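/**
 * Run the XSS filter over the uploaded temp file (`$this->file_temp`).
 *
 * Images take a fast path: if getimagesize() accepts the file, only its first 256 bytes are
 * scanned for the tags that legacy IE content-sniffing uses to reinterpret an "image" as HTML.
 * Anything else is read in full and handed to Security::xss_clean() with the is_image flag.
 * The image check is a heuristic against browser MIME sniffing, not a full parse of the file;
 * serving uploads with a correct Content-Type and `X-Content-Type-Options: nosniff` is the
 * complementary server-side mitigation.
 *
 * @return bool TRUE when the file looks clean; FALSE on an empty/unreadable file or when
 *              the filter rejects its contents. (Security::xss_clean() returns a bool when
 *              called with is_image = TRUE, so every path yields a bool.)
 */
public function do_xss_clean()
{
    $file = $this->file_temp;

    if (filesize($file) == 0) {
        return FALSE;
    }

    // file_get_contents() below loads the whole upload into memory, so grow memory_limit by the
    // file size. ini_get('memory_limit') is a shorthand string ("128M", "1G", "-1" = unlimited);
    // the unit suffix must be honoured - treating every value as megabytes would turn "1G" into
    // 1 MB and LOWER the limit, and "-1" would become a negative byte count.
    if (memory_get_usage() && ($memory_limit = ini_get('memory_limit')) !== FALSE) {
        $digits = strspn($memory_limit, '0123456789');
        $limit_bytes = (int) substr($memory_limit, 0, $digits);
        $unit = strtolower(substr($memory_limit, $digits, 1));

        if ($unit === 'g') {
            $limit_bytes *= 1024 * 1024 * 1024;
        } elseif ($unit === 'm') {
            $limit_bytes *= 1024 * 1024;
        } elseif ($unit === 'k') {
            $limit_bytes *= 1024;
        }

        // A non-positive limit ("-1", or a value we could not parse) means unlimited: nothing to raise.
        if ($limit_bytes > 0) {
            // number_format() guarantees a plain integer string (no scientific notation for large
            // values, see http://bugs.php.net/bug.php?id=43053); an integer memory_limit is in bytes.
            ini_set('memory_limit', number_format(filesize($file) + $limit_bytes, 0, '.', ''));
        }
    }

    // If the file being uploaded is an image, then we should have no problem with XSS attacks (in theory), but
    // IE can be fooled into mime-type detecting a malformed image as an html file, thus executing an XSS attack on anyone
    // using IE who looks at the image. It does this by inspecting the first 256 bytes of an image. To get around this
    // CI will itself look at the first 256 bytes of an image to determine its relative safety. This can save a lot of
    // processor power and time if it is actually a clean image, as it will be in nearly all instances _except_ an
    // attempted XSS attack.
    if (function_exists('getimagesize') && @getimagesize($file) !== FALSE) {
        $fh = @fopen($file, 'rb');
        if ($fh === FALSE) {
            // Couldn't open the file, return FALSE
            return FALSE;
        }

        $opening_bytes = fread($fh, 256);
        fclose($fh);

        // These are known to throw IE into mime-type detection chaos:
        // <a, <body, <head, <html, <img, <plaintext, <pre, <script, <table, <title
        // title is basically just in SVG, but we filter it anyhow.
        // No "triggers" in the first 256 bytes - we're good. NOTE: this is the only check an image
        // gets; bytes past 256 are never inspected here.
        return !preg_match('/<(a|body|head|html|img|plaintext|pre|script|table|title)[\\s>]/i', $opening_bytes);
    }

    if (($data = @file_get_contents($file)) === FALSE) {
        return FALSE;
    }

    return $this->_CI->security->xss_clean($data, TRUE);
}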