author | Andrey Andreev <narf@devilix.net> | 2016-03-07 09:52:15 +0100 |
committer | Andrey Andreev <narf@devilix.net> | 2016-03-07 09:52:15 +0100 |
commit | 3c0d8da56b8535bb3ab563256e221c81a4a96e4a (patch) | |
tree | 9311d70eb4dda8a29391eb3261de50693fec9688 | |
parent | 8108b612fb80327215ae66b53c75c158d6f07e62 (diff) |
Fix #4475
-rw-r--r-- | system/core/Security.php | 9 | ||||
-rw-r--r-- | tests/codeigniter/core/Security_test.php | 6 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
3 files changed, 13 insertions, 3 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index bad511dd3..d5305d1ca 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -762,7 +762,14 @@ class CI_Security {
 */
 public function strip_image_tags($str)
 {
- return preg_replace(array('#<img[\s/]+.*?src\s*=\s*["\'](.+?)["\'].*?\>#', '#<img[\s/]+.*?src\s*=\s*(.+?).*?\>#'), '\\1', $str);
+ return preg_replace(
+ array(
+ '#<img[\s/]+.*?src\s*=\s*(["\'])([^\\1]+?)\\1.*?\>#i',
+ '#<img[\s/]+.*?src\s*=\s*?(([^\s"\'=<>`]+)).*?\>#i'
+ ),
+ '\\2',
+ $str
+ );
 }
 // ----------------------------------------------------------------
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 2ef822863..8328c37cb 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -299,7 +299,8 @@ class Security_test extends CI_TestCase {
 '<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />',
 '<img sqrc="/img/sunset.gif" height="100%" width="100%">',
 '<img srqc="/img/sunset.gif" height="100%" width="100%">',
- '<img srcq="/img/sunset.gif" height="100%" width="100%">'
+ '<img srcq="/img/sunset.gif" height="100%" width="100%">',
+ '<img src=non-quoted.attribute foo="bar">'
 );
 $urls = array(
@@ -310,7 +311,8 @@ class Security_test extends CI_TestCase {
 'mdn-logo-sm.png',
 '<img sqrc="/img/sunset.gif" height="100%" width="100%">',
 '<img srqc="/img/sunset.gif" height="100%" width="100%">',
- '<img srcq="/img/sunset.gif" height="100%" width="100%">'
+ '<img srcq="/img/sunset.gif" height="100%" width="100%">',
+ 'non-quoted.attribute'
 );
 for ($i = 0; $i < count($imgtags); $i++)
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index d963b57dc..12d1fc4a3 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
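Review bot: `[^\\1]` in the first pattern of `strip_image_tags()` is not the negated back-reference it reads as: inside a character class PCRE treats `\1` as an octal escape, so the class means "any character except U+0001", and the pattern only does the right thing because the lazy quantifier stops at the first closing quote consumed by the real `\\1` that follows it. Writing the group as `(.+?)` states the intent honestly, e.g. `'#<img[\s/]+.*?src\s*=\s*(["\'])(.+?)\\1.*?\>#i',`; the one behavioural difference is that `.` does not cross a newline without the `s` modifier, which the neighbouring `.*?` already cannot do either, so multi-line tags are left untouched by both versions. The doubled group in the second pattern, `(([^\s"\'=<>`]+))`, exists only so that the single `'\\2'` replacement is valid for both patterns and deserves a comment such as `// inner group duplicated so both patterns share the '\\2' replacement`. The function's docblock ends just above the hunk; a sentence there noting that only the attribute value is kept, unescaped, would tell callers what they still have to validate.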
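Review bot: The new fixture in the first test hunk covers only the unquoted-`src` case, while the rewritten patterns change two further behaviours that nothing in `$imgtags` pins down: the added `i` modifier (an upper-case `<IMG SRC=...>` presumably matches now) and the back-reference that ties the closing quote to the opening one (single-quoted `src='...'`). Adding, say, a constructed `"<IMG SRC='/img/a.png'>"` to `$imgtags` with `'/img/a.png'` in `$urls` would lock the regex rewrite in; the second hunk at `@@ -310` has to grow in step because the two arrays are consumed by index in the `for` loop that begins on the hunk's last line and continues outside it. Given that coupling, one `array($tag => $expected)` map iterated with `foreach` would make the pairing visible at a glance, though that is a style point rather than a defect.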
@@ -38,6 +38,7 @@ Bug fixes for 3.0.5
 - Fixed a bug (#4491) - :doc:`Session Library <libraries/sessions>` didn't clean-up internal variables for emulated locks with the 'redis' driver.
 - Fixed a bug where :doc:`Session Library <libraries/sessions>` didn't clean-up internal variables for emulated locks with the 'memcached' driver.
 - Fixed a bug where :doc:`Database <database/index>` transactions didn't work with the 'ibase' driver.
+- Fixed a bug (#4475) - :doc:`Security Library <libraries/security>` method ``strip_image_tags()`` preserves only the first URL character from non-quoted *src* attributes.
 Version 3.0.4
 ============= |