docs/classes/security.html at develop · royappa/docs

393 lines (377 loc) · 10.3 KB
<!DOCTYPE html>
	<meta charset="utf-8">
	<title>Security Class - Fuel Documentation</title>
	<link href="../assets/css/main.css" media="screen" rel="stylesheet" />
	<script type="text/javascript" src="../assets/js/jquery-1.4.4.min.js"></script>
	<script type="text/javascript" src="../assets/js/nav.js"></script>
	<script type="text/javascript" src="../assets/js/highlight.pack.js"></script>
	<script type="text/javascript">
		$(function() {
			show_nav('classes', '../');
		hljs.tabReplace = '    ';
		hljs.initHighlightingOnLoad();
		<h1>Fuel Documentation</h1>
	<div id="main-nav"></div>
	<section id="content">
		<h2>Security Class</h2>
		<p>The security class allows you to have CSRF protection in your application.</p>
		<section>
			<h2>Configuration</h2>
				The security class is configured through the security section of the <kbd>app/config/config.php</kbd> configuration file.
			<p>The following security configuration settings can be defined:</p>
			<table class="config">
				<tbody>
					<tr class="header">
						<th>Param</th>
						<th>Type</th>
						<th>Default</th>
						<th>Description</th>
						<th>csrf_autoload</th>
						<td>boolean</td>
						<td><pre class="php"><code>true</code></pre></td>
							When true, load and check the CSRF token using check_token() automatically.
						</td>
						<th>csrf_token_key</th>
						<td>string</td>
						<td><pre class="php"><code>'fuel_csrf_token'</code></pre></td>
							Name used for the CSRF token cookie, and the name of the form field containing the token.
						</td>
						<th>csrf_expiration</th>
						<td>integer</td>
						<td><pre class="php"><code>0</code></pre></td>
							Expiration time for the CRSF token cookie. Default, the cookie expires at end of browser session.
						</td>
						<th>uri_filter</th>
						<td>array</td>
						<td><pre class="php"><code>array('htmlentities')</code></pre></td>
							Array of callable items (PHP functions, object methods, static class methods) used to filter the URI. By default, it uses PHP's htmlentities internal function.
						</td>
						<th>input_filter</th>
						<td>array</td>
						<td><pre class="php"><code>array()</code></pre></td>
							Array of callable items (PHP functions, object methods, static class methods) used to filter $_GET, $_POST and $_COOKIE. By default, no input filters are defined.
						</td>
						<th>auto_encode_view_data</th>
						<td>boolean</td>
						<td><pre class="php"><code>true</code></pre></td>
							When true, all variables passed on to view objects are automatically encoded.
						</td>
						<th>whitelisted_classes</th>
						<td>array</td>
						<td><pre class="php"><code>array('stdClass', 'Fuel\\Core\\View',<br /> 'Fuel\\Core\\ViewModel', 'Closure')</code></pre></td>
							When auto encoding of view variables is enabled, you can run into issues when passing objects to the view. Classes defined in this
							array will be exempt from auto encoding.
						</td>
				</tbody>
			</table>
		</section>
		<article>
			<h4 id="method_check_token">check_token($value = null)</h4>
			<p>The <strong>check_token</strong> method allows you to check the CSRF token.<br />
			Check token also ensures a token is present and will reset the token for the next session when it receives
			a value to check (no matter the result of the check).</p>
			<table class="method">
				<tbody>
					<th class="legend">Static</th>
					<td>Yes</td>
					<th>Parameters</th>
						<table class="parameters">
							<tr>
								<th>Param</th>
								<th>Default</th>
								<th class="description">Description</th>
							</tr>
							<tr>
								<th><kbd>$value</kbd></th>
								<td><pre class="php"><code>null</code></pre></td>
								<td>CSRF token to be checked, checks value from POST when empty.</td>
							</tr>
						</table>
					<th>Returns</th>
					<td>boolean</td>
					<th>Example</th>
						<pre class="php"><code>Security::check_token();</code></pre>
				</tbody>
			</table>
		</article>
		<article>
			<h4 id="method_fetch_token">fetch_token()</h4>
			<p>The <strong>fetch_token</strong> method allows you to fetch the CSRF token from the cookie.</p>
			<table class="method">
				<tbody>
					<th class="legend">Static</th>
					<td>Yes</td>
					<th>Parameters</th>
					<td>None</td>
					<th>Returns</th>
					<td>string</td>
					<th>Example</th>
						<pre class="php"><code>$csrf_token = Security::fetch_token();</code></pre>
				</tbody>
			</table>
		</article>
		<article>
			<h4 id="method_js_fetch_token">js_fetch_token()</h4>
			<p>The <strong>js_fetch_token</strong> method allows you to produce JavaScript fuel_csrf_token() function that will return the current CSRF token when called. Use to fill right field on form submit for AJAX operations.</p>
			<table class="method">
				<tbody>
					<th class="legend">Static</th>
					<td>Yes</td>
					<th>Parameters</th>
					<td>None</td>
					<th>Returns</th>
					<td>string</td>
					<th>Example</th>
						<pre class="php"><code>echo Security::js_fetch_token();</code></pre>
				</tbody>
			</table>
		</article>
		<article>
			<h4 id="method_clean">clean($value, $filters)</h4>
			<p>The <strong>clean</strong> method allows you clean data using the filters provided.</p>
			<table class="method">
				<tbody>
					<th class="legend">Static</th>
					<td>Yes</td>
					<th>Parameters</th>
						<table class="parameters">
							<tr>
								<th>Param</th>
								<th>Default</th>
								<th class="description">Description</th>
							</tr>
							<tr>
								<th><kbd>$value</kbd></th>
								<td><i>Required</i></td>
								<td>The value to be cleaned. This can be a string value, or an array of string values.</td>
							</tr>
							<tr>
								<th><kbd>$filters</kbd></th>
								<td><i>Required</i></td>
								<td>
									The filters to be used to clean the string(s). A filter can be a single value, or an array of values. Each value must be a valid PHP callback.
									You may specify functions ('htmlentities'), objects ($this), or static methods ('Classname::method').
								</td>
							</tr>
						</table>
					<th>Returns</th>
					<td>string</td>
					<th>Example</th>
						<pre class="php"><code>// first strip tags, convert html entities in the remaining data, and finish it off using our special cleaning solution
$filters = array('strip_tags', 'html_entities', '\\cleaners\\soap::clean');
$text = Security::clean($text, $filters);</code></pre>
				</tbody>
			</table>
		</article>
		<article>
			<h4 id="method_strip_tags">strip_tags($value)</h4>
			<p>The <strong>strip_tags</strong> method allows you to strip HTML and PHP tags from a string.</p>
			<table class="method">
				<tbody>
					<th class="legend">Static</th>
					<td>Yes</td>
					<th>Parameters</th>
						<table class="parameters">
							<tr>
								<th>Param</th>
								<th>Default</th>
								<th class="description">Description</th>
							</tr>
							<tr>
								<th><kbd>$value</kbd></th>
								<td><i>Required</i></td>
								<td>The input string.</td>
							</tr>
						</table>
					<th>Returns</th>
					<td>string</td>
					<th>Example</th>
						<pre class="php"><code>$text = '&lt;p&gt;Test paragraph.&lt;/p&gt;';
$text = Security::strip_tags($text);</code></pre>
				</tbody>
			</table>
		</article>
		<article>
			<h4 id="method_xss_clean">xss_clean($value)</h4>
			<p>The <strong>xss_clean</strong> method allows you to strip dangerous HTML tags from a string, using the HTMLawed library.</p>
			<table class="method">
				<tbody>
					<th class="legend">Static</th>
					<td>Yes</td>
					<th>Parameters</th>
						<table class="parameters">
							<tr>
								<th>Param</th>
								<th>Default</th>
								<th class="description">Description</th>
							</tr>
							<tr>
								<th><kbd>$value</kbd></th>
								<td><i>Required</i></td>
								<td>The input string.</td>
							</tr>
						</table>
					<th>Returns</th>
					<td>string</td>
					<th>Example</th>
						<pre class="php"><code>$text = '&lt;SCRIPT&gt;alert("XSS attack!")&lt;/SCRIPT&gt;';
$text = Security::xss_clean($text);</code></pre>
				</tbody>
			</table>
		</article>
		<article>
			<h4 id="method_htmlentities">htmlentities($value)</h4>
				The <strong>htmlentities</strong> method allows you to escape HTML entities. This method operates identical to PHP's htmlentities() function
				but supports array's and objects as well.
			<table class="method">
				<tbody>
					<th class="legend">Static</th>
					<td>Yes</td>
					<th>Parameters</th>
						<table class="parameters">
							<tr>
								<th>Param</th>
								<th>Default</th>
								<th class="description">Description</th>
							</tr>
							<tr>
								<th><kbd>$value</kbd></th>
								<td><i>Required</i></td>
								<td>The input value.</td>
							</tr>
						</table>
					<th>Returns</th>
					<td>mixed</td>
					<th>Throws</th>
					<td><strong>RuntimeException</strong>, in case an object has been passed that can't be cast as string.</td>
					<th>Example</th>
						<pre class="php"><code>$text = '&lt;p&gt;Test paragraph.&lt;/p&gt;';
$text = Security::htmlentities($text);</code></pre>
				</tbody>
			</table>
		</article>
	</section>
	<section id="footer">
			<a href="http://fuelphp.com">Fuel</a> is released under the MIT license.<br />
			&copy; 2010 - 2011 Fuel Development Team
	</section>
Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FilesExpand file tree

security.html

Latest commit

History

security.html

File metadata and controls
