Added protection in xss_clean() for GET variables in URLs

http://codeigniter.com/bug_tracker/bug/4167/
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index ee7e9ad..9b012d3 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -28,6 +28,7 @@
  */

 class CI_Input {

 	var $use_xss_clean		= FALSE;

+	var $xss_hash			= '';

 	var $ip_address			= FALSE;

 	var $user_agent			= FALSE;

 	var $allow_get_array	= FALSE;

@@ -530,7 +531,21 @@
 	 * @return	string

 	 */

 	function xss_clean($str)

-	{	

+	{

+		/*

+		 * Is the string an array?

+		 *

+		 */

+		if (is_array($str))

+		{

+			while (list($key) = each($str))

+			{

+				$str[$key] = $this->xss_clean($str[$key]);

+			}

+			

+			return $str;

+		}

+		

 		/*

 		 * Remove Null Characters

 		 *
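Review bot: The new array branch iterates with `while (list($key) = each($str))`, which starts from the array's current internal pointer rather than from the first element, so an array whose pointer a caller has already advanced would only be cleaned from that point on; `foreach ($str as $key => $value) { $str[$key] = $this->xss_clean($value); }` walks every element regardless of pointer state and is the clearer form. Only values are cleaned, keys are passed through unchanged, which the header comment should say, e.g. `* Is the string an array? If so, clean each value recursively (keys are left as-is).`. The body of xss_clean continues beyond this hunk.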

@@ -542,6 +557,14 @@
 		$str = preg_replace('/(\\\\0)+/', '', $str);

 

 		/*

+		 * Protect GET variables in URLs

+		 */

+		 

+		 // 901119URL5918AMP18930PROTECT8198

+		 

+		$str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str);

+

+		/*

 		 * Validate standard character entities

 		 *

 		 * Add a semicolon if missing.  We do this to enable
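Review bot: The placeholder substituted here is restored to `&` by the str_replace in the following hunk after the entity-normalisation step has already run, so the scheme relies on the hash value never occurring in the input on its own; the value is md5 over time() plus mt_rand(), which is not a cryptographic source, and it is reused for every xss_clean() call on the instance. The exposure looks small for a per-request placeholder, but the assumption deserves a comment beside the protect step, e.g. `// Placeholder is restored to '&' after entity validation, so it must be unguessable and never present in input.`. The stray `// 901119URL5918AMP18930PROTECT8198` line reads as a left-over from an earlier fixed placeholder and should be removed, and the `\&`, `\=`, `\_` escapes in the pattern are unnecessary. xss_clean starts and ends outside this hunk.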

@@ -559,6 +582,12 @@
 		$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);

 

 		/*

+		 * Un-Protect GET variables in URLs

+		 */

+		 

+		$str = str_replace($this->xss_hash(), '&', $str);

+		

+		/*

 		 * URL Decode

 		 *

 		 * Just in case stuff like this is submitted:

@@ -797,6 +826,29 @@
 	// --------------------------------------------------------------------

 	

 	/**

+	 * Random Hash for protecting URLs

+	 *

+	 * @access	public

+	 * @return	string

+	 */

+	function xss_hash()

+	{	

+		if ($this->xss_hash == '')

+		{

+			if (phpversion() >= 4.2)

+				mt_srand();

+			else

+				mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff);

+			

+			$this->xss_hash = md5(time() + mt_rand(0, 1999999999));

+		}

+		

+		return $this->xss_hash;

+	}

+

+	// --------------------------------------------------------------------

+	

+	/**

 	 * JS Link Removal

 	 *

 	 * Callback function for xss_clean() to sanitize links
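Review bot: `phpversion() >= 4.2` compares a version string with a float under loose comparison, so a value such as `'5.2.6'` is reduced to `5.2` before the check and the result holds by coincidence; `version_compare(phpversion(), '4.2.0', '>=')` is the reliable form. On PHP 4.2 and later the generator is seeded automatically, so the explicit `mt_srand()` call on that branch is redundant and the whole seeding block could be dropped. `$this->xss_hash == ''` should be `$this->xss_hash === ''` to avoid loose string comparison. The docblock should also state that the value is generated lazily and cached for the object's lifetime, e.g. `* Generated on first use and reused for all later xss_clean() calls on this instance.`.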

@@ -923,6 +975,6 @@
 

 }

 // END Input class

-
-/* End of file Input.php */
+

+/* End of file Input.php */

 /* Location: ./system/libraries/Input.php */
\ No newline at end of file