authorAndrey Andreev <narf@devilix.net>2016-10-28 16:46:31 +0200
committerAndrey Andreev <narf@devilix.net>2016-10-28 16:46:31 +0200
commit57fa143448577b670d8dd0e02b6e4cf31c4a7cff (patch)
tree32599fec5bf13cc84b61a065e12c02de4a4227f8
parente02ebabb19242e1cfc6b37217bc799ff7591e941 (diff)
[ci skip] xss_clean() hardening
- percent-sign tag (IE) - data: URI scheme including whitespace (Chrome)
-rw-r--r--system/core/Security.php21
-rw-r--r--user_guide_src/source/changelog.rst2
2 files changed, 12 insertions, 11 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index b9160a252..d0308c5f9 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -133,15 +133,16 @@ class CI_Security {
* @var array
*/
protected $_never_allowed_str = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '&lt;!--',
- '-->' => '--&gt;',
- '<![CDATA[' => '&lt;![CDATA[',
- '<comment>' => '&lt;comment&gt;'
+ 'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
+ '.parentNode' => '[removed]',
+ '.innerHTML' => '[removed]',
+ '-moz-binding' => '[removed]',
+ '<!--' => '&lt;!--',
+ '-->' => '--&gt;',
+ '<![CDATA[' => '&lt;![CDATA[',
+ '<comment>' => '&lt;comment&gt;',
+ '<%' => '&lt;&#37;'
);
/**
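Review bot: The new `'<%' => '&lt;&#37;'` entry is the only item in `$_never_allowed_str` whose motivation is not self-evident from the string itself, and the hunk adds no comment explaining it; the commit message (IE percent-sign tag) is the only record. A one-line comment above the entry, e.g. `// IE treats <% ... %> as a scripting tag; neutralise the opener`, would keep that reasoning with the code. The entry also encodes `%` as `&#37;` while the neighbouring `<!--`/`<![CDATA[` entries escape only the angle bracket; if that difference is deliberate, the same comment should say so. The property's `@var array` docblock could likewise state that keys are literal substrings and values their replacements.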
@@ -924,7 +925,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
+ '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
'',
$this->_filter_attributes($match[1])
),
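Review bot: The whitespace-tolerant spelling `d\s*a\s*t\s*a\s*:` is applied only to the `data:` scheme, while `javascript:`, `livescript:` and `mocha:` in the same alternation keep their literal form; if the browser behaviour that motivated this change is not specific to `data:`, those alternatives will need the same treatment, and if it is, a comment should record that so the asymmetry is not read as an oversight. Either way the new pattern deserves a why-comment next to it, e.g. `// some browsers ignore whitespace inside the 'data:' scheme, so match its letters individually`. The enclosing method begins and ends outside this hunk, so the filter's call context cannot be checked here.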
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4be0b31d3..2482c493c 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -9,7 +9,7 @@ Release Date: Not Released
- **Security**
- - Fixed a new URL-encoding attack vector in :doc:`Security Library <libraries/security>` method ``xss_clean()`` affecting Firefox.
+ - Fixed a number of new vulnerabilities in :doc:`Security Library <libraries/security>` method ``xss_clean()``.
- General Changes