ExpressionEngine Docs

Security Class

Calling the Security Class

class Security

This class is initialized automatically.

Cross Site Scripting Protection

For general XSS protection handling, please refer to the Cross Site Scripting section of the security guidelines.

xss_clean($str[, $is_image = FALSE])

Parameter   Type      Description
$str        Mixed     Either a string or an array to sanitize
$is_image   Boolean   Set to TRUE if you want to test images for XSS attacks.
Returns     Mixed     Either a string or an array of sanitized strings. If $is_image is set to TRUE, returns FALSE if the image fails the check.

xss_clean() is the built-in ExpressionEngine XSS sanitization method, which is continually tweaked for improved security and performance:

$str = ee()->security->xss_clean($str);

Cross Site Request Forgery Protection

For general CSRF protection handling, please refer to the Cross Site Request Forgery section of the security guidelines.

restore_xid([$xid = REQUEST_XID])

Deprecated since version 2.8: CSRF Tokens are now multi-use.

Other Class Methods

sanitize_filename($str[, $relative_path = FALSE])

Parameter        Type      Description
$str             String    Filename to sanitize
$relative_path   Boolean   Set to TRUE if you want to validate a filename with a relative path
Returns          String    Sanitized filename

Removes characters that are unsafe in a filename and returns the sanitized string:

$filename = ee()->security->sanitize_filename($name);
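Putting xss_clean() and sanitize_filename() together in one form handler, as an added example that is not part of the ExpressionEngine docs: it assumes the code runs inside an EE add-on where ee() and show_error() are available, and $upload_dir and the 'attachment' field name are hypothetical.

```php
<?php
// Added example, not from the ExpressionEngine docs. Assumes an EE add-on
// context (ee() is available); $upload_dir and 'attachment' are hypothetical.

function handle_submission(array $post, array $file, $upload_dir)
{
    // xss_clean() accepts an array and sanitizes every value in it.
    $clean = ee()->security->xss_clean($post);

    // Never trust the client-supplied filename: strip path separators and
    // other unsafe characters before it becomes part of a filesystem path.
    $name = ee()->security->sanitize_filename($file['name']);
    if ($name === '') {
        return array('error' => 'invalid filename', 'data' => $clean);
    }

    // With $is_image = TRUE, xss_clean() inspects the image data and returns
    // FALSE when it detects embedded script, so the upload is rejected.
    $image = file_get_contents($file['tmp_name']);
    if (ee()->security->xss_clean($image, TRUE) === FALSE) {
        return array('error' => 'image failed XSS check', 'data' => $clean);
    }

    $dest = rtrim($upload_dir, '/') . '/' . $name;
    if ( ! move_uploaded_file($file['tmp_name'], $dest)) {
        return array('error' => 'could not store file', 'data' => $clean);
    }

    return array('error' => NULL, 'data' => $clean, 'path' => $dest);
}

// Typical call from a form-processing action:
$result = handle_submission($_POST, $_FILES['attachment'], $upload_dir);
if ($result['error'] !== NULL) {
    show_error($result['error']);
}
```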

xss_hash()

Parameter   Type     Description
Returns     String   Random hash

Returns a random hash:

echo ee()->security->xss_hash();