CodeIgniter Forums
class CI_Input - function xss_clean($str)
Thread: class CI_Input - function xss_clean($str) (/showthread.php?tid=2568)



class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]koala1[/eluser]
Code Igniter 1.5.4
Code:
$str="javascript";
Code:
$words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
foreach ($words as $word)
{
    $temp = '';
    $strlen_word = strlen($word);
    for ($i = 0; $i < $strlen_word; $i++)
    {
        $temp .= substr($word, $i, 1)."\s*";
    }

    // We only want to do this when it is followed by a non-word character
    // That way valid stuff like "dealer to" does not become "dealerto"
    $str = preg_replace('#('.substr($temp, 0, -3).')(\W)#ise', "preg_replace('/\s+/s', '', '\\1').'\\2'", $str);
}
Code:
echo "str -> ".$str."<br />"; // output => javascript <= with spaces

Code Igniter 1.4.1
Code:
$str="javascript";
Code:
$words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
foreach ($words as $word)
{
    $temp = '';
    $count = strlen($word);
    for ($i = 0; $i < $count; $i++)
    {
        $temp .= substr($word, $i, 1)."\s*";
    }

    $temp = substr($temp, 0, -3);
    $str = preg_replace('#'.$temp.'#s', $word, $str);
    $str = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $str);
}
Code:
echo "str -> ".$str."<br />"; // output => javascript <= without spaces



class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]coolfactor[/eluser]
Please elaborate on your post. It's not clear what you're trying to say or pointing out.


class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]Derek Allard[/eluser]
The xss_clean function went through a bit of a change to make it more secure. I'm with Coolfactor here... what are you trying to demonstrate?


class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]koala1[/eluser]
CI 1.5.4
Code:
// INPUT - with spaces "javascript"
$str="javascript";
Code:
// OUTPUT - with spaces
echo "str -> ".$str."<br />";  // => javascript

CI 1.4.1
Code:
// INPUT - with spaces "javascript"
$str="javascript";
Code:
// OUTPUT - without spaces
echo "str -> ".$str."<br />";  // => javascript



class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]coolfactor[/eluser]
koala, please use your words. What are you pointing out? I still don't see it.


class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]johnwbaxter[/eluser]
I think perhaps he is a mime in his day job and that has somehow carried over to his coding.....


class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]coolfactor[/eluser]
Something to do with the "with" and "without" spaces, where the code is the opposite? A wild guess.


class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]johnwbaxter[/eluser]
It's a bit like Skippy the Kangaroo.

"What is it, Skip? Is Billy down the well?"

"What is it, koala1? Are you saying that the old way of doing it is better than the new way?"


class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]koala1[/eluser]
Code:
/*
 * Compact any exploded words
 *
 * This corrects words like:  javascript
 * These words are compacted back to their correct state.
 *
 */
Sorry, I speak only a little English.

If you use in 1.5.4 a $str containing words like "javascript" with spaces in the word, in the OUTPUT you also have this word WITH SPACES.

In CI 1.4.1, with "javascript" with spaces in $str, the OUTPUT has the word WITHOUT SPACES.


class CI_Input - function xss_clean($str) - El Forum - 08-13-2007

[eluser]Derek Jones[/eluser]
The code comment clarifies what this is doing; it will only compact these 'naughty' words when followed by a non-word character. So for instance the phrase ('alert' with space bolded for emphasis):

Quote:I looked at the dealer to hand me my cards

Does not get output as:

Quote:I looked at the dealerto hand me my cards

But this phrase:

Quote:blah blah blah a ler t( blah blah blah

Will compact the word 'alert' properly so it can be sanitized:

Quote:blah blah blah alert( blah blah blah
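To see the two behaviours side by side on the thread's own inputs, here is an added example (not CodeIgniter's code) that reimplements the "compact exploded words" step of both versions; the function name compact_exploded_words is assumed, and preg_replace_callback replaces the /e modifier used by the 1.5.4 original, which current PHP no longer supports.

```php
<?php
// Added example, not CodeIgniter's own code. Reimplements the
// "compact exploded words" loop of xss_clean for CI 1.5.4 (context check:
// a non-word character must follow) and CI 1.4.1 (compact anywhere).
function compact_exploded_words(string $str, bool $require_nonword = true): string
{
    $words = array('javascript', 'expression', 'vbscript', 'script', 'applet',
                   'alert', 'document', 'write', 'cookie', 'window');

    foreach ($words as $word) {
        // Build "j\s*a\s*v\s*a\s*..." so whitespace between letters is matched.
        $temp = implode('\s*', str_split($word));

        if ($require_nonword) {
            // 1.5.4 behaviour: only compact when followed by a non-word character,
            // so "dealer to" survives but "a ler t(" becomes "alert(".
            $str = preg_replace_callback('#(' . $temp . ')(\W)#is', function ($m) {
                return preg_replace('/\s+/s', '', $m[1]) . $m[2];
            }, $str);
        } else {
            // 1.4.1 behaviour: compact wherever the letters occur, no context check.
            $str = preg_replace('#' . $temp . '#s', $word, $str);
            $str = preg_replace('#' . ucfirst($temp) . '#s', ucfirst($word), $str);
        }
    }
    return $str;
}

// Constructed inputs mirroring the cases discussed in the thread.
$inputs = array(
    "I looked at the dealer to hand me my cards", // 1.5.4 keeps it; 1.4.1 gives "dealerto"
    "blah blah blah a ler t( blah blah blah",     // both versions give "alert("
    "j a v a s c r i p t",                        // koala1's bare word: 1.5.4 leaves the spaces
);
foreach ($inputs as $in) {
    printf("1.5.4: %s\n", compact_exploded_words($in, true));
    printf("1.4.1: %s\n", compact_exploded_words($in, false));
}
```

The third input shows the point raised in the thread: with nothing after the final letter, the 1.5.4 pattern's trailing (\W) never matches, so a bare exploded word is left as typed.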