The Input Library serves two purposes:
- It pre-processes global input data for security.
- It provides some helper handlers for fetching input data and pre-processing it.
Note: This library is initialized automatically by the system so there is no need to do it manually.
The security filtering function is called automatically when a new controller is invoked. It does the following:
- Destroys the global GET array. Since revIgniter does not utilize GET strings (unless you have the query string option enabled in your config file), there is no reason to allow it.
- Filters the POST/COOKIE array keys, permitting only alpha-numeric (and a few other) characters.
- Provides XSS (Cross-site Scripting Hacks) filtering. This can be enabled globally, or upon request.
- Standardizes newline characters to LF
revIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
Note: This function should only be used to deal with data upon submission. It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
To filter data through the XSS filter use this function:
Here is an usage example:
put rigXssClean(tData) into tData
If you want the filter to run automatically every time it encounters POST or COOKIE data you can enable it by opening your application/config/config.lc file and setting this:
put TRUE into gConfig["globalXssFiltering"]
Note: If you use the form validation library, it gives you the option of XSS filtering as well.
An optional second parameter, pImage, allows this function to be used to test images for potential XSS attacks, useful for file upload security. When this second parameter is set to TRUE, instead of returning an altered string, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.
if rigXssClean(tFile, TRUE) is FALSE then -- file failed the XSS test end if
Use this function to sanitize filenames from user input to prevent directory traversal and other security related issues. Here is an example:
put rigSanitizeFilename(rigVarPost("filename")) into tFilename
If it is acceptable for the user input to include relative paths, e.g. file/in/some/approved/folder.txt, you can set the second optional parameter, tRelativePath to TRUE.
put rigSanitizeFilename(rigVarPost("filename"), TRUE) into tFilename
Cross-site request forgery (CSRF) Protection
You can enable CSRF protection by opening your application/config/config.lc file and setting gConfig["csrf_protection"] to TRUE. When set to TRUE, token will be checked on a submitted form using the rigFormOpen() function (included in formHelper.lc) and matched with a CSRF cookie. If you are accepting user data, it is strongly recommended CSRF protection be enabled.
put TRUE into gConfig["csrf_protection"]
Using the form helper and the rigFormOpen() function will automatically insert a hidden CSRF token field in your forms.
You'll find the following CSRF related preferences in your application/config/config.lc file:
|csrf_protection||FALSE||TRUE/FALSE (boolean)||Whether to enable CSRF protection.|
|csrf_token_name||csrfTokenName||None||The name of the token to be set.|
|csrf_cookie_name||csrfCookieName||None||The name of the cookie to be set.|
|csrf_expire||7200||Time in seconds||The number in seconds from the current time the token should expire.|
Note: Keep in mind that the current time used to calculate expiration time is referenced either to your server's local time or GMT, based on the "time reference" setting in your config file.
Using POST, COOKIE, or SERVER Data
revIgniter comes with five helper functions that let you fetch POST, COOKIE or SERVER items. The main advantage of using the provided functions rather than fetching an item directly ($_POST["something"]) is that the functions will check to see if the item exists and return false (boolean) if not. This lets you conveniently use data without having to test whether an item exists first. In other words, normally you might do something like this:
if "something" is not among the keys of $_POST then put FALSE into tSomething else put $_POST["something"] into tSomething }
With revIgniter's built in functions you can simply do this:
put rigVarPost("something") into tSomething
The five functions are:
- rigVarGet() (in case you have the query string option enabled in your config file)
The first parameter will contain the name of the POST item you are looking for:
The function returns FALSE (boolean) if the item you are attempting to retrieve does not exist.
The second optional parameter lets you run the data through the XSS filter. It's enabled by setting the second parameter to boolean TRUE;
get rigVarPost("someData", TRUE)
This function is identical to the post function, only it fetches get data:
get rigVarGet("someData", TRUE)
This function will search through both the post and get streams for data, looking first in post, and then in get:
get rigVarGetPost("someData", TRUE)
This function is identical to the post function, only it fetches cookie data:
get rigVarCookie("someData", TRUE)
This function is identical to the above functions, only it fetches server data:
Dealing with LiveCode Arrays in Post Data
You can send LiveCode arrays to revIgniter using POST. For this to work the following headers must be sent along with the POST data: "Content-Type: application/lc.array" or "Content-Type: application/lc.array.compressed" respectively in case you like to send your array in compressed form.
to prepare LiveCode arrays on the client side.
Then format your data using LiveCode's libURLFormData() function like:
put libURLFormData("arrayName", tMyPreparedArray, "anotherArrayName", tMyOtherPreparedArray, "keyForSomeString", "myString") into tDataToSend
Set the correct header and send the data to revIgniter:
set the httpHeaders to "Content-Type: application/lc.array.compressed" post tDataToSend to URL "http://mysite.com/mycontroller/"
On the server side you can retrieve your data like:
put rigVarPost("arrayName") into tMyArray
Dealing with JSON in Post Data
To post JSON send "Content-Type: application/json" along with the POST data. This way there is no need to send JSON as form data.
On the server side JSON data can be retrieved from $_POST and from $_POST_RAW as well as from rigVarPost() or from rigVarPost(, TRUE) respectively.
Returns the IP address for the current user. If the IP address is not valid, the function will return an IP of: 0.0.0.0
put rigIpAddress() into tIP
Takes an IP address as input and returns TRUE or FALSE (boolean) if it is valid or not. Note: The rigIpAddress() function above validates the IP automatically.
if rigValidIP(tIP) is FALSE then put "Not Valid" into tUserIP else put "Valid" into tUserIP end if
Accepts an optional second string parameter of "IPv4" or "IPv6" to specify an IP format. The default checks for both formats.
Returns the user agent (web browser) being used by the current user. Returns FALSE if it's not available.
put rigUserAgent() into tUserAgent