Friday, July 16, 2010

Documentation of Codeigniter My Input Library

CodeIgniter's Input library ships with many useful security features, but it still leaves some security concerns open; we discussed those in an earlier post on this blog. So I have created an extended Input library to close those holes.

I have extended the xss_clean method of the Input class and added some further security fixes. In xss_clean, the block that handles naughty HTML tags has been replaced with the following code:

    /*
     * Sanitize naughty HTML elements
     *
     * If a tag containing any of the words in the list
     * below is found, the tag gets converted to entities.
     *
     * So this: <blink>
     * Becomes: &lt;blink&gt;
     */
    $naughty = '\w*';
    $str = preg_replace_callback('#<(\w*/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);

instead of the original:

    /*
     * Sanitize naughty HTML elements
     *
     * If a tag containing any of the words in the list
     * below is found, the tag gets converted to entities.
     *
     * So this: <blink>
     * Becomes: &lt;blink&gt;
     */
    $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
    $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);

In the stock Input library, a fixed list of HTML tag names is treated as naughty. But many more tags can do serious damage to a site, for example the heading tag h1, whose possible abuse we described in an earlier blog post. So I have treated every HTML tag name as naughty and convert all of them. To do this, the regular expression matches any run of word characters, of any length: \w*
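To see what the change does in practice, here is an added, stand-alone PHP example (not the library's own code) that runs both regexes over a constructed input through a callback modelled on CodeIgniter 1.7's _sanitize_naughty_html(); the exact body of that callback is an assumption reproduced from memory.

```php
<?php
// Added example: the tag-sanitising step of xss_clean() as plain functions,
// so the stock list-based rule and the \w* rule can be compared side by side.

// Mirrors CodeIgniter 1.7's _sanitize_naughty_html() (assumed): keep the
// captured pieces, but turn the angle brackets into entities so the browser
// renders the tag as text instead of interpreting it.
function sanitize_naughty_html(array $matches): string
{
    return '&lt;' . $matches[1] . $matches[2] . $matches[3]
        . str_replace(array('>', '<'), array('&gt;', '&lt;'), $matches[4]);
}

// Stock behaviour: only tags whose name appears in the fixed list are encoded.
function clean_listed_tags(string $str): string
{
    $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed'
        . '|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex'
        . '|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
    return preg_replace_callback('#<(/*\s*)(' . $naughty . ')([^><]*)([><]*)#is',
        'sanitize_naughty_html', $str);
}

// Extended library: \w* matches any tag name, so every tag is encoded.
function clean_all_tags(string $str): string
{
    $naughty = '\w*';
    return preg_replace_callback('#<(\w*/*\s*)(' . $naughty . ')([^><]*)([><]*)#is',
        'sanitize_naughty_html', $str);
}

// Constructed sample input: an <h1> (not in the stock list) next to a
// <script> (which is in the list).
$input = '<h1>Welcome</h1> <script>doSomething();</script>';

echo "stock list: " . clean_listed_tags($input) . PHP_EOL;
echo "\\w* rule:   " . clean_all_tags($input) . PHP_EOL;
```

On that input the stock rule leaves `<h1>Welcome</h1>` untouched and encodes only the script tags, while the \w* rule encodes every tag, the harmless heading included. That is the trade-off of the extended library: it is suitable where user input is never expected to carry HTML, and any legitimate markup will be neutralised along with the dangerous tags.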
See also: Download Codeigniter My input library from here.
See the book OpenCart 1.4 Template Design Cookbook.
See the book Joomla Mobile Development Beginners Guide
