Package: XSS_Clean

Class: XSS_Clean

source file: /includes/XSSClean.php

Class Overview

Sanitizes data so that Cross Site Scripting Hacks can be prevented.

Author(s):

  • EllisLab Dev Team

Copyright:

  • Copyright (c) 2008 - 2012, EllisLab, Inc. (http://ellislab.com/)

Child classes:

Zebra_Form_Control
A generic class containing common methods, shared by all the controls.

Class methods

method sanitize()

string sanitize ( string $str , [$rawurldecode = true] )

Sanitizes submitted data so that Cross Site Scripting Hacks can be prevented.

This class is taken from the CodeIgniter PHP Framework, version 2.1.2.

This method is automatically run for each control when calling validate(), unless specifically disabled by disable_xss_filters()!

Following is the original documentation of the class, as found in CodeIgniter:

Sanitizes data so that Cross Site Scripting Hacks can be prevented. This function does a fair amount of work but it is extremely thorough, designed to prevent even the most obscure XSS attempts. Nothing is ever 100% foolproof, of course, but I haven't been able to get anything past the filter.

Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing.

This function was based in part on some code and ideas I got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention

To help develop this script I used this great list of vulnerabilities along with a few other hacks I've harvested from examining vulnerabilities in other programs: http://ha.ckers.org/xss.html

Tags:
return: the filtered string
Parameters:
string $str: string to be filtered
$rawurldecode
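The note above restricts sanitize() to data at submission time, which raises the practical question of where it sits relative to output encoding. The following is an added example, not code from Zebra_Form or CodeIgniter: it assumes XSSClean.php is reachable at the source file path listed above, that XSS_Clean can be constructed without arguments, and uses a constructed array in place of $_POST.

```php
<?php
// Added example, not part of the Zebra_Form documentation or code base.
// Assumes includes/XSSClean.php (path from the page) relative to this script
// and that XSS_Clean::sanitize() has the signature documented above.
require_once __DIR__ . '/includes/XSSClean.php';

/**
 * Run the submission-time filter over every string value the form posted.
 * Output encoding is kept as a separate, mandatory step when rendering.
 */
function filter_submission(array $post, XSS_Clean $filter): array
{
    $clean = [];
    foreach ($post as $field => $value) {
        // sanitize() is meant for data on submission only (see the note above);
        // non-string values are left untouched rather than cast.
        $clean[$field] = is_string($value) ? $filter->sanitize($value) : $value;
    }
    return $clean;
}

// Constructed sample submission standing in for $_POST.
$submitted = [
    'name'    => 'Alice <b>Smith</b>',
    'comment' => '<script>alert(1)</script> nice article',
    'website' => 'javascript:alert(1)',
];

$clean = filter_submission($submitted, new XSS_Clean());

// Filtering at submission does not replace encoding at output: escape again
// for the context the value is rendered in, here HTML body text.
foreach ($clean as $field => $value) {
    printf("%s: %s\n", $field, htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}
```

The exact rewritten form of each filtered string depends on the CodeIgniter filter rules, so the example does not assume particular output; the point is the separation of concerns. sanitize() reduces the risk carried by stored input, while htmlspecialchars() (or the encoder for whatever context the value lands in) remains the control that prevents injection at render time.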