-rw-r--r-- | system/libraries/Input.php | 58 | ||||
-rw-r--r-- | user_guide/changelog.html | 2 |
2 files changed, 57 insertions, 3 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index ee7e9ad31..9b012d320 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -28,6 +28,7 @@ */
class CI_Input {
var $use_xss_clean = FALSE;
+ var $xss_hash = '';
var $ip_address = FALSE;
var $user_agent = FALSE;
var $allow_get_array = FALSE;
@@ -530,7 +531,21 @@ class CI_Input { * @return string
*/
function xss_clean($str)
- {
+ {
+ /*
+ * Is the string an array?
+ *
+ */
+ if (is_array($str))
+ {
+ while (list($key) = each($str))
+ {
+ $str[$key] = $this->xss_clean($str[$key]);
+ }
+
+ return $str;
+ }
+
/*
* Remove Null Characters
*
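Review bot: The array branch at `while (list($key) = each($str))` walks the array from its current internal pointer, so an array whose pointer has already been advanced by the caller (the position is presumably copied along with the array — worth confirming on the targeted PHP versions) would have its leading elements returned uncleaned; a `foreach` has no such dependency: `foreach ($str as $key => $val) { $str[$key] = $this->xss_clean($val); }`. The docblock's `@return string` at the top of the hunk is now incomplete, since an array input returns an array; `@return string|array` would match the new behaviour, and the `@param` line above the hunk needs the same widening. Array keys are deliberately not cleaned, which is fine as long as the docblock says so. xss_clean's body continues past the end of this hunk.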
@@ -542,6 +557,14 @@ class CI_Input { $str = preg_replace('/(\\\\0)+/', '', $str);
/*
+ * Protect GET variables in URLs
+ */
+
+ // 901119URL5918AMP18930PROTECT8198
+
+ $str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str);
+
+ /*
* Validate standard character entities
*
* Add a semicolon if missing. We do this to enable
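Review bot: The protection pattern `\&([a-z\_0-9]+)\=([a-z\_0-9]+)` only matches pairs whose name and value are entirely `[a-z_0-9]`, so forms such as `&foo[]=1` or `&foo=` still reach the entity-validation step below and get a semicolon appended; the changelog entry describes the bug as fixed in general, so either widen the pattern deliberately or document the limitation. The line `// 901119URL5918AMP18930PROTECT8198` reads as a leftover fixed placeholder from before the random `xss_hash()` token was introduced; replace it with a comment stating the intent, e.g. `// Swap '&' in name=value pairs for a per-instance random token so the entity validation below does not append ';' to them; the token is swapped back once validation is done.` The un-protect step in the next hunk (`str_replace($this->xss_hash(), '&', $str)`) depends on that token never occurring in the input, which is why it must stay unpredictable.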
@@ -559,6 +582,12 @@ class CI_Input { $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);
/*
+ * Un-Protect GET variables in URLs
+ */
+
+ $str = str_replace($this->xss_hash(), '&', $str);
+
+ /*
* URL Decode
*
* Just in case stuff like this is submitted:
@@ -797,6 +826,29 @@ class CI_Input { // --------------------------------------------------------------------
/**
+ * Random Hash for protecting URLs
+ *
+ * @access public
+ * @return string
+ */
+ function xss_hash()
+ {
+ if ($this->xss_hash == '')
+ {
+ if (phpversion() >= 4.2)
+ mt_srand();
+ else
+ mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff);
+
+ $this->xss_hash = md5(time() + mt_rand(0, 1999999999));
+ }
+
+ return $this->xss_hash;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
* JS Link Removal
*
* Callback function for xss_clean() to sanitize links
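Review bot: `phpversion() >= 4.2` compares a version string against a float and relies on loose numeric conversion of strings like `"5.2.6"`, which is fragile across PHP versions; `version_compare(PHP_VERSION, '4.2.0', '>=')` is the idiomatic check, and `$this->xss_hash == ''` should be `=== ''`. `mt_rand()` is not a cryptographically strong source, and xss_clean's protect/un-protect round-trip relies on this token not appearing in caller-supplied input, so the docblock should state the contract: `Returns a per-instance random token that xss_clean() substitutes for '&' in name=value pairs; it must be unpredictable to the input being cleaned, and mt_rand() is only as strong as its seed.` Seeding a new `mt_srand()` on every first call also reseeds the generator for the rest of the request, which is worth a comment if intended.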
@@ -923,6 +975,6 @@ class CI_Input { }
// END Input class
- -/* End of file Input.php */ +
+/* End of file Input.php */
/* Location: ./system/libraries/Input.php */
\ No newline at end of file
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index de579f1ac..c7e48d855 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -109,6 +109,7 @@ SVN Commit: not currently released</p> <li>Other
Changes
<ul>
+ <li>Added ability for <a href="libraries/input.html">xss_clean()</a> to accept arrays.</li>
<li>Removed closing PHP tags from all PHP files to avoid accidental output and potential 'cannot modify headers' errors.</li>
<li>Added a <a href="general/reserved_names.html">Reserved Names</a> page to the userguide, and migrated reserved controller names into it.</li>
<li>Added a <a href="general/common_functions.html">Common Functions</a> page to the userguide for globally available functions.</li>
@@ -128,6 +129,7 @@ SVN Commit: not currently released</p> <li>Fixed an AR_caching error where it wasn't tracking table aliases (#3463).</li>
<li>Fixed a bug in AR compiling, where select statements with arguments got incorrectly escaped (#3478).</li>
<li>Fixed an AR bug with or_where_not_in() (#4171).</li>
+ <li>Fixed a bug with <a href="libraries/input.html">xss_clean()</a> that would add semicolons to GET URI variable strings.</li>
<li>Fixed a bug in the FTP library where delete_dir() was not working recursively (#4215).</li>
<li>Fixed a Validation bug when set_rules() is used with a non-array field name and rule (#4220).</li>
<li>Fixed a bug in the Upload library that might output the same error twice (#4390).</li>