author | Andrey Andreev <narf@devilix.net> | 2014-01-07 11:45:27 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-01-07 11:45:27 +0100 |
commit | 1bbc5644b0c306ff72dc1228b169db56902fc031 (patch) | |
tree | 2741549bddcfec682d6e05f402f825c1d3fa1c61 | |
parent | dc53d7b68adc6fdc8d0917ee2d29f5670ff82b45 (diff) |
Fix #2268 (manually implementing PR #2269)
-rw-r--r-- | system/core/Security.php | 6 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 1 |
2 files changed, 4 insertions, 3 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 9423f825c..0944fef92 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -117,7 +117,6 @@ class CI_Security {
 'document.write' => '[removed]',
 '.parentNode' => '[removed]',
 '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
 '-moz-binding' => '[removed]',
 '<!--' => '<!--',
 '-->' => '-->',
@@ -132,6 +131,7 @@ class CI_Security {
 */
 protected $_never_allowed_regex = array(
 'javascript\s*:',
+ '(document|(document\.)?window)\.(location|on\w*)',
 'expression\s*(\(|&\#40;)', // CSS and IE
 'vbscript\s*:', // IE, surprise!
 'Redirect\s+302',
@@ -648,8 +648,8 @@ class CI_Security {
 */
 protected function _remove_evil_attributes($str, $is_image)
 {
- // All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
- $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
+ // Formaction, style, and xmlns
+ $evil_attributes = array('style', 'xmlns', 'formaction');

 if ($is_image === TRUE)
 {
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 27031b941..892bbfbdf 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -636,6 +636,7 @@ Bug fixes for 3.0
 - Fixed a bug (#2756) - :doc:`Database Class <database/index>` executed the MySQL-specific `SET SESSION sql_mode` query for all drivers when the 'stricton' option is set.
 - Fixed a bug (#2579) - :doc:`Query Builder <database/query_builder>`s "no escape" functionality didn't work properly with query cache.
 - Fixed a bug (#2237) - :doc:`Parser Library <libraries/parser>` failed if the same tag pair is used more than once within a template.
+- Fixed a bug (#2268) - :doc:`Security Library <libraries/security>` didn't properly match JavaScript events.

 Version 2.1.4
 ============= |
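Review bot: The new `$_never_allowed_regex` entry `(document|(document\.)?window)\.(location|on\w*)` only catches a dotted property access on `window` or `document`, so `self.location`, `top.location`, `parent.location`, a bare `location = …`, and bracket forms such as `window['location']` all pass untouched; this is a narrower denylist than the literal `'window.location'` string it replaces was meant to be, not a general fix for location-based redirects. If the named aliases are in scope, `'(?:document|(?:document\.)?(?:window|self|top|parent))\.(?:location|on\w+)'` covers them, and `on\w+` avoids matching a dangling `window.on`. The surrounding entries carry a trailing comment, so this one should too, e.g. `// window.location / document.onX style property access`. The method that consumes this array is outside the hunk, so whether it is applied case-insensitively cannot be confirmed from here.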
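Review bot: Dropping `'on\w*'` from `$evil_attributes` in `_remove_evil_attributes()` means inline event-handler attributes such as `onerror="…"` or `onload="…"` are no longer stripped from tags, and the regex added to `$_never_allowed_regex` earlier in this diff matches only the `window.onX`/`document.onX` property-access form in script text, not an HTML attribute. Unless a pass of xss_clean() that is not visible here removes them, `<img src=x onerror="…">` now survives with its handler intact, which is a regression relative to the removed comment's stated coverage of onload/onclick/onmouseover. If the goal of #2268 was to stop the pattern from eating legitimate attribute names that merely contain "on", keep the entry as `$evil_attributes = array('on\w+', 'style', 'xmlns', 'formaction');` and anchor the attribute-name alternation (e.g. with a `(?<!\w)` lookbehind) where this list is consumed, rather than deleting it. The preg_replace that consumes `$evil_attributes` lies outside the hunk, so its exact form cannot be checked from here.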