Blame - system/libraries/Input.php - code-igniter-v3-giggi

blob: 8c08468bd4e59477a2b17584c6163523046a40d9 [file] [log] [blame]

Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	1	<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	2	/**
Derek Allard	d2df9bc	2007-04-15 17:41:17 +0000	[diff] [blame]	3	* CodeIgniter
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	4	*
				5	* An open source application development framework for PHP 4.3.2 or newer
				6	*
				7	* @package CodeIgniter
Derek Allard	3d879d5	2008-01-18 19:41:32 +0000	[diff] [blame]	8	* @author ExpressionEngine Dev Team
Derek Allard	d2df9bc	2007-04-15 17:41:17 +0000	[diff] [blame]	9	* @copyright Copyright (c) 2006, EllisLab, Inc.
Derek Jones	7a9193a	2008-01-21 18:39:20 +0000	[diff] [blame]	10	* @license http://codeigniter.com/user_guide/license.html
				11	* @link http://codeigniter.com
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	12	* @since Version 1.0
				13	* @filesource
				14	*/
				15
				16	// ------------------------------------------------------------------------
				17
				18	/**
				19	* Input Class
				20	*
				21	* Pre-processes global input data for security
				22	*
				23	* @package CodeIgniter
				24	* @subpackage Libraries
				25	* @category Input
Derek Allard	3d879d5	2008-01-18 19:41:32 +0000	[diff] [blame]	26	* @author ExpressionEngine Dev Team
Derek Jones	7a9193a	2008-01-21 18:39:20 +0000	[diff] [blame]	27	* @link http://codeigniter.com/user_guide/libraries/input.html
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	28	*/
				29	class CI_Input {
				30	var $use_xss_clean = FALSE;
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	31	var $xss_hash = '';
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	32	var $ip_address = FALSE;
				33	var $user_agent = FALSE;
				34	var $allow_get_array = FALSE;
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	35
				36	/* never allowed, string replacement */
				37	var $never_allowed_str = array(
				38	'document.cookie' => '[removed]',
				39	'document.write' => '[removed]',
				40	'.parentNode' => '[removed]',
				41	'.innerHTML' => '[removed]',
				42	'window.location' => '[removed]',
				43	'-moz-binding' => '[removed]',
				44	'<!--' => '<!--',
				45	'-->' => '-->',
				46	'<![CDATA[' => '<![CDATA['
				47	);
				48	/* never allowed, regex replacement */
				49	var $never_allowed_regex = array(
				50	"javascript\s*:" => '[removed]',
				51	"expression\s*\(" => '[removed]', // CSS and IE
				52	"Redirect\s+302" => '[removed]'
				53	);
				54
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	55	/**
				56	* Constructor
				57	*
				58	* Sets whether to globally enable the XSS processing
				59	* and whether to allow the $_GET array
				60	*
				61	* @access public
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	62	*/
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	63	function CI_Input()
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	64	{
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	65	log_message('debug', "Input Class Initialized");
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	66
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	67	$CFG =& load_class('Config');
				68	$this->use_xss_clean = ($CFG->item('global_xss_filtering') === TRUE) ? TRUE : FALSE;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	69	$this->allow_get_array = ($CFG->item('enable_query_strings') === TRUE) ? TRUE : FALSE;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	70	$this->_sanitize_globals();
				71	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	72
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	73	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	74
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	75	/**
				76	* Sanitize Globals
				77	*
				78	* This function does the following:
				79	*
				80	* Unsets $_GET data (if query strings are not enabled)
				81	*
				82	* Unsets all globals if register_globals is enabled
				83	*
				84	* Standardizes newline characters to \n
				85	*
				86	* @access private
				87	* @return void
				88	*/
				89	function _sanitize_globals()
				90	{
Derek Jones	d85a11e	2008-01-24 20:48:07 +0000	[diff] [blame]	91	// Would kind of be "wrong" to unset any of these GLOBALS
				92	$protected = array('_SERVER', '_GET', '_POST', '_FILES', '_REQUEST', '_SESSION', '_ENV', 'GLOBALS', 'HTTP_RAW_POST_DATA',
				93	'system_folder', 'application_folder', 'BM', 'EXT', 'CFG', 'URI', 'RTR', 'OUT', 'IN');
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	94
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	95	// Unset globals for security.
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	96	// This is effectively the same as register_globals = off
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	97	foreach (array($_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, (isset($_SESSION) && is_array($_SESSION)) ? $_SESSION : array()) as $global)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	98	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	99	if ( ! is_array($global))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	100	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	101	if ( ! in_array($global, $protected))
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	102	{
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	103	unset($GLOBALS[$global]);
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	104	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	105	}
				106	else
				107	{
				108	foreach ($global as $key => $val)
				109	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	110	if ( ! in_array($key, $protected))
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	111	{
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	112	unset($GLOBALS[$key]);
				113	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	114
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	115	if (is_array($val))
				116	{
				117	foreach($val as $k => $v)
				118	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	119	if ( ! in_array($k, $protected))
Derek Jones	0ea06fd	2008-02-05 15:23:51 +0000	[diff] [blame]	120	{
				121	unset($GLOBALS[$k]);
				122	}
				123	}
paulburdick	8816aaa	2007-06-27 23:07:36 +0000	[diff] [blame]	124	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	125	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	126	}
				127	}
				128
				129	// Is $_GET data allowed? If not we'll set the $_GET to an empty array
				130	if ($this->allow_get_array == FALSE)
				131	{
				132	$_GET = array();
				133	}
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	134	else
				135	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	136	$_GET = $this->_clean_input_data($_GET);
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	137	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	138
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	139	// Clean $_POST Data
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	140	$_POST = $this->_clean_input_data($_POST);
				141
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	142	// Clean $_COOKIE Data
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	143	$_COOKIE = $this->_clean_input_data($_COOKIE);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	144
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	145	log_message('debug', "Global POST and COOKIE data sanitized");
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	146	}
				147
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	148	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	149
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	150	/**
				151	* Clean Input Data
				152	*
				153	* This is a helper function. It escapes data and
				154	* standardizes newline characters to \n
				155	*
				156	* @access private
				157	* @param string
				158	* @return string
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	159	*/
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	160	function _clean_input_data($str)
				161	{
				162	if (is_array($str))
				163	{
				164	$new_array = array();
				165	foreach ($str as $key => $val)
				166	{
				167	$new_array[$this->_clean_input_keys($key)] = $this->_clean_input_data($val);
				168	}
				169	return $new_array;
				170	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	171
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	172	// We strip slashes if magic quotes is on to keep things consistent
				173	if (get_magic_quotes_gpc())
				174	{
				175	$str = stripslashes($str);
				176	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	177
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	178	// Should we filter the input data?
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	179	if ($this->use_xss_clean === TRUE)
				180	{
				181	$str = $this->xss_clean($str);
				182	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	183
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	184	// Standardize newlines
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	185	if (strpos($str, "\r") !== FALSE)
				186	{
				187	$str = str_replace(array("\r\n", "\r"), "\n", $str);
				188	}
				189
				190	return $str;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	191	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	192
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	193	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	194
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	195	/**
				196	* Clean Keys
				197	*
				198	* This is a helper function. To prevent malicious users
				199	* from trying to exploit keys we make sure that keys are
				200	* only named with alpha-numeric text and a few other items.
				201	*
				202	* @access private
				203	* @param string
				204	* @return string
				205	*/
				206	function _clean_input_keys($str)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	207	{
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	208	if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	209	{
				210	exit('Disallowed Key Characters.');
				211	}
Rick Ellis	bb2041d	2007-06-09 00:16:13 +0000	[diff] [blame]	212
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	213	return $str;
				214	}
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	215
				216	// --------------------------------------------------------------------
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	217
				218	/**
				219	* Fetch from array
				220	*
				221	* This is a helper function to retrieve values from global arrays
				222	*
				223	* @access private
				224	* @param array
				225	* @param string
				226	* @param bool
				227	* @return string
				228	*/
				229	function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE)
				230	{
				231	if ( ! isset($array[$index]))
				232	{
				233	return FALSE;
				234	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	235
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	236	if ($xss_clean === TRUE)
				237	{
				238	return $this->xss_clean($array[$index]);
				239	}
				240
				241	return $array[$index];
				242	}
				243
				244	// --------------------------------------------------------------------
				245
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	246	/**
				247	* Fetch an item from the GET array
				248	*
				249	* @access public
				250	* @param string
				251	* @param bool
				252	* @return string
				253	*/
Derek Allard	87d1eeb	2007-03-01 13:20:43 +0000	[diff] [blame]	254	function get($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	255	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	256	return $this->_fetch_from_array($_GET, $index, $xss_clean);
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	257	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	258
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	259	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	260
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	261	/**
				262	* Fetch an item from the POST array
				263	*
				264	* @access public
				265	* @param string
				266	* @param bool
				267	* @return string
				268	*/
				269	function post($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	270	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	271	return $this->_fetch_from_array($_POST, $index, $xss_clean);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	272	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	273
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	274	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	275
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	276	/**
				277	* Fetch an item from the COOKIE array
				278	*
				279	* @access public
				280	* @param string
				281	* @param bool
				282	* @return string
				283	*/
				284	function cookie($index = '', $xss_clean = FALSE)
				285	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	286	return $this->_fetch_from_array($_COOKIE, $index, $xss_clean);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	287	}
				288
				289	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	290
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	291	/**
				292	* Fetch an item from the SERVER array
				293	*
				294	* @access public
				295	* @param string
				296	* @param bool
				297	* @return string
				298	*/
				299	function server($index = '', $xss_clean = FALSE)
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	300	{
Derek Jones	144cb5b	2008-06-04 19:38:00 +0000	[diff] [blame]	301	return $this->_fetch_from_array($_SERVER, $index, $xss_clean);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	302	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	303
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	304	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	305
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	306	/**
				307	* Fetch the IP Address
				308	*
				309	* @access public
				310	* @return string
				311	*/
				312	function ip_address()
				313	{
				314	if ($this->ip_address !== FALSE)
				315	{
				316	return $this->ip_address;
				317	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	318
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	319	if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP'))
				320	{
				321	$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
				322	}
				323	elseif ($this->server('REMOTE_ADDR'))
				324	{
				325	$this->ip_address = $_SERVER['REMOTE_ADDR'];
				326	}
				327	elseif ($this->server('HTTP_CLIENT_IP'))
				328	{
				329	$this->ip_address = $_SERVER['HTTP_CLIENT_IP'];
				330	}
				331	elseif ($this->server('HTTP_X_FORWARDED_FOR'))
				332	{
				333	$this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR'];
				334	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	335
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	336	if ($this->ip_address === FALSE)
				337	{
				338	$this->ip_address = '0.0.0.0';
				339	return $this->ip_address;
				340	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	341
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	342	if (strstr($this->ip_address, ','))
				343	{
				344	$x = explode(',', $this->ip_address);
				345	$this->ip_address = end($x);
				346	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	347
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	348	if ( ! $this->valid_ip($this->ip_address))
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	349	{
				350	$this->ip_address = '0.0.0.0';
				351	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	352
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	353	return $this->ip_address;
				354	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	355
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	356	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	357
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	358	/**
				359	* Validate IP Address
				360	*
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	361	* Updated version suggested by Geert De Deckere
				362	*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	363	* @access public
				364	* @param string
				365	* @return string
				366	*/
				367	function valid_ip($ip)
				368	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	369	$ip_segments = explode('.', $ip);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	370
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	371	// Always 4 segments needed
				372	if (count($ip_segments) != 4)
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	373	{
				374	return FALSE;
				375	}
Rick Ellis	65e8f0e	2007-06-12 03:53:21 +0000	[diff] [blame]	376	// IP can not start with 0
Rick Ellis	3921314	2007-06-12 03:53:12 +0000	[diff] [blame]	377	if (substr($ip_segments[0], 0, 1) == '0')
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	378	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	379	return FALSE;
				380	}
				381	// Check each segment
				382	foreach ($ip_segments as $segment)
				383	{
				384	// IP segments must be digits and can not be
				385	// longer than 3 digits or greater then 255
Rick Ellis	ba64893	2007-06-12 03:39:38 +0000	[diff] [blame]	386	if (preg_match("/[^0-9]/", $segment) OR $segment > 255 OR strlen($segment) > 3)
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	387	{
Rick Ellis	e666afc	2007-06-11 05:03:11 +0000	[diff] [blame]	388	return FALSE;
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	389	}
				390	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	391
Rick Ellis	112569d	2007-02-26 19:19:08 +0000	[diff] [blame]	392	return TRUE;
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	393	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	394
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	395	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	396
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	397	/**
				398	* User Agent
				399	*
				400	* @access public
				401	* @return string
				402	*/
				403	function user_agent()
				404	{
				405	if ($this->user_agent !== FALSE)
				406	{
				407	return $this->user_agent;
				408	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	409
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	410	$this->user_agent = ( ! isset($_SERVER['HTTP_USER_AGENT'])) ? FALSE : $_SERVER['HTTP_USER_AGENT'];
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	411
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	412	return $this->user_agent;
				413	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	414
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	415	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	416
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	417	/**
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	418	* Filename Security
				419	*
				420	* @access public
				421	* @param string
				422	* @return string
				423	*/
				424	function filename_security($str)
				425	{
				426	$bad = array(
				427	"../",
				428	"./",
				429	"<!--",
				430	"-->",
				431	"<",
				432	">",
				433	"'",
				434	'"',
				435	'&',
				436	'$',
				437	'#',
				438	'{',
				439	'}',
				440	'[',
				441	']',
				442	'=',
				443	';',
				444	'?',
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	445	"%20",
				446	"%22",
				447	"%3c", // <
				448	"%253c", // <
				449	"%3e", // >
				450	"%0e", // >
				451	"%28", // (
				452	"%29", // )
				453	"%2528", // (
				454	"%26", // &
				455	"%24", // $
				456	"%3f", // ?
				457	"%3b", // ;
				458	"%3d" // =
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	459	);
				460
				461	return stripslashes(str_replace($bad, '', $str));
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	462	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	463
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	464	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	465
paulburdick	763064b	2007-06-27 23:25:55 +0000	[diff] [blame]	466	/**
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	467	* XSS Clean
				468	*
				469	* Sanitizes data so that Cross Site Scripting Hacks can be
				470	* prevented. This function does a fair amount of work but
				471	* it is extremely thorough, designed to prevent even the
				472	* most obscure XSS attempts. Nothing is ever 100% foolproof,
				473	* of course, but I haven't been able to get anything passed
				474	* the filter.
				475	*
				476	* Note: This function should only be used to deal with data
				477	* upon submission. It's not something that should
				478	* be used for general runtime processing.
				479	*
				480	* This function was based in part on some code and ideas I
				481	* got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention
				482	*
				483	* To help develop this script I used this great list of
				484	* vulnerabilities along with a few other hacks I've
				485	* harvested from examining vulnerabilities in other programs:
				486	* http://ha.ckers.org/xss.html
				487	*
				488	* @access public
				489	* @param string
				490	* @return string
				491	*/
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	492	function xss_clean($str, $is_image = FALSE, $loops = 0, $looped_convert = '')
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	493	{
				494	/*
				495	* Is the string an array?
				496	*
				497	*/
				498	if (is_array($str))
				499	{
				500	while (list($key) = each($str))
				501	{
				502	$str[$key] = $this->xss_clean($str[$key]);
				503	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	504
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	505	return $str;
				506	}
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	507
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	508	/*
				509	* Runaway loop prevention. If the text has had to be examined this many times
				510	* I think it's safe to say that it is best to simply ignore it.
				511	*/
				512	if ($loops > 9)
				513	{
				514	return '';
				515	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	516
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	517	/*
				518	* Remove Null Characters
				519	*
				520	* This prevents sandwiching null characters
				521	* between ascii characters, like Java\0script.
				522	*
				523	*/
Derek Allard	c1acb41	2008-06-04 20:58:03 +0000	[diff] [blame]	524	$str = preg_replace(array('/\0+/', '/(\\\\0)+/'), '', $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	525
				526	/*
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	527	* Protect GET variables in URLs
				528	*/
				529
				530	// 901119URL5918AMP18930PROTECT8198
				531
				532	$str = preg_replace('\|\&([a-z\_0-9]+)\=([a-z\_0-9]+)\|i', $this->xss_hash()."\\1=\\2", $str);
				533
				534	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	535	* Validate standard character entities
				536	*
				537	* Add a semicolon if missing. We do this to enable
				538	* the conversion of entities to ASCII later.
				539	*
				540	*/
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	541	$str = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	542
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	543	/*
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	544	* Validate UTF16 two byte encoding (x00)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	545	*
				546	* Just as above, adds a semicolon if missing.
				547	*
				548	*/
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	549	$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	550
				551	/*
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	552	* Un-Protect GET variables in URLs
				553	*/
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	554	$str = str_replace($this->xss_hash(), '&', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	555
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	556	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	557	* URL Decode
				558	*
				559	* Just in case stuff like this is submitted:
				560	*
				561	* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
				562	*
Derek Jones	ab32a42	2008-02-04 22:02:11 +0000	[diff] [blame]	563	* Note: Use rawurldecode() so it does not remove plus signs
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	564	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	565	*/
Derek Jones	ab32a42	2008-02-04 22:02:11 +0000	[diff] [blame]	566	$str = rawurldecode($str);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	567
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	568	/*
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	569	* Convert character entities to ASCII
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	570	*
				571	* This permits our tests below to work reliably.
				572	* We only convert entities that are within tags since
				573	* these are the ones that will pose security problems.
				574	*
				575	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	576
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	577	$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
				578
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	579	$str = preg_replace_callback("/<\w+.*?(?=>\|<\|$)/si", array($this, '_html_entity_decode_callback'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	580
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	581	/*
				582	* Convert all tabs to spaces
				583	*
				584	* This prevents strings like this: ja vascript
				585	* NOTE: we deal with spaces between characters later.
				586	* NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
				587	* so we use str_replace.
				588	*
				589	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	590
Derek Jones	0b59f27	2008-05-13 04:22:33 +0000	[diff] [blame]	591	if (strpos($str, "\t") !== FALSE)
				592	{
				593	$str = str_replace("\t", ' ', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	594	}
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	595
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	596	/*
				597	* Check and set converted string
				598	*/
				599	if ($looped_convert != '' && $looped_convert == $str)
				600	{
				601	// if we are in a loop, and the converted string is the same as the last pass,
				602	// then this is going to repeat until we hit the runaway loop prevention,
				603	// so we might as well stop now.
				604	return '';
				605	}
				606	else
				607	{
				608	$converted_string = $str;
				609	}
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	610
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	611	/*
				612	* Not Allowed Under Any Conditions
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	613	*/
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	614
				615	foreach ($this->never_allowed_str as $key => $val)
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	616	{
				617	$str = str_replace($key, $val, $str);
				618	}
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	619
				620	foreach ($this->never_allowed_regex as $key => $val)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	621	{
				622	$str = preg_replace("#".$key."#i", $val, $str);
				623	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	624
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	625	/*
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	626	* Makes PHP tags safe
				627	*
				628	* Note: XML tags are inadvertently replaced too:
				629	*
				630	* <?xml
				631	*
				632	* But it doesn't seem to pose a problem.
				633	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	634	*/
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	635	$str = str_replace(array('<?php', '<?PHP', '<?', '?'.'>'), array('<?php', '<?PHP', '<?', '?>'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	636
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	637	/*
				638	* Compact any exploded words
				639	*
				640	* This corrects words like: j a v a s c r i p t
				641	* These words are compacted back to their correct state.
				642	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	643	*/
paulburdick	b614d39	2007-06-26 21:58:56 +0000	[diff] [blame]	644	$words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	645	foreach ($words as $word)
				646	{
				647	$temp = '';
Derek Allard	c1acb41	2008-06-04 20:58:03 +0000	[diff] [blame]	648
Derek Jones	7a3b96e	2008-06-04 21:01:56 +0000	[diff] [blame^]	649	for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	650	{
				651	$temp .= substr($word, $i, 1)."\s*";
				652	}
Derek Jones	9f23e7c	2008-05-30 20:00:11 +0000	[diff] [blame]	653
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	654	// We only want to do this when it is followed by a non-word character
				655	// That way valid stuff like "dealer to" does not become "dealerto"
Derek Jones	9f23e7c	2008-05-30 20:00:11 +0000	[diff] [blame]	656	$str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	657	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	658
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	659	/*
				660	* Remove disallowed Javascript in links or img tags
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	661	* We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared
				662	* to these simplified non-capturing preg_match(), especially if the pattern exists in the string
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	663	*/
				664	do
				665	{
				666	$original = $str;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	667
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	668	if (preg_match("/<a/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	669	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	670	$str = preg_replace_callback("#<a.*(>\|<\|$)#si", array($this, '_js_link_removal'), $str);
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	671	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	672
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	673	if (preg_match("/<img/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	674	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	675	$str = preg_replace_callback("#<img.*(>\|<\|$)#si", array($this, '_js_img_removal'), $str);
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	676	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	677
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	678	if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str))
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	679	{
				680	$str = preg_replace("#</(script\|xss).?\>#si", "", $str);
				681	}
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	682	}
				683	while($original != $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	684
paulburdick	391eb03	2007-06-27 22:58:24 +0000	[diff] [blame]	685	unset($original);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	686
				687	/*
				688	* Remove JavaScript Event Handlers
				689	*
				690	* Note: This code is a little blunt. It removes
				691	* the event handler and anything up to the closing >,
				692	* but it's unlikely to be a problem.
				693	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	694	*/
Derek Jones	c04f0fc	2008-06-04 18:20:18 +0000	[diff] [blame]	695	$event_handlers = array('on\w*','xmlns');
Derek Jones	245038d	2008-05-15 21:58:07 +0000	[diff] [blame]	696
				697	if ($is_image === TRUE)
				698	{
				699	/*
				700	* Adobe Photoshop puts XML metadata into JFIF images, including namespacing,
				701	* so we have to allow this for images. -Paul
				702	*/
				703	unset($event_handlers[array_search('xmlns', $event_handlers)]);
				704	}
				705
Derek Jones	c04f0fc	2008-06-04 18:20:18 +0000	[diff] [blame]	706	$str = preg_replace("#<([^><]+)(".implode('\|', $event_handlers).")(\s=\s[^><])([><])#i", "<\\1\\4", $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	707	/*
				708	* Sanitize naughty HTML elements
				709	*
				710	* If a tag containing any of the words in the list
				711	* below is found, the tag gets converted to entities.
				712	*
				713	* So this: <blink>
				714	* Becomes: <blink>
				715	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	716	*/
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	717	$naughty = 'alert\|applet\|audio\|basefont\|base\|behavior\|bgsound\|blink\|body\|embed\|expression\|form\|frameset\|frame\|head\|html\|ilayer\|iframe\|input\|layer\|link\|meta\|object\|plaintext\|style\|script\|textarea\|title\|video\|xml\|xss';
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	718	$str = preg_replace_callback('#<(/\s)('.$naughty.')([^><])([><])#is', array($this, '_sanitize_naughty_html'), $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	719
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	720	/*
				721	* Sanitize naughty scripting elements
				722	*
				723	* Similar to above, only instead of looking for
				724	* tags it looks for PHP and JavaScript commands
				725	* that are disallowed. Rather than removing the
				726	* code, it simply converts the parenthesis to entities
				727	* rendering the code un-executable.
				728	*
				729	* For example: eval('some code')
				730	* Becomes: eval('some code')
				731	*
				732	*/
paulburdick	033ef02	2007-06-26 21:52:52 +0000	[diff] [blame]	733	$str = preg_replace('#(alert\|cmd\|passthru\|eval\|exec\|expression\|system\|fopen\|fsockopen\|file\|file_get_contents\|readfile\|unlink)(\s)$(.?)$#si', "\\1\\2(\\3)", $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	734
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	735	/*
				736	* Final clean up
				737	*
				738	* This adds a bit of extra precaution in case
				739	* something got through the above filters
				740	*
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	741	*/
Derek Jones	000ab69	2008-05-13 14:46:38 +0000	[diff] [blame]	742	foreach ($this->never_allowed_str as $key => $val)
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	743	{
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	744	$str = str_replace($key, $val, $str);
				745	}
Derek Jones	000ab69	2008-05-13 14:46:38 +0000	[diff] [blame]	746
				747	foreach ($this->never_allowed_regex as $key => $val)
Derek Jones	48bb32a	2007-07-12 13:10:42 +0000	[diff] [blame]	748	{
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	749	$str = preg_replace("#".$key."#i", $val, $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	750	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	751
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	752	/*
				753	* Images are Handled in a Special Way
				754	* - Essentially, we want to know that after all of the character conversion is done whether
				755	* any unwanted, likely XSS, code was found. If not, we return TRUE, as the image is clean.
				756	* However, if the string post-conversion does not matched the string post-removal of XSS,
				757	* then it fails, as there was unwanted XSS code found and removed/changed during processing.
				758	*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	759
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	760	if ($is_image === TRUE)
				761	{
				762	if ($str == $converted_string)
				763	{
				764	return TRUE;
				765	}
				766	else
				767	{
				768	return FALSE;
				769	}
				770	}
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	771
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	772	/*
				773	* If something changed after character conversion, we can be fairly confident that something
				774	* malicious was removed, so let's take no chances that the attacker is counting on specific
				775	* mutations taking place to allow a new attack to reveal itself. So say we all.
				776	*/
				777	if ($converted_string != $str)
				778	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	779	$str = $this->xss_clean($str, $is_image, ++$loops, $converted_string);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	780	}
				781
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	782	log_message('debug', "XSS Filtering completed");
				783	return $str;
				784	}
				785
				786	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	787
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	788	/**
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	789	* Random Hash for protecting URLs
				790	*
				791	* @access public
				792	* @return string
				793	*/
				794	function xss_hash()
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	795	{
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	796	if ($this->xss_hash == '')
				797	{
				798	if (phpversion() >= 4.2)
				799	mt_srand();
				800	else
				801	mt_srand(hexdec(substr(md5(microtime()), -8)) & 0x7fffffff);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	802
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	803	$this->xss_hash = md5(time() + mt_rand(0, 1999999999));
				804	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	805
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	806	return $this->xss_hash;
				807	}
				808
				809	// --------------------------------------------------------------------
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	810
				811	/**
Derek Jones	9f23e7c	2008-05-30 20:00:11 +0000	[diff] [blame]	812	* Compact Exploded Words
				813	*
				814	* Callback function for xss_clean() to remove whitespace from
				815	* things like j a v a s c r i p t
				816	*
				817	* @access public
				818	* @param type
				819	* @return type
				820	*/
				821	function _compact_exploded_words($matches)
				822	{
				823	return preg_replace('/\s+/s', '', $matches[1]).$matches[2];
				824	}
				825
				826	// --------------------------------------------------------------------
				827
				828	/**
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	829	* Sanitize Naughty HTML
				830	*
				831	* Callback function for xss_clean() to remove naughty HTML elements
				832	*
				833	* @access private
				834	* @param array
				835	* @return string
				836	*/
				837	function _sanitize_naughty_html($matches)
				838	{
				839	// encode opening brace
				840	$str = '<'.$matches[1].$matches[2].$matches[3];
				841
				842	// encode captured opening or closing brace to prevent recursive vectors
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	843	$str .= str_replace(array('>', '<'), array('>', '<'), $matches[4]);
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	844
Derek Jones	e3332b0	2008-05-13 14:44:32 +0000	[diff] [blame]	845	return $str;
				846	}
				847
				848	// --------------------------------------------------------------------
				849
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	850	/**
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	851	* JS Link Removal
				852	*
				853	* Callback function for xss_clean() to sanitize links
				854	* This limits the PCRE backtracks, making it more performance friendly
				855	* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
				856	* PHP 5.2+ on link-heavy strings
				857	*
				858	* @access private
				859	* @param array
				860	* @return string
				861	*/
				862	function _js_link_removal($match)
				863	{
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	864	return preg_replace("#href=.?(alert\(\|alert&\#40;\|javascript\:\|charset\=\|window\.\|document\.\|\.cookie\|<script\|<xss\|base64\s,)#si", "", $match[0]);
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	865	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	866
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	867	/**
				868	* JS Image Removal
				869	*
				870	* Callback function for xss_clean() to sanitize image tags
				871	* This limits the PCRE backtracks, making it more performance friendly
				872	* and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in
				873	* PHP 5.2+ on image tag heavy strings
				874	*
				875	* @access private
				876	* @param array
				877	* @return string
				878	*/
				879	function _js_img_removal($match)
				880	{
Derek Jones	bd08d84	2008-05-20 15:07:27 +0000	[diff] [blame]	881	return preg_replace("#src=.?(alert\(\|alert&\#40;\|javascript\:\|charset\=\|window\.\|document\.\|\.cookie\|<script\|<xss\|base64\s,)#si", "", $match[0]);
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	882	}
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	883
Derek Jones	01f72ca	2007-05-04 18:19:17 +0000	[diff] [blame]	884	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	885
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	886	/**
				887	* Attribute Conversion
				888	*
				889	* Used as a callback for XSS Clean
				890	*
				891	* @access public
				892	* @param array
				893	* @return string
				894	*/
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	895	function _convert_attribute($match)
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	896	{
Derek Jones	908ecc6	2008-05-21 19:53:40 +0000	[diff] [blame]	897	return str_replace(array('>', '<'), array('>', '<'), $match[0]);
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	898	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	899
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	900	// --------------------------------------------------------------------
				901
				902	/**
				903	* HTML Entity Decode Callback
				904	*
				905	* Used as a callback for XSS Clean
				906	*
				907	* @access public
				908	* @param array
				909	* @return string
				910	*/
				911	function _html_entity_decode_callback($match)
				912	{
Derek Jones	6159d1d	2007-07-16 13:04:46 +0000	[diff] [blame]	913	global $CFG;
				914	$charset = $CFG->item('charset');
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	915
				916	return $this->_html_entity_decode($match[0], strtoupper($charset));
				917	}
				918
				919	// --------------------------------------------------------------------
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	920
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	921	/**
				922	* HTML Entities Decode
				923	*
				924	* This function is a replacement for html_entity_decode()
				925	*
				926	* In some versions of PHP the native function does not work
				927	* when UTF-8 is the specified character set, so this gives us
				928	* a work-around. More info here:
				929	* http://bugs.php.net/bug.php?id=25670
				930	*
				931	* @access private
				932	* @param string
				933	* @param string
				934	* @return string
				935	*/
				936	/* -------------------------------------------------
				937	/* Replacement for html_entity_decode()
				938	/* -------------------------------------------------*/
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	939
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	940	/*
				941	NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
				942	character set, and the PHP developers said they were not back porting the
				943	fix to versions other than PHP 5.x.
				944	*/
Derek Jones	303c9cb	2007-07-12 19:12:37 +0000	[diff] [blame]	945	function _html_entity_decode($str, $charset='UTF-8')
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	946	{
				947	if (stristr($str, '&') === FALSE) return $str;
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	948
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	949	// The reason we are not using html_entity_decode() by itself is because
				950	// while it is not technically correct to leave out the semicolon
				951	// at the end of an entity most browsers will still interpret the entity
				952	// correctly. html_entity_decode() does not convert entities without
				953	// semicolons, so we are left with our own little solution here. Bummer.
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	954
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	955	if (function_exists('html_entity_decode') && (strtolower($charset) != 'utf-8' OR version_compare(phpversion(), '5.0.0', '>=')))
				956	{
				957	$str = html_entity_decode($str, ENT_COMPAT, $charset);
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	958	$str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	959	return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
				960	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	961
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	962	// Numeric Entities
Derek Jones	63fc5fe	2008-05-15 20:13:14 +0000	[diff] [blame]	963	$str = preg_replace('~&#x(0*[0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str);
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	964	$str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str);
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	965
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	966	// Literal Entities - Slightly slow so we do another check
				967	if (stristr($str, '&') === FALSE)
				968	{
				969	$str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES)));
				970	}
Derek Allard	15dcf49	2008-05-12 21:37:04 +0000	[diff] [blame]	971
Derek Allard	a72b60d	2007-01-31 23:56:11 +0000	[diff] [blame]	972	return $str;
				973	}
				974
				975	}
				976	// END Input class
Derek Jones	53437de	2008-05-12 18:07:08 +0000	[diff] [blame]	977
				978	/* End of file Input.php */
Derek Jones	a3ffbbb	2008-05-11 18:18:29 +0000	[diff] [blame]	979	/* Location: ./system/libraries/Input.php */