input The suite you need to clean the input coming from users

  1. Note
  2. Requirements
  3. Usage
  4. Available methods
  5. Installation:

This component is everything you need in order to be sure that the input coming from your users is santitized and the data is safe.
It wraps HtmlPurifier and Codeigniter Security class in a single component that does an awesome job.
Regarding Codeigniter Security class, it has the best xss filter that i know of(excepting html purifier) and it is very fast (comparing to html purifier).
Why including both you may ask, well, the answer is simple, the HtmlPurifier being a large and kind of slow library, it is used only for HTML content cleaning, say a textarea from CKEDITOR or TINYMCE, while Codeigniter XSS filter is used for any other input type because it is way faster and does the job as it should.

Note

This extension is not meant to protect you against sql injection, use Yii's param binding feature for that.

Requirements

Yii 1.1.x

Usage

Say we have a model having a CKEDITOR textarea and other text fields that doesn't allow any html content. We need to use html purifier to be sure the CKEDITOR textarea is treated correctly, but we also need to be sure that the other fields are stripped of html and also cleaned so that the cannot contain dangerous data.

if(isset($_POST['Example']))  
{
    $purify=array('content');  
    foreach($_POST['Example'] AS $key=>$value)  
    {  
        if(in_array($key, $purify))  
            $_POST['Example'][$key]=Yii::app()->input->purify($value);  
        else  
            $_POST['Example'][$key]=Yii::app()->input->stripClean($value);  
    }  
      
    $model->attributes=$_POST['Example'];  
      
	if($model->save())  
		$this->redirect(array('view','id'=>(int)$model->id));  
}

In case our model doesn't have a textarea having HTML content, we can just clean everything from one move:

if(isset($_POST['Example']))  
{
  
    // this will apply stripTags() then xssClean() methods to the array.  
    $_POST['Example']=Yii::app()->input->stripClean($_POST['Example']);  

    // also you can do:  
    $_POST['Example']=Yii::app()->input->xssClean($_POST['Example']);      

    $model->attributes=$_POST['Example'];  
      
	if($model->save())  
		$this->redirect(array('view','id'=>(int)$model->id));  
}

Handling $_GET and $_POST. Say you want to get a $_GET/$_POST variable and use it:

$post=Yii::app()->input->post('username');  
$get=Yii::app()->input->get('username');  

In both cases, the $_POST['username'] and $_GET['username'] are sanitized and returned.

Available methods

/*    
*   1) HtmlPurifier Filter.  
*   Method: purify($str);
*/  
$clean=Yii::app()->input->purify($string);    
$clean=Yii::app()->input->purify($array);  
  
/*  
*   2) XssClean Filter  
*   Method: xssClean($str);
*   This will use the Codeigniter Xss Filter to clean the content   
*/  
$clean=Yii::app()->input->xssClean($string);  
$clean=Yii::app()->input->xssClean($array);  
  
/*  
*   3) stripTags($str, $encode=false)  
*   This is a wrapper for strip_tags but it also supports an array as it's param  
*/  
$clean=Yii::app()->input->stripTags($string);  
$clean=Yii::app()->input->stripTags($array);  
  
/*  
*   4) stripClean($str)  
*   This will use the above stripTags() method, then the xssClean() method.  
*/  
$clean=Yii::app()->input->stripClean($string);  
$clean=Yii::app()->input->stripClean($array);  

/*
*   5) stripCleanEncode($str)  
*   Similar to the above stripClean() method, only it also encodes the input  
*/  
$clean=Yii::app()->input->stripCleanEncode($string);  
$clean=Yii::app()->input->stripCleanEncode($array);  

/*  
*   6) encode($str)  
*   A wrapper for CHtml::encode() but also can take an array as param  
*/  
$clean=Yii::app()->input->encode($string);  
$clean=Yii::app()->input->encode($array);  

/*  
*   7) get($str, $defaultValue='', $xssClean=true)  
*   The get() method will fetch a $_GET item, clean and return it
*/  
$clean=Yii::app()->input->get($string);  

/*  
*   8) post($str, $defaultValue='', $xssClean=true)  
*   The post() method will fetch a $_POST item, clean and return it
*/  
$clean=Yii::app()->input->post($string);  

/*  
*   9) getPost($str, $defaultValue='', $xssClean=true)  
*   The getPost() method will try to fetch a $_GET item, if it doesn't exists, it'll try a $_POST item.  
*   The returned content is cleaned.
*/  
$clean=Yii::app()->input->getPost($string);  

Installation:

1)
Extract the archive and paste the contents of the "protected" folder from within the archive over your project protected folder.
The archive protected folder contains :
/config/htmlpurifier.php
/components/CmsInput.php
/vendors/Codeigniter/CI_Security.php

Note on htmlpurifier.php from config folder.
This file is the configuration for HtmlPurifier, so if you want to add extra configuration for the purifier, do it in this file.

2)
Open main.php and make it look like:

'preload'=>array('log', 'input'),  
'components'=>array(  
    [...]  
    'input'=>array(   
            'class'         => 'CmsInput',  
            'cleanPost'     => false,  
            'cleanGet'      => false,   
        ),
    [...]  
),  

The component has the ability to be used as a global cleaning tool, so that if you set:

'input'=>array(   
            'class'         => 'CmsInput',  
            'cleanPost'     => true,  
            'cleanGet'      => true,  
        ),

The $_GET/$_POST will be cleaned right when the application starts, at the onBeginRequest event.
In case you use this approach (i wouldn't recommend it, but there are cases when you might need it) you should know that the $_GET/$_POST are cleaned using Yii::app()->input->xssClean() which might remove HTML markup that you want to keep. If this happens, you have following methods available to access the original global arrays:

Yii::app()->input->getOriginalPost();//returns the original, uncleaned $_POST array()  
Yii::app()->input->getOriginalGet();//returns the original, uncleaned $_GET array()   
Changelog

VERSION 1.1

  • Added public $cleanMethod, which allows to specify which filter should be used to clean globals.You can use the following methods for cleaning:

->stripCleanEncode();
->stripTags();
->stripClean(); //default one
->xssClean();
->encode();
->purify();
->cleanEncode();
->stripEncode();

  • Added stripEncode method, which will strip tags and encode.
  • Added cleanEncode method that will xssClean and encode
  • Added decode method to decode a string/array
  • post/get methods can now retrieve the entire array at once
  • getOriginalPost()/getOriginalGet() can retrieve a single key or the entire array
  • Fixed a bug in the encode method
  • Added logging for global filtering
  • The cleaning of the globals is now set to true by default, it is safer this way
  • Other various changes.
Changelog for 1.2
  • added getQuery(), a wrapper for get() to be more yii like.
  • getPost will now retrieve a value from $_POST, being a post() wrapper to be more yii like.
  • fixed a bug in get/post where if the $defaultValue was set and the variable didn't existed  it would return an empty string(thanks to Wiseon3 [http://www.yiiframework.com/user/13664/] who pointed it out)
  • logging will occur just in debug mode from now on.
  • changed the default cleaning method to from stripCleanEncode to stripClean
Changelog for 1.3
  • Updated CodeIgniter Security class
  • Improved the stripTags method so that encoded chars won't go through anymore (thanks Jos Wetzels (a.l.g.m.wetzels@gmail.com))

This is a pretty large component, so it might take a while to fully understand how it works, but in the end, it is a tool that is needed to be sure the user input is sanitized and clean.

Also, worth taking a look inside the CmsInput.php file to understand it better.

36 0
56 followers
3 445 downloads
Yii Version: 1.1
License: (not set)
Category: Security
Developed by: twisted1919
Created on: Jun 4, 2011
Last updated: 3 years ago

Downloads

show all

Related Extensions