class CI_Input - function xss_clean($str)

#1
[eluser]koala1[/eluser]
Code Igniter 1.5.4
Code:
$str="javascript";
Code:
$words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
foreach ($words as $word)
{
    $temp = '';
    $strlen_word = strlen($word);
    for ($i = 0; $i < $strlen_word; $i++)
    {
        $temp .= substr($word, $i, 1)."\s*";
    }

    // We only want to do this when it is followed by a non-word character
    // That way valid stuff like "dealer to" does not become "dealerto"
    // (the 'e' modifier evaluates the replacement as PHP code; it was removed in PHP 7)
    $str = preg_replace('#('.substr($temp, 0, -3).')(\W)#ise', "preg_replace('/\s+/s', '', '\\1').'\\2'", $str);
}
Code:
echo "str -> ".$str."<br />"; // output => javascript <= with spaces

Code Igniter 1.4.1
Code:
$str="javascript";
Code:
$words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
foreach ($words as $word)
{
    $temp = '';
    $count = strlen($word);
    for ($i = 0; $i < $count; $i++)
    {
        $temp .= substr($word, $i, 1)."\s*";
    }

    // Compact the exploded word unconditionally, in lower-case and ucfirst() forms
    $temp = substr($temp, 0, -3);
    $str = preg_replace('#'.$temp.'#s', $word, $str);
    $str = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $str);
}
Code:
echo "str -> ".$str."<br />"; // output => javascript <= without spaces

#2
[eluser]coolfactor[/eluser]
Please elaborate on your post. It's not clear what you're trying to say or pointing out.

#3
[eluser]Derek Allard[/eluser]
the xss_clean function went through a bit of a change to make it more secure. I'm with Coolfactor here... what are you trying to demonstrate?

#4
[eluser]koala1[/eluser]
CI 1.5.4
Code:
// INPUT - with spaces "javascript"
$str="javascript";
Code:
// OUTPUT - with spaces
echo "str -> ".$str."<br />";  // => javascript

CI 1.4.1
Code:
// INPUT - with spaces "javascript"
$str="javascript";
Code:
// OUTPUT - without spaces
echo "str -> ".$str."<br />";  // => javascript

#5
[eluser]coolfactor[/eluser]
koala, please use your words. What are you pointing out? I still don't see it.

#6
[eluser]johnwbaxter[/eluser]
I think perhaps he is a mime in his day job and that has somehow carried over to his coding.....

#7
[eluser]coolfactor[/eluser]
Something to do with the "with" and "without" spaces, where the code is the opposite? A wild guess.

#8
[eluser]johnwbaxter[/eluser]
It's a bit like skippy the kangaroo.

"what is it skip? is billy down the well?"

"what is it koala1? are you saying that the old way of doing it is better than the new way?"

#9
[eluser]koala1[/eluser]
Code:
/*
         * Compact any exploded words
         *
         * This corrects words like:  javascript
         * These words are compacted back to their correct state.
         *
         */
Sorry, I speak only a little English.

If you use in 1.5.4 in $str words like "javascript" with spaces in this word, in OUTPUT you also have this word WITH SPACES.

In CI 1.4.1 - in $str - "javascript" with spaces, OUTPUT = words WITHOUT SPACES

#10
[eluser]Derek Jones[/eluser]
The code comment clarifies what this is doing; it will only compact these 'naughty' words when followed by a non-word character. So for instance the phrase ('alert' with space bolded for emphasis):

Quote: I looked at the dealer to hand me my cards

Does not get output as:

Quote: I looked at the dealerto hand me my cards

But this phrase:

Quote: blah blah blah a ler t( blah blah blah

Will compact the word 'alert' properly so it can be sanitized:

Quote: blah blah blah alert( blah blah blah
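As an added illustration (not code from this thread or from CodeIgniter itself), here is a Python re-implementation of the two compaction loops quoted in post #1 and the behaviour Derek Jones describes in post #10. The word lists are copied from the two snippets; the function names and the sample inputs are mine. The 1.5.4 version requires a non-word character after the exploded word and strips whitespace from the captured text (a callback stands in for the PHP 'e' modifier); the 1.4.1 version rewrites every match, which is why "dealer to" collapses to "dealerto". One consequence of the `\W` requirement that the thread does not spell out: an exploded word at the very end of the input is not compacted in 1.5.4, because end-of-string is not a `\W` character.

```python
import re

# Word lists copied from the two CodeIgniter snippets quoted in this thread.
WORDS_1_4_1 = ['javascript', 'vbscript', 'script', 'applet', 'alert',
               'document', 'write', 'cookie', 'window']
WORDS_1_5_4 = ['javascript', 'expression', 'vbscript', 'script', 'applet',
               'alert', 'document', 'write', 'cookie', 'window']


def exploded_pattern(word):
    """Build the same regex CI builds: every letter of the word may be
    followed by optional whitespace, so 'alert' also matches 'a ler t'."""
    return r'\s*'.join(re.escape(ch) for ch in word)


def compact_1_4_1(s, words=WORDS_1_4_1):
    """Mirror of the 1.4.1 loop (hypothetical name): every exploded match is
    rewritten to the bare word, with a second pass for the ucfirst() form.
    Nothing checks what follows the match, so 'dealer to' becomes 'dealerto'."""
    for word in words:
        pat = exploded_pattern(word)
        s = re.sub(pat, word, s, flags=re.DOTALL)
        s = re.sub(pat[0].upper() + pat[1:], word.capitalize(), s, flags=re.DOTALL)
    return s


def compact_1_5_4(s, words=WORDS_1_5_4):
    """Mirror of the 1.5.4 loop (hypothetical name): the exploded word must be
    followed by a non-word character, and the replacement strips whitespace
    from the captured text itself, so the original letter case is kept.
    Python's \\W is Unicode-aware, unlike PHP's default ASCII \\W; that does
    not matter for the ASCII samples below."""
    for word in words:
        pat = '(' + exploded_pattern(word) + r')(\W)'
        s = re.sub(pat,
                   lambda m: re.sub(r'\s+', '', m.group(1)) + m.group(2),
                   s, flags=re.IGNORECASE | re.DOTALL)
    return s


if __name__ == '__main__':
    # Constructed inputs; the first two are the phrases from post #10.
    samples = [
        "I looked at the dealer to hand me my cards",
        "blah blah blah a ler t( blah blah blah",
        "j a v a s c r i p t:",
        "click here a ler t",   # exploded word at end of input: 1.5.4 leaves it
    ]
    for text in samples:
        print(f"{text!r}\n  1.4.1 -> {compact_1_4_1(text)!r}\n  1.5.4 -> {compact_1_5_4(text)!r}")
```

The last sample is the edge to keep in mind when reading the 1.5.4 loop: the `(\W)` group is what protects ordinary prose, but it also means compaction depends on what, if anything, follows the word.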

