class Sec

Constants

JWT_ALG_HS256

JWT_ALG_RS256

JWT_ALG_UNSUPPORTED

Methods

aes_decrypt($string, $key = false) deprecated

No description

string
aes_decrypt_ctr(string $string, string $key = null)

AES counter-mode (CTR) decryption (PHP based)

string
aes_encrypt($string, $key = false) deprecated

Encrypts a string and returns a binary string

string
aes_encrypt_ctr(string $string, string $key = null)

AES counter-mode (CTR) encryption (PHP based)

string
calculate_totp_code($secret, null $timeSlice = null)

No description

mixed
execute_circumventing_rights(Closure|callable $callback, array $params = [])

Executes the given callback in CMD mode, which bypasses all rights checks. DO NOT USE LIGHTLY! This is intended primarily for reference and link resolution.

string|string[]
filename($filename)

Ensures a filename contains no directory characters, to prevent directory traversal

string
generateJWTToken(string $secret, User $user = null, array $customPayload = [])

Generates a JWT Token.

string
generate_password(int $length = 8, int $strength = 7)

Wrapper for generate_pronouncable_password (pronounceable password)

string
generate_pronouncable_password(int $length = 8, int $strength = 7)

Generates a pronounceable password

generate_random_password(int $length = 8, int $strength = 7)

Returns a generated password string

string
generate_totp_secret()

Generates a Secret for TOTP Authentication

static string|null
getJWTAlgorithm(string $JWT)

Determine JWT Algorithm

int
get_password_score(mixed $password)

Check how good a password is (Score > 4 is acceptable, Score > 7 is good)

init()

No description

string|null
input(string $string, array $options = array('xss', 'sql'))

Filter INPUT based on certain rules:

  • XSS: encodes all special characters ('"<>& and characters with an ASCII value below 32)

array
input_array(array $array, string $filterType = 'intcast')

Takes an array and casts values / escapes values according to type

bool
isValidJWTToken(string $token, string|resource $secretOrPublicKeyInfo = null, string|null $alg = self::JWT_ALG_HS256, array $header = [], array $payload = [])

Checks the standard security criteria of the supplied JWT token. If no security material (expiration, signature) is provided, this method only decodes the token.

bool
isValidUUID(string $uuid)

Check if this looks like a valid uuid (32 chars, hex only)

iv_decrypt()

No description

iv_encrypt($string)

No description

string
sanitizeHtmlToMarkdown(string $htmlString, bool $allowImages = true, bool $allowHTML = false, bool $allowMentions = true)

Sanitize/Convert HTML to Markdown

void
sendCommonSecurityHeaders()

This function automatically sends the common security headers that apply, based on the configuration and the currently known environment

sendContentSecurityPolicyHeader()

Send CSP Header

bool
sendContentSecurityPolicyHeaderForUserUpload(string $fileExtension = null)

Sends CSP headers for files that are user uploads, to prevent persistent XSS when users upload active content. The headers sent depend on the file type and the system configuration.

void
sendStrictTransportSecurityHeader()

The Strict-Transport-Security header tells the browser to always access this site via HTTPS

Details

at line 190
aes_decrypt($string, $key = false) deprecated

deprecated Use aes_decrypt_ctr

No description

Parameters

$string
$key

at line 241
string aes_decrypt_ctr(string $string, string $key = null)

AES counter-mode (CTR) decryption (PHP based)

Parameters

string $string

(Output of aes_encrypt_ctr, which includes the random bytes that method generates)

string $key

Optional Key Extension

Return Value

string decrypted

at line 178
string aes_encrypt($string, $key = false) deprecated

deprecated Use aes_encrypt_ctr

Encrypts a string and returns a binary string

Parameters

$string
$key

Return Value

string

encrypted string

at line 206
string aes_encrypt_ctr(string $string, string $key = null)

AES counter-mode (CTR) encryption (PHP based)

Parameters

string $string
string $key

Optional Key Extension

Return Value

string encrypted
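As an added example (not the Sec class's own code), this is how a CTR encrypt/decrypt pair of the kind documented above should be built in plain PHP: a fresh random nonce is drawn per call and carried inside the output, and, because CTR mode alone provides no integrity, the ciphertext is authenticated with an HMAC that is verified in constant time before anything is decrypted. The function names, the HKDF key split and the nonce||ciphertext||tag layout are assumptions, not the class's format.

```php
<?php
// Added example, not the Sec class's code: AES-256-CTR with a random 16-byte
// nonce prepended to the ciphertext, wrapped in encrypt-then-MAC. CTR alone is
// malleable: flipping a ciphertext bit flips the same plaintext bit.
// Function names, key derivation and output layout are assumptions.
declare(strict_types=1);

const CTR_CIPHER = 'aes-256-ctr';
const NONCE_LEN  = 16;   // AES block size: nonce / initial counter block
const TAG_LEN    = 32;   // HMAC-SHA256 output length

/** Derive separate encryption and MAC keys from one master key (assumed design). */
function derive_keys(string $masterKey): array
{
    return [
        hash_hkdf('sha256', $masterKey, 32, 'enc'),
        hash_hkdf('sha256', $masterKey, 32, 'mac'),
    ];
}

/** Returns nonce || ciphertext || tag as a binary string. */
function ctr_encrypt_authenticated(string $plaintext, string $masterKey): string
{
    [$encKey, $macKey] = derive_keys($masterKey);
    $nonce = random_bytes(NONCE_LEN);            // never reuse a nonce under one key
    $ct = openssl_encrypt($plaintext, CTR_CIPHER, $encKey, OPENSSL_RAW_DATA, $nonce);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $nonce . $ct, $macKey, true);
    return $nonce . $ct . $tag;
}

/** Verifies the tag before touching the ciphertext; returns null on tampering. */
function ctr_decrypt_authenticated(string $blob, string $masterKey): ?string
{
    if (strlen($blob) < NONCE_LEN + TAG_LEN) {
        return null;
    }
    [$encKey, $macKey] = derive_keys($masterKey);
    $nonce = substr($blob, 0, NONCE_LEN);
    $tag   = substr($blob, -TAG_LEN);
    $ct    = substr($blob, NONCE_LEN, -TAG_LEN);
    $expected = hash_hmac('sha256', $nonce . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {         // constant-time comparison
        return null;                             // tampered, truncated or wrong key
    }
    $pt = openssl_decrypt($ct, CTR_CIPHER, $encKey, OPENSSL_RAW_DATA, $nonce);
    return $pt === false ? null : $pt;
}

// Demo with a constructed key and message.
$key  = random_bytes(32);
$blob = ctr_encrypt_authenticated('transfer 10 EUR', $key);
var_dump(ctr_decrypt_authenticated($blob, $key));       // string(15) "transfer 10 EUR"

// Flip one ciphertext bit (the "1" of the amount). Without the MAC this would
// silently decrypt to "transfer 00 EUR"; with it, decryption refuses.
$tampered = $blob;
$tampered[NONCE_LEN + 9] = chr(ord($tampered[NONCE_LEN + 9]) ^ 0x01);
var_dump(ctr_decrypt_authenticated($tampered, $key));   // NULL
```

Nonce reuse under the same key is fatal in CTR (the XOR of two ciphertexts is the XOR of the two plaintexts), which is why the nonce comes from random_bytes on every call and travels with the ciphertext. Where the surrounding code permits it, openssl's aes-256-gcm gives the same confidentiality plus integrity in a single primitive.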

at line 414
string calculate_totp_code($secret, null $timeSlice = null)

Parameters

$secret
null $timeSlice

Return Value

string

at line 382
mixed execute_circumventing_rights(Closure|callable $callback, array $params = [])

Executes the given callback in CMD mode, which bypasses all rights checks. DO NOT USE LIGHTLY! This is intended primarily for reference and link resolution.

Parameters

Closure|callable $callback
array $params

Return Value

mixed

at line 630
string|string[] filename($filename)

Ensures a filename contains no directory characters, to prevent directory traversal

Parameters

$filename

Return Value

string|string[]
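As an added example (not the Sec class's own code), a sanitiser doing what filename() is documented to do, written to survive the inputs that slip past a naive "strip slashes" filter: both separator styles, dot segments and embedded NUL bytes. The function name and the choice to reject rather than rewrite bad names are assumptions.

```php
<?php
// Added example, not the Sec class's code: keep only the last path segment of
// a user-supplied filename and reject the inputs a simple filter misses.
// The function name is an assumption.
declare(strict_types=1);

function safe_filename(string $filename): string
{
    // A NUL byte terminates C strings further down the stack, so
    // "evil.php\0.jpg" can turn into "evil.php" by the time it hits the disk.
    if (strpos($filename, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in filename');
    }
    // Treat "/" and "\" as directory characters on every host OS, then keep
    // only the final segment: the only thing a file name should ever contain.
    $segments = preg_split('~[\\\\/]+~', $filename);
    $name = end($segments);
    // "." and ".." are directory entries, not file names.
    if ($name === false || $name === '' || $name === '.' || $name === '..') {
        throw new InvalidArgumentException('empty or directory-like filename');
    }
    return $name;
}

/** Runs constructed inputs through the sanitiser; returns name => result. */
function filename_demo(): array
{
    $inputs = ['report.pdf', '../../etc/passwd', '..\\..\\windows\\win.ini',
               '/var/www/uploads/x.png', 'a/../../b.txt', '..', "evil.php\0.jpg"];
    $results = [];
    foreach ($inputs as $in) {
        try {
            $results[$in] = safe_filename($in);
        } catch (InvalidArgumentException $e) {
            $results[$in] = 'REJECTED: ' . $e->getMessage();
        }
    }
    return $results;
}

print_r(filename_demo());
```

This only neutralises path components. The returned name should still be checked against an allowlist of extensions before it is stored, since an HTML or SVG upload that lands safely on disk is still active content when served, which is the case sendContentSecurityPolicyHeaderForUserUpload exists for.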

at line 477
string generateJWTToken(string $secret, User $user = null, array $customPayload = [])

Generates a JWT Token.

Parameters

string $secret
User $user
array $customPayload

Allowing to add or override payload of JWT Token

Return Value

string

See also

https://dev.to/robdwaller/how-to-create-a-json-web-token-using-php-3gml for a JWT PHP How-to
https://jwt.io/ to test the generated JWT

at line 263
string generate_password(int $length = 8, int $strength = 7)

Wrapper for generate_pronouncable_password (pronounceable password)

Parameters

int $length

Length of the password

int $strength

Strength of the password, as a bitmask: 1 = include capital consonants, 2 = include capital vowels, 4 = include digits, 8 = include special characters

Return Value

string Password

at line 299
string generate_pronouncable_password(int $length = 8, int $strength = 7)

Generates a pronounceable password

Parameters

int $length

Length of the password

int $strength

Strength of the password, as a bitmask: 1 = include capital consonants, 2 = include capital vowels, 4 = include digits, 8 = include special characters

Return Value

string Password

at line 273
generate_random_password(int $length = 8, int $strength = 7)

Returns a generated password string

Parameters

int $length
int $strength

Strength of the password, as a bitmask: 1 = include capital consonants, 2 = include capital vowels, 4 = include digits, 8 = include special characters
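As an added example (not the Sec class's own code), a pronounceable-password generator that honours the strength bitmask documented for the three generate_*_password methods. The security-relevant points are that every choice comes from random_int(), PHP's CSPRNG, and that a requested character class is guaranteed to appear rather than merely possible. The function names and the position of the digit and special characters are assumptions.

```php
<?php
// Added example, not the Sec class's code: pronounceable passwords driven by
// the documented strength bits (1 capital consonants, 2 capital vowels,
// 4 digits, 8 special characters). random_int() is the CSPRNG; rand() and
// mt_rand() are predictable and unsuitable for secrets. Where the digit and
// special characters land is an assumption, not the page's specification.
declare(strict_types=1);

const PW_CAPITAL_CONSONANTS = 1;
const PW_CAPITAL_VOWELS     = 2;
const PW_DIGITS             = 4;
const PW_SPECIALS           = 8;

/** One uniformly random character from $alphabet. */
function pick(string $alphabet): string
{
    return $alphabet[random_int(0, strlen($alphabet) - 1)];
}

function pronounceable_password(int $length = 8, int $strength = 7): string
{
    $consonants = 'bcdfghjklmnpqrstvwxz';
    $vowels     = 'aeiou';
    $length     = max($length, 4);
    $pw = '';
    for ($i = 0; $i < $length; $i++) {
        // Alternate consonant/vowel so the result can be read aloud.
        $isConsonant = ($i % 2 === 0);
        $c   = pick($isConsonant ? $consonants : $vowels);
        $bit = $isConsonant ? PW_CAPITAL_CONSONANTS : PW_CAPITAL_VOWELS;
        if (($strength & $bit) !== 0 && random_int(0, 1) === 1) {
            $c = strtoupper($c);
        }
        $pw .= $c;
    }
    // Requested classes are guaranteed, not merely possible: overwrite the tail.
    $suffix = '';
    if ($strength & PW_DIGITS) {
        $suffix .= pick('23456789');             // avoids 0/O and 1/l confusion
    }
    if ($strength & PW_SPECIALS) {
        $suffix .= pick('!#$%&*+-=?@');
    }
    return substr($pw, 0, $length - strlen($suffix)) . $suffix;
}

/** Checks that a generated password contains the classes its bits demand. */
function has_required_classes(string $pw, int $strength): bool
{
    return (!($strength & PW_DIGITS)   || preg_match('/[0-9]/', $pw) === 1)
        && (!($strength & PW_SPECIALS) || preg_match('/[^A-Za-z0-9]/', $pw) === 1);
}

foreach ([7, 15, 4] as $strength) {
    $pw = pronounceable_password(10, $strength);
    printf("%-12s strength=%2d ok=%s\n", $pw, $strength,
           has_required_classes($pw, $strength) ? 'yes' : 'no');
}
```

Pronounceability costs entropy: a lowercase consonant/vowel pair has 20 x 5 = 100 possibilities, roughly 6.6 bits, where two characters drawn freely from a 62-symbol alphabet carry about 11.9. Treat a pronounceable password as a human-memorable initial credential, and let the score from get_password_score decide whether a given length is enough.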

at line 445
string generate_totp_secret()

Generates a Secret for TOTP Authentication

Return Value

string

Base32 secret for use with the TOTP methods
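As an added example (not the Sec class's own code), an RFC 6238 TOTP implementation in plain PHP covering what generate_totp_secret and calculate_totp_code need to do together: a CSPRNG secret encoded in Base32 for the authenticator app, HMAC-SHA1 over the 30-second time slice with HOTP dynamic truncation, and a verifier that accepts one slice of clock skew and compares in constant time. The function and parameter names and the 160-bit secret length are assumptions; the known-answer value comes from RFC 6238 Appendix B.

```php
<?php
// Added example, not the Sec class's code: RFC 6238 TOTP. Names are assumptions.
declare(strict_types=1);

const B32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

function base32_encode(string $bytes): string
{
    $bits = '';
    foreach (str_split($bytes) as $c) {
        $bits .= str_pad(decbin(ord($c)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 5) as $chunk) {
        $out .= B32_ALPHABET[bindec(str_pad($chunk, 5, '0', STR_PAD_RIGHT))];
    }
    return $out;
}

function base32_decode(string $b32): string
{
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $i = strpos(B32_ALPHABET, $c);
        if ($i === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($i), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {               // drop the trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** 160-bit secret from the CSPRNG, Base32 for the authenticator app (assumed length). */
function totp_secret(): string
{
    return base32_encode(random_bytes(20));
}

/** HOTP dynamic truncation (RFC 4226 section 5.3) over the 8-byte big-endian slice. */
function totp_code(string $b32Secret, ?int $timeSlice = null, int $digits = 6, int $period = 30): string
{
    $slice   = $timeSlice ?? intdiv(time(), $period);
    $counter = pack('J', $slice);                // 64-bit unsigned, big-endian
    $hmac    = hash_hmac('sha1', $counter, base32_decode($b32Secret), true);
    $offset  = ord($hmac[19]) & 0x0F;
    $bin = ((ord($hmac[$offset]) & 0x7F) << 24)
         | (ord($hmac[$offset + 1]) << 16)
         | (ord($hmac[$offset + 2]) << 8)
         |  ord($hmac[$offset + 3]);
    return str_pad((string)($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Accepts the current slice and one on either side; compares in constant time. */
function totp_verify(string $b32Secret, string $userCode, ?int $now = null): bool
{
    $slice = intdiv($now ?? time(), 30);
    foreach ([-1, 0, 1] as $skew) {
        if (hash_equals(totp_code($b32Secret, $slice + $skew), $userCode)) {
            return true;
        }
    }
    return false;
}

// Known-answer check, RFC 6238 Appendix B: ASCII secret "12345678901234567890",
// time 59 s -> slice 1 -> 8-digit SHA-1 code 94287082 (6-digit: 287082).
$rfcSecret = base32_encode('12345678901234567890');
echo totp_code($rfcSecret, 1, 8), "\n";                                    // 94287082
echo totp_verify($rfcSecret, totp_code($rfcSecret, 1), 59) ? "ok\n" : "fail\n";
echo totp_secret(), "\n";                                                 // fresh 32-char Base32 secret
```

Two things the verifier must also do in production and this sketch leaves to the caller: remember the last slice that authenticated a user so a captured code cannot be replayed inside its window, and rate-limit attempts, since a six-digit code falls to brute force in about a million tries per window otherwise.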

at line 517
static string|null getJWTAlgorithm(string $JWT)

Determine JWT Algorithm

Parameters

string $JWT

Return Value

string|null

should be HS256 or RS256

at line 343
int get_password_score(mixed $password)

Check how good a password is (Score > 4 is acceptable, Score > 7 is good)

Parameters

mixed $password

Return Value

int

score (0 - 12)

at line 16
init()

No description

at line 31
string|null input(string $string, array $options = array('xss', 'sql'))

Filter INPUT based on certain rules:

  • XSS: encodes all special characters ('"<>& and characters with an ASCII value below 32)

Parameters

string $string

String (or array of strings) to escape

array $options

Array of filter names, or a single filter name: 'sql', 'xss', 'filename', 'nohtml'

Return Value

string|null

escaped string

at line 99
array input_array(array $array, string $filterType = 'intcast')

Takes an array and casts values / escapes values according to type

Parameters

array $array

One-dimensional array

string $filterType

(intcast, sql, xss)

Return Value

array

at line 538
bool isValidJWTToken(string $token, string|resource $secretOrPublicKeyInfo = null, string|null $alg = self::JWT_ALG_HS256, array $header = [], array $payload = [])

Checks the standard security criteria of the supplied JWT token. If no security material (expiration, signature) is provided, this method only decodes the token.

Parameters

string $token

The raw encoded token, e.g. abd3ad.aAD4ad.a9dadkmc-as-ad_d

string|resource $secretOrPublicKeyInfo

The shared secret for HS256; the public key (or a URL to the key set) for RS256

string|null $alg

HS256 or RS256 are supported

array $header
array $payload

Return Value

bool
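As an added example (not the Sec class's own code), a plain-PHP sketch of what generateJWTToken, getJWTAlgorithm and isValidJWTToken have to get right between them. The verifier pins the algorithm to the server-side expectation instead of trusting the token header, which is what stops both alg=none tokens and the HS256/RS256 key-confusion attack (an RS256 token re-signed with HS256 using the public key as the HMAC secret), checks the signature in constant time, and enforces exp and nbf. Function names, the base64url helpers and the claim set are assumptions; the constant values match the names on this page.

```php
<?php
// Added example, not the Sec class's code: HS256 signing plus a verifier that
// pins the algorithm to the server-side expectation. Names are assumptions.
declare(strict_types=1);

const JWT_ALG_HS256 = 'HS256';
const JWT_ALG_RS256 = 'RS256';

function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

/** Strict decode: null on any malformed input rather than a best-effort guess. */
function b64url_decode(string $data): ?string
{
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

/** HS256 token; $customPayload may add or override claims, as the page describes. */
function jwt_sign_hs256(string $secret, array $customPayload = [], int $ttl = 3600): string
{
    $now     = time();
    $payload = array_merge(['iat' => $now, 'exp' => $now + $ttl], $customPayload);
    $header  = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => JWT_ALG_HS256]));
    $body    = b64url_encode(json_encode($payload));
    $sig     = hash_hmac('sha256', "$header.$body", $secret, true);
    return "$header.$body." . b64url_encode($sig);
}

/** Reads alg from the header. Untrusted: it says what the token claims, not what to accept. */
function jwt_algorithm(string $jwt): ?string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $header = json_decode((string)b64url_decode($parts[0]), true);
    return (is_array($header) && isset($header['alg']) && is_string($header['alg'])) ? $header['alg'] : null;
}

/**
 * Returns the payload, or null on any failure. $expectedAlg is what the server
 * configured; $keyMaterial is the shared secret (HS256) or a PEM public key (RS256).
 */
function jwt_verify(string $jwt, string $keyMaterial, string $expectedAlg, ?int $now = null): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $b, $s] = $parts;
    // Compare against the configured algorithm, never the header alone. This
    // rejects alg=none and an RS256 token re-signed as HS256 with the public key.
    if (jwt_algorithm($jwt) !== $expectedAlg) {
        return null;
    }
    $sig     = b64url_decode($s);
    $payload = json_decode((string)b64url_decode($b), true);
    if ($sig === null || !is_array($payload)) {
        return null;
    }
    $signingInput = "$h.$b";
    if ($expectedAlg === JWT_ALG_HS256) {
        $ok = hash_equals(hash_hmac('sha256', $signingInput, $keyMaterial, true), $sig);
    } elseif ($expectedAlg === JWT_ALG_RS256) {
        $pub = openssl_pkey_get_public($keyMaterial);
        $ok  = $pub !== false && openssl_verify($signingInput, $sig, $pub, OPENSSL_ALGO_SHA256) === 1;
    } else {
        return null;                                  // unsupported algorithm
    }
    if (!$ok) {
        return null;
    }
    $now ??= time();
    if ((isset($payload['exp']) && $now >= (int)$payload['exp'])
        || (isset($payload['nbf']) && $now < (int)$payload['nbf'])) {
        return null;                                  // expired or not yet valid
    }
    return $payload;
}

// Demo with a constructed secret.
$secret = bin2hex(random_bytes(32));
$token  = jwt_sign_hs256($secret, ['sub' => 'user-42', 'role' => 'reader']);
var_dump(jwt_verify($token, $secret, JWT_ALG_HS256)['sub']);   // string(7) "user-42"

// Forgery attempt: same claims, header alg=none, empty signature. Rejected.
[$h, $b] = explode('.', $token);
$forged = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'none'])) . ".$b.";
var_dump(jwt_verify($forged, $secret, JWT_ALG_HS256));         // NULL
```

The shape of the API matters: getJWTAlgorithm is fine for routing a token to the right key store, but the algorithm passed to the verifier must come from configuration, and a verifier that accepts whatever alg the header names (the behaviour a null $alg invites) should be treated as a bug.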

at line 754
bool isValidUUID(string $uuid)

Check if this looks like a valid uuid (32 chars, hex only)

Parameters

string $uuid

Return Value

bool

at line 462
iv_decrypt()

No description

at line 458
iv_encrypt($string)

No description

Parameters

$string

at line 143
string sanitizeHtmlToMarkdown(string $htmlString, bool $allowImages = true, bool $allowHTML = false, bool $allowMentions = true)

Sanitize/Convert HTML to Markdown

Parameters

string $htmlString
bool $allowImages

Specify if images are expected to be allowed

bool $allowHTML

Whether HTML artifacts may remain; should only be true for editor content

bool $allowMentions

Whether mentions are expected; mentions are converted to JSON

Return Value

string Markdown

at line 671
void sendCommonSecurityHeaders()

This function automatically sends the common security headers that apply, based on the configuration and the currently known environment

Return Value

void

at line 694
sendContentSecurityPolicyHeader()

Send CSP Header

at line 642
bool sendContentSecurityPolicyHeaderForUserUpload(string $fileExtension = null)

Sends CSP headers for files that are user uploads, to prevent persistent XSS when users upload active content. The headers sent depend on the file type and the system configuration.

Parameters

string $fileExtension

(e.g. pdf or .pdf)

Return Value

bool

at line 740
void sendStrictTransportSecurityHeader()

The Strict-Transport-Security header tells the browser to always access this site via HTTPS

Return Value

void
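As an added example (not the Sec class's own code), the header logic that sendCommonSecurityHeaders, sendStrictTransportSecurityHeader and sendContentSecurityPolicyHeaderForUserUpload describe, in plain PHP. The concrete policy strings, the extension list and the rule that HSTS is only emitted on an HTTPS response are assumptions about a sensible configuration; the page says only that the headers depend on file type and configuration.

```php
<?php
// Added example, not the Sec class's code: baseline headers for every response
// and a stricter set for serving user uploads, chosen by file extension. The
// policies and extension lists are assumptions.
declare(strict_types=1);

function common_security_headers(bool $isHttps): array
{
    $headers = [
        'X-Content-Type-Options' => 'nosniff',      // browser must honour Content-Type
        'X-Frame-Options'        => 'DENY',         // no framing: clickjacking
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
    ];
    if ($isHttps) {
        // HSTS only makes sense on an https response; once sent with a long
        // max-age, every subdomain it covers must keep working over TLS.
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

/**
 * Headers for a user-supplied file. HTML, SVG, XML and PDF are active content:
 * a CSP with no script source plus the sandbox directive neutralises a stored
 * XSS payload even when the browser renders the file inline. Anything else is
 * forced to download so the browser never interprets it as a document.
 */
function upload_headers(?string $fileExtension): array
{
    $ext = strtolower(ltrim((string)$fileExtension, '.'));   // accepts "pdf" or ".pdf"
    $renderable = ['html', 'htm', 'xhtml', 'svg', 'xml', 'pdf'];
    $headers = ['X-Content-Type-Options' => 'nosniff'];
    if (in_array($ext, $renderable, true)) {
        $headers['Content-Security-Policy'] = "default-src 'none'; sandbox";
    } else {
        $headers['Content-Disposition'] = 'attachment';
    }
    return $headers;
}

/** Emits the headers. On the CLI header() is a no-op, hence the inspectable arrays above. */
function send_headers(array $headers): void
{
    foreach ($headers as $name => $value) {
        header($name . ': ' . $value);
    }
}

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
send_headers(common_security_headers($isHttps));
send_headers(upload_headers('.svg'));
print_r(upload_headers('svg'));   // nosniff + sandboxed CSP
print_r(upload_headers('zip'));   // nosniff + Content-Disposition: attachment
```

The pairing of nosniff with the per-file policy is deliberate: without X-Content-Type-Options a browser may sniff a disguised upload into a document type the CSP was never written for. Serving uploads from a separate origin is the stronger control where the deployment allows it, and the headers above are then defence in depth rather than the only barrier.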