diff options
author | Derek Jones <derek.jones@ellislab.com> | 2008-05-13 16:46:38 +0200 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2008-05-13 16:46:38 +0200 |
commit | 000ab69f536420a0214e4d8d15898bcacf918ece (patch) | |
tree | d70f5a8b28875d6dea9603b0857f19fb8f8423bf | |
parent | e3332b0ab5dfcc42994fe4c2c1827f4e41f35c7b (diff) |
Hey you! Yeah, you, that other set of hardcoded arrays in xss_clean(). You're coming with me, pal!
-rw-r--r-- | system/libraries/Input.php | 24 |
1 files changed, 3 insertions, 21 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php index c86a3cec0..ec06101e6 100644 --- a/system/libraries/Input.php +++ b/system/libraries/Input.php @@ -801,30 +801,12 @@ class CI_Input { * something got through the above filters
*
*/
- $bad = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '<!--',
- '-->' => '-->',
- '<![CDATA[' => '<![CDATA['
- );
-
- foreach ($bad as $key => $val)
+ foreach ($this->never_allowed_str as $key => $val)
{
$str = str_replace($key, $val, $str);
}
-
- $bad = array(
- "javascript\s*:" => '[removed]',
- "expression\s*\(" => '[removed]', // CSS and IE
- "Redirect\s+302" => '[removed]'
- );
-
- foreach ($bad as $key => $val)
+
+ foreach ($this->never_allowed_regex as $key => $val)
{
$str = preg_replace("#".$key."#i", $val, $str);
}
|