authorDerek Jones <derek.jones@ellislab.com>2008-05-13 16:46:38 +0200
committerDerek Jones <derek.jones@ellislab.com>2008-05-13 16:46:38 +0200
commit000ab69f536420a0214e4d8d15898bcacf918ece (patch)
treed70f5a8b28875d6dea9603b0857f19fb8f8423bf
parente3332b0ab5dfcc42994fe4c2c1827f4e41f35c7b (diff)
Hey you! Yeah, you, that other set of hardcoded arrays in xss_clean(). You're coming with me, pal!
-rw-r--r--system/libraries/Input.php24
1 files changed, 3 insertions, 21 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index c86a3cec0..ec06101e6 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -801,30 +801,12 @@ class CI_Input {
* something got through the above filters
*
*/
- $bad = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '&lt;!--',
- '-->' => '--&gt;',
- '<![CDATA[' => '&lt;![CDATA['
- );
-
- foreach ($bad as $key => $val)
+ foreach ($this->never_allowed_str as $key => $val)
{
$str = str_replace($key, $val, $str);
}
-
- $bad = array(
- "javascript\s*:" => '[removed]',
- "expression\s*\(" => '[removed]', // CSS and IE
- "Redirect\s+302" => '[removed]'
- );
-
- foreach ($bad as $key => $val)
+
+ foreach ($this->never_allowed_regex as $key => $val)
{
$str = preg_replace("#".$key."#i", $val, $str);
}
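Review bot: The `preg_replace("#".$key."#i", $val, $str)` line now takes its patterns from `$this->never_allowed_regex`, but the keys are still interpolated as bare PCRE bodies inside a `#` delimiter, so an entry that ever contains `#` (or a delimiter-breaking sequence) would silently change the pattern rather than fail; since the list has moved away from the call site, that constraint is easy to lose. I would record it where the loop runs, e.g. `// keys of never_allowed_regex are PCRE bodies used with the '#' delimiter and 'i' flag; they must not contain an unescaped '#'`, and likewise at the property definition if it is documented there. The comment block above the loops still says "something got through the above filters" without saying the lists live in `never_allowed_str` / `never_allowed_regex`; a one-line pointer there would help maintainers find where to extend them. Both property definitions and the enclosing method's start and end are outside this hunk, so whether they are initialised before this code runs cannot be confirmed from here.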