From 9898b892baed8d20f4138cb88c4f4ca3a082e444 Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Wed, 10 Mar 2010 14:04:17 -0600
Subject: added Security class docs, cleaned up Input class for changes to both
---
user_guide/changelog.html | 1 +
user_guide/general/security.html | 2 +-
user_guide/helpers/cookie_helper.html | 44 +-----------
user_guide/libraries/input.html | 81 ++++++++++++++--------
user_guide/libraries/security.html | 123 ++++++++++++++++++++++++++++++++++
user_guide/libraries/sessions.html | 2 +-
user_guide/nav/nav.js | 1 +
user_guide/toc.html | 1 +
8 files changed, 182 insertions(+), 73 deletions(-)
create mode 100644 user_guide/libraries/security.html
(limited to 'user_guide')
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 8dcc9060f..eb5cf93cd 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -72,6 +72,7 @@ Hg Tag:
Libraries
+
Added Security library, which now contains the xss_clean function, filename_security function and other security related functions.
Added $parse_exec_vars property to Output library.
Added ability to enable / disable individual sections of the Profiler
Added "is_object" into the list of unit tests capable of being run.
diff --git a/user_guide/general/security.html b/user_guide/general/security.html
index 593ffd584..bc969f73a 100644
--- a/user_guide/general/security.html
+++ b/user_guide/general/security.html
@@ -112,7 +112,7 @@ XML-RPC data, or even data from the SERVER array, you are encouraged to practice
CodeIgniter comes with a Cross Site Scripting filter. This filter looks for commonly
used techniques to embed malicious Javascript into your data, or other types of code that attempt to hijack cookies
-or do other malicious things. The XSS Filter is described here.
+or do other malicious things. The XSS Filter is described here.
Sets a cookie containing the values you specify. There are two ways to pass information to this function so that a cookie can be set:
-Array Method, and Discrete Parameters:
-
-
Array Method
-
-
Using this method, an associative array is passed to the first parameter:
Only the name and value are required. To delete a cookie set it with the expiration blank.
-
-
The expiration is set in seconds, which will be added to the current time. Do not include the time, but rather only the
-number of seconds from now that you wish the cookie to be valid. If the expiration is set to
-zero the cookie will only last as long as the browser is open.
-
For site-wide cookies regardless of how your site is requested, add your URL to the domain starting with a period, like this: .your-domain.com
-
The path is usually not needed since the function sets a root path.
-
The prefix is only needed if you need to avoid name collisions with other identically named cookies for your server.
-
-
Discrete Parameters
-
-
If you prefer, you can set the cookie by passing data using individual parameters:
This helper function gives you view file friendly syntax to set browser cookies. Refer to the Input class for a description of use, as this function is an alias to $this->input->set_cookie().
get_cookie()
-
Lets you fetch a cookie. The first parameter will contain the name of the cookie you are looking for (including any prefixes):
-
-get_cookie('some_cookie');
-
-
The function returns FALSE (boolean) if the item you are attempting to retrieve does not exist.
+
This helper function gives you view file friendly syntax to get browser cookies. Refer to the Input class for a description of use, as this function is an alias to $this->input->cookie().
-
The second optional parameter lets you run the data through the XSS filter. It's enabled by setting the second parameter to boolean TRUE;
-
get_cookie('some_cookie', TRUE);
delete_cookie()
Lets you delete a cookie. Unless you've set a custom path or other values, only the name of the cookie is needed:
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter
-all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not
-run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
-
-
The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies
-or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.
-
-
-Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
-
-
-
To filter data through the XSS filter use this function:
-
-
$this->input->xss_clean()
-
-
Here is an usage example:
-
-$data = $this->input->xss_clean($data);
-
-
If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your
+
The Input class has the ability to filter input automatically to prevent cross-site scripting attacks. If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your
application/config/config.php file and setting this:
$config['global_xss_filtering'] = TRUE;
-
Note: If you use the form validation class, it gives you the option of XSS filtering as well.
-
-
An optional second parameter, is_image, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to TRUE, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.
-
-if ($this->input->xss_clean($file, TRUE) === FALSE)
-{
- // file failed the XSS test
-}
+
Please refer to the Security class documentation for information on using XSS Filtering in your application.
Sets a cookie containing the values you specify. There are two ways to pass information to this function so that a cookie can be set:
+Array Method, and Discrete Parameters:
+
+
Array Method
+
+
Using this method, an associative array is passed to the first parameter:
Only the name and value are required. To delete a cookie set it with the expiration blank.
+
+
The expiration is set in seconds, which will be added to the current time. Do not include the time, but rather only the
+number of seconds from now that you wish the cookie to be valid. If the expiration is set to
+zero the cookie will only last as long as the browser is open.
+
For site-wide cookies regardless of how your site is requested, add your URL to the domain starting with a period, like this: .your-domain.com
+
The path is usually not needed since the function sets a root path.
+
The prefix is only needed if you need to avoid name collisions with other identically named cookies for your server.
+
+
Discrete Parameters
+
+
If you prefer, you can set the cookie by passing data using individual parameters:
The Security Class contains methods that help you create a secure application, processing input data for security.
+
+
XSS Filtering
+
+
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter
+all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not
+run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
+
+
The XSS filter looks for commonly used techniques to trigger Javascript or other types of code that attempt to hijack cookies
+or do other malicious things. If anything disallowed is encountered it is rendered safe by converting the data to character entities.
+
+
+Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
+
+
+
To filter data through the XSS filter use this function:
+
+
$this->security->xss_clean()
+
+
Here is an usage example:
+
+$data = $this->security->xss_clean($data);
+
+
If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your
+application/config/config.php file and setting this:
+
+$config['global_xss_filtering'] = TRUE;
+
+
Note: If you use the form validation class, it gives you the option of XSS filtering as well.
+
+
An optional second parameter, is_image, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to TRUE, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.
+
+if ($this->security->xss_clean($file, TRUE) === FALSE)
+{
+ // file failed the XSS test
+}
+
+
+
$this->security->sanitize_filename()
+
+
When accepting filenames from user input, it is best to sanitize them to prevent directory traversal and other security related issues. To do so, use the sanitize_filename() method of the Security class. Here is an example:
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/user_guide/libraries/sessions.html b/user_guide/libraries/sessions.html
index 059f6fbc6..31b4047e5 100644
--- a/user_guide/libraries/sessions.html
+++ b/user_guide/libraries/sessions.html
@@ -298,7 +298,7 @@ do not need to write your own routine to do it.