author | paulburdick <devnull@localhost> | 2007-06-28 00:58:24 +0200 |
---|---|---|
committer | paulburdick <devnull@localhost> | 2007-06-28 00:58:24 +0200 |
commit | 391eb03004deee85b9b0e978982950723b9742b5 (patch) | |
tree | b38e7b62506a20de8f406cb5810d636478bdcb05 | |
parent | b614d392ccafd1decadbdc11afd7c0dcc4baec34 (diff) |
Improved XSS clean to not allow this:
xss_clean("<x<xss>ss <scr<xss>ipt a='>'>alert/**/('!');//*/</script</script >>");
-rw-r--r-- | system/libraries/Input.php | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 51d4ed288..f9d23ae79 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -588,10 +588,18 @@ class CI_Input {
 /*
* Remove disallowed Javascript in links or img tags
- */
- $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
- $str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);
- $str = preg_replace("#<(script|xss).*?\>#si", "", $str);
+ */
+ do
+ {
+ $original = $str;
+
+ $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
+ $str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);
+ $str = preg_replace("#</*(script|xss).*?\>#si", "", $str);
+ }
+ while($original != $str);
+
+ unset($original);
/*
* Remove JavaScript Event Handlers