Legacy Documentation: you are using the documentation for version 3.5.17.
Security Class

Calling the Security Class

- class Security

  This class is initialized automatically.
Cross Site Scripting Protection

For general XSS protection handling, please refer to the Cross Site Scripting section of the security guidelines.

- Security::xss_clean($str[, $is_image = FALSE])

  xss_clean() is the built-in ExpressionEngine XSS sanitization method, which is constantly tweaked for improved security and performance:

  $str = ee()->security->xss_clean($str);

  Parameters:
  - $str (mixed) – Either a string or an array to sanitize
  - $is_image (boolean) – Set to TRUE if you want to test images for XSS attacks.

  Returns: Either a string or an array of sanitized strings. If $is_image is set to TRUE, will return FALSE if the image fails the check.

  Return type: Mixed
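The following is an added example and not code from the ExpressionEngine documentation or from the project itself. It shows the two ways xss_clean() is used in practice inside an add-on: once over an array of submitted form fields (the array form documented above) and once with $is_image = TRUE to vet an uploaded image before it is moved anywhere web-accessible. It assumes ee() is available (the code runs inside ExpressionEngine 3.x), that the image check inspects the raw file contents (an assumption; the page only says the method "tests images for XSS attacks"), and the $fields array and the temporary path are constructed sample input.

```php
<?php
// Added example, not part of the ExpressionEngine documentation.
// Assumptions: ee() is available inside an ExpressionEngine 3.x add-on;
// with $is_image = TRUE the method is given the raw image bytes (assumption).

/**
 * Sanitize every submitted field in one call. xss_clean() accepts an array,
 * so nested form data is handled and the array shape is preserved.
 */
function clean_submission(array $fields)
{
    return ee()->security->xss_clean($fields);
}

/**
 * TRUE only when the uploaded image passes the XSS check. With $is_image = TRUE
 * the documented failure value is FALSE, so the result is compared strictly
 * instead of being used as a string.
 */
function image_is_clean($tmp_path)
{
    $contents = file_get_contents($tmp_path); // assumption: raw bytes are inspected
    if ($contents === FALSE)
    {
        return FALSE; // unreadable file: treat as a failed check
    }

    return ee()->security->xss_clean($contents, TRUE) === TRUE;
}

/**
 * Move an upload into place only after it has passed the image check.
 * Returns TRUE on success, FALSE when the file was rejected and deleted.
 */
function accept_upload($tmp_path, $destination)
{
    if ( ! image_is_clean($tmp_path))
    {
        @unlink($tmp_path);   // never leave a rejected file lying around
        return FALSE;
    }

    return move_uploaded_file($tmp_path, $destination);
}

// Constructed sample input: what a comment form might post.
$fields = array(
    'name'    => 'Visitor',
    'comment' => "Hello <script>alert('xss')</script> world",
    'tags'    => array('one', '<img src=x onerror=alert(1)>'),
);

$clean = clean_submission($fields);
// $clean has the same keys as $fields; 'comment' and 'tags'[1] no longer
// carry executable markup, the harmless values come back unchanged.

// Placeholder paths for the uploaded file and its final location.
$ok = accept_upload('/tmp/php_upload_placeholder', '/var/www/site/uploads/avatar.png');
if ( ! $ok)
{
    // Report the rejection to the user; the file is already gone.
    echo 'Upload rejected: image failed the XSS check.'.PHP_EOL;
}
```

The strict `=== TRUE` comparison matters: a sanitized string and the FALSE failure value are both "truthy-looking" to careless code, and the documented failure signal for images is specifically FALSE.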
Cross Site Request Forgery Protection

For general CSRF protection handling, please refer to the Cross Site Request Forgery section of the security guidelines.

- Security::restore_xid([$xid = REQUEST_XID])

  Deprecated since version 2.8: CSRF Tokens are now multi-use.

  By default all XIDs are single use tokens. In some cases you may want to allow reuse of the token. To do this you can call restore_xid() at any point during the request that consumed the token.

  ee()->security->restore_xid();
Other Class Methods

- Security::sanitize_filename($str[, $relative_path = FALSE])

  Removes naughty characters from filenames. Returns a sanitized string:

  $filename = ee()->security->sanitize_filename($name);

  Parameters:
  - $str (string) – Filename to sanitize
  - $relative_path (boolean) – Set to TRUE if you want to validate a filename with a relative path

  Returns: Sanitized filename

  Return type: String
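The following is an added example, not code from the ExpressionEngine documentation or the project. It uses sanitize_filename() the way a defender wants it used: rather than trusting whatever comes back, it rejects any name the sanitizer had to alter, and then checks with realpath() that the final path still resolves inside the upload directory. The $relative_path flag is exposed as a parameter so the same helper serves both documented modes. It assumes ee() is available inside an ExpressionEngine 3.x add-on; the upload directory and the submitted names are constructed sample input, and the helper name safe_upload_path is hypothetical.

```php
<?php
// Added example, not part of the ExpressionEngine documentation.
// Assumption: ee() is available inside an ExpressionEngine 3.x add-on.

/**
 * Build an absolute destination path for a user-supplied filename.
 * Returns the path, or FALSE when the name is rejected.
 *
 * Rejection rule: if sanitize_filename() changed the name at all, something
 * "naughty" was in it, so the request is refused instead of silently rewritten.
 */
function safe_upload_path($upload_dir, $submitted_name, $allow_subdir = FALSE)
{
    $clean = ee()->security->sanitize_filename($submitted_name, $allow_subdir);

    if ($clean === '' || $clean !== $submitted_name)
    {
        return FALSE;
    }

    // Second check independent of the sanitizer: the resolved parent directory
    // must be the upload directory or sit below it. The sub-directory must
    // already exist for realpath() to resolve it; a missing one is rejected.
    $base   = realpath($upload_dir);
    $target = $base.DIRECTORY_SEPARATOR.$clean;
    $parent = realpath(dirname($target));

    if ($base === FALSE || $parent === FALSE)
    {
        return FALSE;
    }
    if ($parent !== $base && strpos($parent, $base.DIRECTORY_SEPARATOR) !== 0)
    {
        return FALSE;
    }

    return $target;
}

// Constructed sample input. $upload_dir must exist for realpath() to succeed.
$upload_dir = '/var/www/site/uploads';
$names = array(
    'report.pdf',          // expected: accepted, name comes back unchanged
    '../../etc/passwd',    // expected: rejected, the traversal sequence is stripped
    "notes\0.php",         // expected: rejected, the name is altered by sanitizing
    '2024/invoice.pdf',    // expected: rejected unless $allow_subdir is TRUE
);

foreach ($names as $name)
{
    $path = safe_upload_path($upload_dir, $name);
    echo str_replace("\0", '\0', $name).' => '.($path === FALSE ? 'rejected' : $path).PHP_EOL;
}

// With $relative_path = TRUE a sub-directory inside the name is legal, but the
// realpath() check still refuses anything that escapes $upload_dir.
$path = safe_upload_path($upload_dir, '2024/invoice.pdf', TRUE);
echo '2024/invoice.pdf (relative allowed) => '.($path === FALSE ? 'rejected' : $path).PHP_EOL;
```

Comparing the sanitized name against the original is the key design choice: it turns the sanitizer into a validator, so the add-on never has to know exactly which characters the method strips, only that it stripped something.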
- Security::xss_hash()

  Returns a random hash:

  echo ee()->security->xss_hash();

  Returns: Random hash

  Return type: String