clean()
+=============================
+
+Here is an usage example::
+
+ $data = $this->security->xss_clean($data);
+
+If you want the filter to run automatically every time it encounters
+POST or COOKIE data you can enable it by opening your
+application/config/config.php file and setting this::
+
+ $config['global_xss_filtering'] = TRUE;
+
+Note: If you use the form validation class, it gives you the option of
+XSS filtering as well.
+
+An optional second parameter, is_image, allows this function to be used
+to test images for potential XSS attacks, useful for file upload
+security. When this second parameter is set to TRUE, instead of
+returning an altered string, the function returns TRUE if the image is
+safe, and FALSE if it contained potentially malicious information that a
+browser may attempt to execute.
+
+::
+
+ if ($this->security->xss_clean($file, TRUE) === FALSE) {     // file failed the XSS test }
+
+$this->security->sanitize_filename()
+=====================================
+
+When accepting filenames from user input, it is best to sanitize them to
+prevent directory traversal and other security related issues. To do so,
+use the sanitize_filename() method of the Security class. Here is an
+example::
+
+ $filename = $this->security->sanitize_filename($this->input->post('filename'));
+
+If it is acceptable for the user input to include relative paths, e.g.
+file/in/some/approved/folder.txt, you can set the second optional
+parameter, $relative_path to TRUE.
+
+::
+
+ $filename = $this->security->sanitize_filename($this->input->post('filename'), TRUE);
+
+Cross-site request forgery (CSRF)
+=================================
+
+You can enable csrf protection by opening your
+application/config/config.php file and setting this::
+
+ $config['csrf_protection'] = TRUE;
+
+If you use the :doc:`form helper <../helpers/form_helper>` the
+form_open() function will automatically insert a hidden csrf field in
+your forms.
+
+Select URIs can be whitelisted from csrf protection (for example API
+endpoints expecting externally POSTed content). You can add these URIs
+by editing the 'csrf_exclude_uris' config parameter::
+
+ $config['csrf_exclude_uris'] = array('api/person/add');
+