summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2016-03-07 09:52:15 +0100
committerAndrey Andreev <narf@devilix.net>2016-03-07 09:52:15 +0100
commit3c0d8da56b8535bb3ab563256e221c81a4a96e4a (patch)
tree9311d70eb4dda8a29391eb3261de50693fec9688
parent8108b612fb80327215ae66b53c75c158d6f07e62 (diff)
Fix #4475
-rw-r--r--system/core/Security.php9
-rw-r--r--tests/codeigniter/core/Security_test.php6
-rw-r--r--user_guide_src/source/changelog.rst1
3 files changed, 13 insertions, 3 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index bad511dd3..d5305d1ca 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -762,7 +762,14 @@ class CI_Security {
*/
public function strip_image_tags($str)
{
- return preg_replace(array('#<img[\s/]+.*?src\s*=\s*["\'](.+?)["\'].*?\>#', '#<img[\s/]+.*?src\s*=\s*(.+?).*?\>#'), '\\1', $str);
+ return preg_replace(
+ array(
+ '#<img[\s/]+.*?src\s*=\s*(["\'])([^\\1]+?)\\1.*?\>#i',
+ '#<img[\s/]+.*?src\s*=\s*?(([^\s"\'=<>`]+)).*?\>#i'
+ ),
+ '\\2',
+ $str
+ );
}
// ----------------------------------------------------------------
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 2ef822863..8328c37cb 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -299,7 +299,8 @@ class Security_test extends CI_TestCase {
'<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />',
'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
'<img srqc="/img/sunset.gif" height="100%" width="100%">',
- '<img srcq="/img/sunset.gif" height="100%" width="100%">'
+ '<img srcq="/img/sunset.gif" height="100%" width="100%">',
+ '<img src=non-quoted.attribute foo="bar">'
);
$urls = array(
@@ -310,7 +311,8 @@ class Security_test extends CI_TestCase {
'mdn-logo-sm.png',
'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
'<img srqc="/img/sunset.gif" height="100%" width="100%">',
- '<img srcq="/img/sunset.gif" height="100%" width="100%">'
+ '<img srcq="/img/sunset.gif" height="100%" width="100%">',
+ 'non-quoted.attribute'
);
for ($i = 0; $i < count($imgtags); $i++)
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index d963b57dc..12d1fc4a3 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -38,6 +38,7 @@ Bug fixes for 3.0.5
- Fixed a bug (#4491) - :doc:`Session Library <libraries/sessions>` didn't clean-up internal variables for emulated locks with the 'redis' driver.
- Fixed a bug where :doc:`Session Library <libraries/sessions>` didn't clean-up internal variables for emulated locks with the 'memcached' driver.
- Fixed a bug where :doc:`Database <database/index>` transactions didn't work with the 'ibase' driver.
+- Fixed a bug (#4475) - :doc:`Security Library <libraries/security>` method ``strip_image_tags()`` preserves only the first URL character from non-quoted *src* attributes.
Version 3.0.4
=============