diff options
author | Andrey Andreev <narf@devilix.net> | 2014-01-22 12:26:00 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-01-22 12:26:00 +0100 |
commit | c67c3fbb8e16b1ffb79c72bb91db04fcb005b2b1 (patch) | |
tree | 164976f99b4ec312c8442ac0f33747b3593115b8 | |
parent | 4356806dc0298363217694d727db9cad84a073e0 (diff) |
CI_Security::_decode_entity() to replace dangerous HTML5 entities
Related to issue #2771
-rw-r--r-- | system/core/Security.php | 20 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 3 |
2 files changed, 21 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index eb2695801..d6356f869 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -62,6 +62,17 @@ class CI_Security { ); /** + * HTML5 entities + * + * @var array + */ + public $html5_entities = array( + ':' => ':', + '(' => '(', + ')' => ')' + ); + + /** * XSS Hash * * Random Hash for protecting URLs. @@ -810,7 +821,14 @@ class CI_Security { */ protected function _decode_entity($match) { - return $this->entity_decode($match[0], strtoupper(config_item('charset'))); + // entity_decode() won't convert dangerous HTML5 entities + // (it could, but ENT_HTML5 is only available since PHP 5.4), + // so we'll do that here + return str_ireplace( + array_keys($this->html5_entities), + array_values($this->html5_entities), + $this->entity_decode($match[0], strtoupper(config_item('charset'))) + ); } // -------------------------------------------------------------------- diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index ae2900761..513050159 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -685,7 +685,8 @@ Bug fixes for 3.0 - Fixed a bug where :doc:`User Agent Library <libraries/user_agent>` methods ``accept_charset()`` and ``accept_lang()`` didn't properly parse HTTP headers that contain spaces. - Fixed a bug where *default_controller* was called instad of triggering a 404 error if the current route is in a controller directory. - Fixed a bug (#2737) - :doc:`XML-RPC Library <libraries/xmlrpc>` used objects as array keys, which triggered E_NOTICE messages. -- Fixed a bug (#2729) - ``CI_Securty::_validate_entities()`` used overly-intrusive ``preg_replace()`` patterns that produced false-positives. +- Fixed a bug (#2729) - ``CI_Security::_validate_entities()`` used overly-intrusive ``preg_replace()`` patterns that produced false-positives. +- Fixed a bug (#2771) - ``CI_Security::xss_clean()`` didn't take into account HTML5 entities. Version 2.1.4 ============= |