CodeIgniter Security Class
CodeIgniter contain security class methods which will help to create a secure application and process input data. The methods are given below.
- XSS Filtering
- CSRF (Cross-site Request Forgery)
- Class Reference
XSS Filtering
XSS stands for Cross-site Scripting. It is used to disable JavaScript or other types of code that try to hijack cookies and perform other type of malicious acts. When it encounters anything harmful, it is rendered safe by converting the data to character entities.
XSS filtering uses xss_clean() method to filer data.
There is an optional second parameter, is_image, which is used to test images for XSS attacks. When this parameter is set to TRUE, it doesn’t return an altered string, instead it returns TRUE if image is safe and FALSE if it contains malicious information.
CSRF (Cross-site Request Forgery)
To enable CSRF do the following settings in application/config/config.php file.
If you are using form helper, then a hidden csrf field will be automatically inserted in your form_open()/ field.
Otherwise, you can manually add it using,
get_csrf_token_name() (it returns name of csrf) and
get_csrf_hash() (it returns value of csrf).
Generated tokens may be kept same throughout the life of CSRF cookie or may be regenerated on every submission. The default generation of token provides a better security but it also have usability concerns as other tokens like multiple tabs/windows, asynchronous actions, etc become invalid. Regeneration behavior can be set in application/config/config.php file as shown below.
Class Reference
Parameters – $str (mixed) ? input string or an array of strings
Returns – XSS-clean data
Return-type – mixed
From input data it removes XSS exploits and returns the clean string.
Parameters – $str (string) ? File name/path
$relative_path (bool) ? Whether tp preserve any directories in the file path
Returns – Sanitized file name/path
Return-type – string
It prevents directory traversal and other security threats by sanitizing filenames. It is mainly useful for files which were supplied via user input.
Parameters – $str (string) ? Input string
$charset (string) ? Character set of the input string
Returns – Entity-decoded string
Return-type – string
It tries to detect HTML entities that don’t end in a semicolon because some browser allows that.
$charset parameter is left empty, then your configure value in $config[‘charset’] will be used.
Parameters – $length (int) ? Output length
Returns – A binary system of random bytes or FALSE on failure.
Return-type – string
It is used for generating CSRF and XSS tokens.