From 63fc5fe5c6d8c9c8a2d693b0f65c3c8af8f2a74f Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Thu, 15 May 2008 20:13:14 +0000
Subject: added ability to use xss_clean() to test images, and improved
security for vectors particular to the Opera family of browsers
---
user_guide/changelog.html | 6 ++++++
user_guide/libraries/input.html | 5 +++++
2 files changed, 11 insertions(+)
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 28eb39d3b..e15cfc4f2 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -71,6 +71,12 @@ SVN Revision: not currently released
Set the mime type check in the Upload class to reference the global mimes variable.
+ Other changes
+
+ - Added ability to use xss_clean() to test images for XSS, useful for upload security.
+ - Improved security in xss_clean() for the Opera family of browsers.
+
+
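Review bot: both new changelog bullets are too vague to act on. The first should name the new parameter (the second argument, is_image, set to TRUE) and the fact that the return type changes to a boolean in that mode, so a reader can find the feature on the Input library page; the second should say what was actually changed for the Opera family rather than just "Improved security", since a reader deciding whether to upgrade needs to know which input patterns xss_clean() now handles that it did not before. Something like "Added an is_image parameter to xss_clean() that returns TRUE/FALSE instead of a filtered string, for checking uploaded images" would do for the first.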
diff --git a/user_guide/libraries/input.html b/user_guide/libraries/input.html
index 17ed7f0ff..c95ebbd98 100644
--- a/user_guide/libraries/input.html
+++ b/user_guide/libraries/input.html
@@ -109,7 +109,12 @@ Note: This function should only be used to deal with data upon submission. It's
Note: If you use the form validation class, it gives you the option of XSS filtering as well.
+An optional second parameter, is_image, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to TRUE, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.
+if ($this->input->xss_clean($file, TRUE) === FALSE)
+{
+ // file failed the XSS test
+}
Using POST, COOKIE, or SERVER Data
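Review bot: "returns TRUE if the image is safe" overstates what a string filter can establish; say instead that it returns TRUE when xss_clean() found none of the script or markup patterns it checks for, and keep the existing wording about FALSE meaning "potentially malicious information that a browser may attempt to execute". A pass is not proof the file is harmless and is not a substitute for the Upload class's own type checks, so the paragraph should say that explicitly. The snippet also uses $file without saying what it holds: since the function normally takes and returns a string, state that it expects the file's contents as a string rather than a path, and have the example show where $file comes from so readers do not pass the uploaded filename by mistake. The === FALSE comparison is correct and worth keeping, because in is_image mode the function no longer returns a string.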
--