author | Documentopia.com <coding@documentopia.com> | 2014-05-06 22:26:26 +0200 |
---|---|---|
committer | Documentopia.com <coding@documentopia.com> | 2014-05-06 22:26:26 +0200 |
commit | 945784173ea4dba58da528bebc53b3a24b82928f (patch) | |
tree | e06c394402a625750b332555165d1e081c026c2d | |
parent | 4e4f2f596700e6892b31b8b6ce987b2511a3cd98 (diff) |
xss_clean is not protecting GET requests that &item=/startwithslash
/webacd.do?isurlact=true&entactname=/webacd.do
becomes
/webacd.do?isurlact=true&entactname;=/webacd.do
This commit adds / to the regex so it will escape those GET requests
related to issue #3030
-rwxr-xr-x[-rw-r--r--] | system/core/Security.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 17ba3bcd8..c9258b063 100644..100755 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -862,7 +862,7 @@ class CI_Security { */ // 901119URL5918AMP18930PROTECT8198 - $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash().'\\1=\\2', $str); + $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-/]+)|i', $this->xss_hash().'\\1=\\2', $str); /* * Validate standard character entities |
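Review bot: In the changed preg_replace line, adding `/` to the second character class (`[a-z\_0-9\-/]`) only covers values that begin with a slash. That group still requires one or more characters from the class, so a parameter whose value starts with any other character outside it (for example `.` or `%`), or whose value is empty, will still fail to match and its `&name=` will not get the xss_hash() substitution. Since the replacement only needs to protect the `&name=` part, consider making the value group optional, or matching just `\&([a-z\_0-9\-]+)\=`, rather than widening the class one character at a time. The diff also changes the mode of system/core/Security.php from 100644 to 100755, which looks unrelated to the fix and should be dropped. A test case for the `entactname=/webacd.do` input from the commit message would guard against a regression.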