Properties

$filename_bad_chars

$filename_bad_chars : array

List of strings removed by sanitize_filename()

Type

array

$charset

$charset : string

Character set

Will be overridden by the constructor.

Type

string

$_xss_hash

$_xss_hash : string

XSS Hash

Random Hash for protecting URLs.

Type

string

$_csrf_hash

$_csrf_hash : string

CSRF Hash

Random hash for the Cross Site Request Forgery protection cookie.

Type

string

$_csrf_expire

$_csrf_expire : integer

CSRF Expire time

Expiration time for Cross Site Request Forgery protection cookie. Defaults to two hours (in seconds).

Type

integer

$_csrf_token_name

$_csrf_token_name : string

CSRF Token name

Token name for Cross Site Request Forgery protection cookie.

Type

string

$_csrf_cookie_name

$_csrf_cookie_name : string

CSRF Cookie name

Cookie name for Cross Site Request Forgery protection cookie.

Type

string

$_never_allowed_str

$_never_allowed_str : array

List of never allowed strings

Type

array

$_never_allowed_regex

$_never_allowed_regex : array

List of never allowed regex replacements

Type

array

Methods

__construct()

__construct($charset) : void

Class constructor

Parameters

$charset

csrf_verify()

csrf_verify() : \CI_Security

CSRF Verify

Returns

\CI_Security

csrf_set_cookie()

csrf_set_cookie() : \CI_Security

CSRF Set Cookie

Returns

\CI_Security

csrf_show_error()

csrf_show_error() : void

Show CSRF Error

get_csrf_hash()

get_csrf_hash() : string

Get CSRF Hash

Returns

string — CSRF hash

get_csrf_token_name()

get_csrf_token_name() : string

Get CSRF Token Name

Returns

string — CSRF token name

xss_clean()

xss_clean(string|array<mixed,string> $str, boolean $is_image = FALSE) : string

XSS Clean

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This method does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: Should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

Parameters

string|array<mixed,string> $str

Input data

boolean $is_image

Whether the input is an image

Returns

string

xss_hash()

xss_hash() : string

XSS Hash

Generates the XSS hash if needed and returns it.

Returns

string — XSS hash

get_random_bytes()

get_random_bytes(integer $length) : string

Get random bytes

Parameters

integer $length

Output length

Returns

string

entity_decode()

entity_decode(string $str, string $charset = NULL) : string

HTML Entities Decode

A replacement for html_entity_decode()

We do not use html_entity_decode() by itself because, while it is not technically correct to leave out the semicolon at the end of an entity, most browsers will still interpret the entity correctly. html_entity_decode() does not convert entities without semicolons, so we are left with our own little solution here. Bummer.

Parameters

string $str

Input

string $charset

Character set

Returns

string
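As an added PHP illustration of the semicolon problem described above (this is not CodeIgniter's own entity_decode() code): html_entity_decode() leaves an unterminated entity such as &lt untouched, so a lenient decoder has to match known entity names itself before handing the rest to PHP. The helper name decode_entities_lenient and the sample string are assumptions made here.

```php
<?php
// Added illustration for this page; it is not CodeIgniter's own
// entity_decode() implementation. Decodes named HTML entities even when
// the trailing ';' is missing, which html_entity_decode() alone refuses
// to do (it leaves "&lt" untouched), then lets PHP handle the rest.
function decode_entities_lenient(string $str, string $charset = 'UTF-8'): string
{
    if (strpos($str, '&') === false) {
        return $str; // nothing that could be an entity
    }
    $flags = ENT_QUOTES | ENT_HTML5;

    // PHP gives '<' => '&lt;'; flipped to '&lt;' => '<' for lookups.
    static $table = null;
    if ($table === null) {
        $table = array_flip(get_html_translation_table(HTML_ENTITIES, $flags, $charset));
    }

    // Named entities with no ';' that are not immediately followed by
    // another letter: "&lt/b" and "&amp " qualify, "&ltscript" does not,
    // so the decoder never guesses where an unterminated name ends.
    $str = preg_replace_callback(
        '/&[a-z]{2,}(?![a-z;])/i',
        function (array $m) use ($table) {
            return $table[$m[0] . ';']               // exact case, e.g. &Eacute
                ?? $table[strtolower($m[0]) . ';']  // &LT, &AMP
                ?? $m[0];                           // unknown name: leave as-is
        },
        $str
    );

    // Numeric entities with no ';' (&#60, &#x3C): append it so that
    // html_entity_decode() will recognise them.
    $str = preg_replace(
        '/&#(?:x[0-9a-f]{2,5}(?![0-9a-f;])|[0-9]{2,4}(?![0-9;]))/i',
        '$0;',
        $str
    );

    return html_entity_decode($str, $flags, $charset);
}

// Constructed sample mixing terminated and unterminated entities.
$sample = 'Tom &amp Jerry &copy; 2020 &#60b&#62bold&lt/b&gt';
echo decode_entities_lenient($sample), PHP_EOL;
```

On the sample, the unterminated &amp, &#60, &#62, &lt and &gt are decoded alongside the terminated &copy;, which is exactly the browser behaviour the docblock above is working around. A decoder that feeds a filter such as xss_clean() should repeat this until the output stops changing, since an entity can itself encode another entity.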

sanitize_filename()

sanitize_filename(string $str, boolean $relative_path = FALSE) : string

Sanitize Filename

Parameters

string $str

Input file name

boolean $relative_path

Whether to preserve paths

Returns

string

strip_image_tags()

strip_image_tags(string $str) : string

Strip Image Tags

Parameters

string $str

Returns

string

_urldecodespaces()

_urldecodespaces(array $matches) : string

URL-decode taking spaces into account

Parameters

array $matches

Returns

string

_compact_exploded_words()

_compact_exploded_words(array $matches) : string

Compact Exploded Words

Callback method for xss_clean() to remove whitespace from things like 'j a v a s c r i p t'.

Parameters

array $matches

Returns

string

_sanitize_naughty_html()

_sanitize_naughty_html(array $matches) : string

Sanitize Naughty HTML

Callback method for xss_clean() to remove naughty HTML elements.

Parameters

array $matches

Returns

string

_js_link_removal()

_js_link_removal(array $match) : string

JS Link Removal

Callback method for xss_clean() to sanitize links.

This limits the PCRE backtracks, making it more performance-friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on link-heavy strings.

Parameters

array $match

Returns

string

_js_img_removal()

_js_img_removal(array $match) : string

JS Image Removal

Callback method for xss_clean() to sanitize image tags.

This limits the PCRE backtracks, making it more performance-friendly, and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in PHP 5.2+ on image-tag-heavy strings.

Parameters

array $match

Returns

string

_convert_attribute()

_convert_attribute(array $match) : string

Attribute Conversion

Parameters

array $match

Returns

string

_filter_attributes()

_filter_attributes(string $str) : string

Filter Attributes

Filters tag attributes for consistency and safety.

Parameters

string $str

Returns

string

_decode_entity()

_decode_entity(array $match) : string

HTML Entity Decode Callback

Parameters

array $match

Returns

string

_do_never_allowed()

_do_never_allowed($str) : string

Do Never Allowed

Parameters

$str

Returns

string

_csrf_set_hash()

_csrf_set_hash() : string

Set CSRF Hash and Cookie

Returns

string