diff options
author | Andrey Andreev <narf@devilix.net> | 2015-09-10 11:44:50 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2015-09-10 11:44:50 +0200 |
commit | 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 (patch) | |
tree | 52ba9b618fa82bcd2ceb29e3eb362e8df17d304d | |
parent | e70238e8acd4ebdf1a3e30d63e8ffb1a46ab6d15 (diff) |
Fix #4106
-rw-r--r-- | system/core/Security.php | 4 | ||||
-rw-r--r-- | tests/codeigniter/core/Security_test.php | 8 |
2 files changed, 10 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 7c5199255..8ca66d297 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -787,11 +787,11 @@ class CI_Security { $count = $temp_count = 0; // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', '$1[removed]', $str, -1, $temp_count); + $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\4]*?)(\\4)/is', '<$1[removed]', $str, -1, $temp_count); $count += $temp_count; // find occurrences of illegal attribute strings without quotes - $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '$1[removed]', $str, -1, $temp_count); + $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '<$1[removed]', $str, -1, $temp_count); $count += $temp_count; } while ($count); diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index bab76dffb..52bb296ad 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -146,6 +146,14 @@ class Security_test extends CI_TestCase { $this->assertEquals('onNoTagAtAll = true', $this->security->remove_evil_attributes('onNoTagAtAll = true', FALSE)); $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE)); $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE)); + $this->assertEquals( + '<foo bar=">" baz=\'\' [removed]>', + $this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan="quotes">', FALSE) + ); + $this->assertEquals( + '<foo bar=">" baz=\'\'[removed]>', + $this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan=noQuotes>', FALSE) + ); } // -------------------------------------------------------------------- |