Modules

  1. Kohana
    2. I18n
    3. Kohana
    4. Kohana_Core
    5. Request
    6. Route
    7. UTF8
    8. View
    9. Cache
      1. Cache_Xcache
    10. Configuration
      1. Kohana_Config
      2. Kohana_Config_File
      3. Kohana_Config_Reader
    11. Controller
      1. Controller
      2. Controller_REST
      3. Controller_Template
      4. Controller_Welcome
    12. Exceptions
      1. Kohana_Exception
      2. Kohana_Request_Exception
      3. Kohana_View_Exception
      4. Validate_Exception
    13. Helpers
      1. Arr
      2. CLI
      3. Cookie
      4. Date
      5. Feed
      6. File
      7. Form
      8. Fragment
      9. HTML
      10. Inflector
      11. Num
      12. Profiler
      13. Remote
      14. Text
      15. URL
      16. Upload
    14. Logging
      1. Kohana_Log
      2. Kohana_Log_File
      3. Kohana_Log_StdErr
      4. Kohana_Log_StdOut
      5. Kohana_Log_Syslog
      6. Kohana_Log_Writer
    15. Models
      1. Model
    16. Security
      1. Encrypt
      2. Security
      3. Validate
    17. Session
      1. Session
      2. Session_Cookie
      3. Session_Native
  2. Kohana/Auth
    2. Auth
    3. Auth_File
    4. Auth_ORM
    5. Model_Auth_Role
    6. Model_Auth_User
    7. Model_Auth_User_Token
    8. Model_Role
    9. Model_User
    10. Model_User_Token
  3. Kohana/Cache
    2. Cache
    3. Cache_Apc
    4. Cache_Eaccelerator
    5. Cache_File
    6. Cache_Memcache
    7. Cache_MemcacheTag
    8. Cache_Sqlite
    9. Cache_Wincache
    10. Kohana_Cache_Exception
    11. Kohana_Cache_GarbageCollect
    12. Kohana_Cache_Tagging
  4. Kohana/Codebench
    2. Codebench
    3. Controllers
      1. Controller_Codebench
    4. Tests
      1. Bench_ArrCallback
      2. Bench_AutoLinkEmails
      3. Bench_DateSpan
      4. Bench_ExplodeLimit
      5. Bench_GruberURL
      6. Bench_LtrimDigits
      7. Bench_MDDoBaseURL
      8. Bench_MDDoImageURL
      9. Bench_MDDoIncludeViews
      10. Bench_StripNullBytes
      11. Bench_Transliterate
      12. Bench_URLSite
      13. Bench_UserFuncArray
      14. Bench_ValidColor
      15. Bench_ValidURL
  5. Kohana/Database
    2. DB
    3. Database
    4. Database_Expression
    5. Configuration
      1. Kohana_Config_Database
    6. Drivers
      1. Database_MySQL
      2. Database_PDO
    7. Exceptions
      1. Database_Exception
    8. Query
      1. Database_Query
      2. Database_Query_Builder
      3. Database_Query_Builder_Delete
      4. Database_Query_Builder_Insert
      5. Database_Query_Builder_Join
      6. Database_Query_Builder_Select
      7. Database_Query_Builder_Update
      8. Database_Query_Builder_Where
    9. Query/Result
      1. Database_MySQL_Result
      2. Database_Result
      3. Database_Result_Cached
    10. Session
      1. Session_Database
  6. Kohana/Image
    2. Image
    3. Drivers
      1. Image_GD
  7. Kohana/OAuth
    2. OAuth
    3. OAuth_Consumer
    4. OAuth_Response
    5. Exceptions
      1. Kohana_OAuth_Exception
    6. Provider
      1. OAuth_Provider
      2. OAuth_Provider_Google
      3. OAuth_Provider_Twitter
    7. Request
      1. OAuth_Request
      2. OAuth_Request_Access
      3. OAuth_Request_Authorize
      4. OAuth_Request_Credentials
      5. OAuth_Request_Resource
      6. OAuth_Request_Token
    8. Server
      1. Kohana_OAuth_Server
    9. Signature
      1. OAuth_Signature
      2. OAuth_Signature_HMAC_SHA1
      3. OAuth_Signature_PLAINTEXT
    10. Token
      1. OAuth_Token
      2. OAuth_Token_Access
      3. OAuth_Token_Request
  8. Kohana/ORM
    2. ORM
  9. Kohana/Pagination
    2. Pagination
  10. Kohana/Userguide
    2. Kodoc
    3. Kodoc_Class
    4. Kodoc_Markdown
    5. Kodoc_Method
    6. Kodoc_Method_Param
    7. Kodoc_Property
    8. Controllers
      1. Controller_Userguide
    9. Undocumented
      1. Kodoc_Missing

Kohana_Security

Security helper class.

package
Kohana
category
Security
author
Kohana Team
copyright
© 2007-2010 Kohana Team
license
http://kohanaframework.org/license

Class declared in SYSPATH/classes/kohana/security.php on line 11.

Constants

  • None

Properties

Methods

Properties

public static string $token_name

key name used for token storage

string(14) "security_token"

Methods

public static check( string $token ) (defined in Kohana_Security)

Check that the given token matches the currently stored security token.

if (Security::check($token))
{
    // Pass
}

Parameters

  • string $token required - Token to check

Tags

Return Values

  • boolean

Source Code

public static function check($token)
{
	return Security::token() === $token;
}

public static encode_php_tags( string $str ) (defined in Kohana_Security)

Encodes PHP tags in a string.

$str = Security::encode_php_tags($str);

Parameters

  • string $str required - String to sanitize

Return Values

  • string

Source Code

public static function encode_php_tags($str)
{
	return str_replace(array('<?', '?>'), array('&lt;?', '?&gt;'), $str);
}

public static strip_image_tags( string $str ) (defined in Kohana_Security)

Remove image tags from a string.

$str = Security::strip_image_tags($str);

Parameters

  • string $str required - String to sanitize

Return Values

  • string

Source Code

public static function strip_image_tags($str)
{
	return preg_replace('#<img\s.*?(?:src\s*=\s*["\']?([^"\'<>\s]*)["\']?[^>]*)?>#is', '$1', $str);
}

public static token( [ boolean $new = bool FALSE ] ) (defined in Kohana_Security)

Generate and store a unique token which can be used to help prevent CSRF attacks.

$token = Security::token();

You can insert this token into your forms as a hidden field:

echo Form::hidden('csrf', Security::token());

And then check it when using Validate:

$array->rules('csrf', array(
    'not_empty'       => NULL,
    'Security::check' => NULL,
));

This provides a basic, but effective, method of preventing CSRF attacks.

Parameters

  • boolean $new = bool FALSE - Force a new token to be generated?

Tags

Return Values

  • string

Source Code

public static function token($new = FALSE)
{
	$session = Session::instance();

	// Get the current token
	$token = $session->get(Security::$token_name);

	if ($new === TRUE OR ! $token)
	{
		// Generate a new unique token
		$token = sha1(uniqid(NULL, TRUE));

		// Store the new token
		$session->set(Security::$token_name, $token);
	}

	return $token;
}

public static xss_clean( mixed $str ) (defined in Kohana_Security)

Remove XSS from user input.

$str = Security::xss_clean($str);

Parameters

  • mixed $str required - String or array to sanitize

Tags

  • Author - Christian Stocker [email protected]>
  • Copyright - © 2001-2006 Bitflux GmbH
  • Deprecated - since v3.0.5

Return Values

  • string

Source Code

public static function xss_clean($str)
{
	// http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
	// +----------------------------------------------------------------------+
	// | Copyright (c) 2001-2006 Bitflux GmbH                                 |
	// +----------------------------------------------------------------------+
	// | Licensed under the Apache License, Version 2.0 (the "License");      |
	// | you may not use this file except in compliance with the License.     |
	// | You may obtain a copy of the License at                              |
	// | http://www.apache.org/licenses/LICENSE-2.0                           |
	// | Unless required by applicable law or agreed to in writing, software  |
	// | distributed under the License is distributed on an "AS IS" BASIS,    |
	// | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or      |
	// | implied. See the License for the specific language governing         |
	// | permissions and limitations under the License.                       |
	// +----------------------------------------------------------------------+
	// | Author: Christian Stocker <[email protected]>                        |
	// +----------------------------------------------------------------------+
	//
	// Kohana Modifications:
	// * Changed double quotes to single quotes, changed indenting and spacing
	// * Removed magic_quotes stuff
	// * Increased regex readability:
	//   * Used delimeters that aren't found in the pattern
	//   * Removed all unneeded escapes
	//   * Deleted U modifiers and swapped greediness where needed
	// * Increased regex speed:
	//   * Made capturing parentheses non-capturing where possible
	//   * Removed parentheses where possible
	//   * Split up alternation alternatives
	//   * Made some quantifiers possessive
	// * Handle arrays recursively

	if (is_array($str) OR is_object($str))
	{
		foreach ($str as $k => $s)
		{
			$str[$k] = Security::xss_clean($s);
		}

		return $str;
	}

	// Remove all NULL bytes
	$str = str_replace("\0", '', $str);

	// Fix &entity\n;
	$str = str_replace(array('&amp;','&lt;','&gt;'), array('&amp;amp;','&amp;lt;','&amp;gt;'), $str);
	$str = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $str);
	$str = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $str);
	$str = html_entity_decode($str, ENT_COMPAT, Kohana::$charset);

	// Remove any attribute starting with "on" or xmlns
	$str = preg_replace('#(?:on[a-z]+|xmlns)\s*=\s*[\'"\x00-\x20]?[^\'>"]*[\'"\x00-\x20]?\s?#iu', '', $str);

	// Remove javascript: and vbscript: protocols
	$str = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $str);
	$str = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $str);
	$str = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $str);

	// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
	$str = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#is', '$1>', $str);
	$str = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#is', '$1>', $str);
	$str = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#ius', '$1>', $str);

	// Remove namespaced elements (we do not need them)
	$str = preg_replace('#</*\w+:\w[^>]*+>#i', '', $str);

	do
	{
		// Remove really unwanted tags
		$old = $str;
		$str = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $str);
	}
	while ($old !== $str);

	return $str;
}