
TL;DR: I want to enable database logging of xss_clean() when it replaces evil data.


I want to enable database logging of the xss_clean() function in Security.php. Basically, what I want is to know whether the input I'm feeding xss_clean() was identified as containing malicious data that was filtered out or not.

So basically:

```php
$str = '<script>alert();</script>';
$str = xss_clean($str);
```

What would happen ideally for me is:

  1. Clean the string from XSS
  2. Return the clean $str
  3. Input information about the evil data (and eventually the logged in user) to the database

As far as I can see in the Security.php file there is nothing that takes care of this for me, or something that COULD do so by hooks etc. I might be mistaken of course.

Since there is no logging of how many replacements were made in Security.php, am I forced to extend Security.php, copy-pasting the current code of the original function and altering it to support this? Or is there a solution that is cleaner and safer for future updates of CodeIgniter (especially for the files being tampered with/extended)?

Tobias

1 Answer


You would need to extend the Security class, but there is absolutely no need to copy and paste any code if all you need is a log of the input/output. Something along the lines of the following would allow you to do so:

```php
class My_Security extends CI_Security {

    public function xss_clean($str, $is_image = FALSE) {
        // Do whatever you need here with the input ... ($str, $is_image)

        $str = parent::xss_clean($str, $is_image);

        // Do whatever you need here with the output ... ($str)

        return $str;
    }

}
```

That way, you are just wrapping the existing function and messing with the input/output. You could be more forward compatible by using the PHP function get_args to transparently pass around the arguments object, if you were concerned about changes to the underlying method.

beseku
Ok, that solved half of my problem. Right now I'm trying to figure out how to actually load a model of mine. Is that the right thing to do here? I've tried to do `$this->load = load_class('Loader', 'core');` and then doing `$this->load->model('users_model');` but I get a whitescreen at `$this->load->model();` – Tobias Jul 06 '11 at 20:09
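A fuller version of the wrapper from the answer, written here as an added example rather than code from the answerer or from CodeIgniter. It assumes CodeIgniter 2.x with the default `MY_` subclass prefix (so the file lives at `application/core/MY_Security.php`) and a hypothetical `xss_log` table; it reaches the database through `get_instance()` instead of constructing a second Loader, which is what produces the white screen mentioned in the comment.

```php
<?php
// application/core/MY_Security.php (added example; assumes CodeIgniter 2.x,
// subclass_prefix 'MY_', and a hypothetical table
// xss_log(user_id, uri, ip, original, cleaned, created_at)).
class MY_Security extends CI_Security {

    public function xss_clean($str, $is_image = FALSE)
    {
        // Pass every argument through untouched (func_get_args) so a later
        // change to the parent's signature needs no rewrite here.
        // The 'parent::method' callable string is deprecated as of PHP 8.2.
        $clean = call_user_func_array('parent::xss_clean', func_get_args());

        // xss_clean() exposes no replacement count; from outside, the only
        // signal is that output differs from input. Plain normalisation
        // (entity decoding, stripped invisible characters) also changes the
        // string, so log this as "altered", not as proof of an attack.
        if ($clean !== $str) {
            $this->_log_xss_event($str, $clean);
        }

        return $clean;
    }

    protected function _log_xss_event($original, $cleaned)
    {
        $orig_s  = is_array($original) ? json_encode($original) : $original;
        $clean_s = is_array($cleaned)  ? json_encode($cleaned)  : $cleaned;

        // With global_xss_filtering on, Input calls xss_clean() before the
        // controller (the CI super object) exists. Do not try to build a
        // Loader here; fall back to CodeIgniter's file log instead.
        $CI =& get_instance();
        if ($CI === NULL) {
            log_message('error', 'xss_clean altered input before controller init: '
                . substr($orig_s, 0, 200));
            return;
        }

        $CI->load->database();
        $CI->db->insert('xss_log', array(
            'user_id'    => isset($CI->session) ? ($CI->session->userdata('user_id') ?: NULL) : NULL,
            'uri'        => $CI->uri->uri_string(),
            'ip'         => $CI->input->ip_address(),
            'original'   => $orig_s,
            'cleaned'    => $clean_s,
            'created_at' => date('Y-m-d H:i:s'),
        ));
    }
}
```

If you also want a model rather than raw `$CI->db` calls, load it through the same super object (`$CI->load->model('users_model')`) inside `_log_xss_event()`, after the `$CI === NULL` guard.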