summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2015-10-02 15:44:05 +0200
committerAndrey Andreev <narf@devilix.net>2015-10-02 15:44:05 +0200
commit249580e711d42fe966e52d7bcc0f349ba99a94a3 (patch)
tree7c323912f4e7c38c546219fe21e0839dfac7519b
parentf084acf240253f396d4a9787fed93a13d5771f46 (diff)
More XSS stuff
-rw-r--r--system/core/Security.php2
-rw-r--r--tests/codeigniter/core/Security_test.php7
2 files changed, 7 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 0cae23a79..27471d98e 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -808,7 +808,7 @@ class CI_Security {
.'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons
.'(?<name>[^\s\042\047>/=]+)' // attribute characters
// optional attribute-value
- .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator
+ .'(?:\s*=(?:[^\s\042\047=><`]+|\s*\042[^\042]+\042|\s*\047[^\047]+\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator
.'#i';
if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index ca111c3bf..b093393af 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -162,7 +162,7 @@ class Security_test extends CI_TestCase {
{
$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">'));
$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
- $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
+ $this->assertEquals('<foo [removed]bar>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
$this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">'));
$this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>'));
$this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
@@ -207,6 +207,11 @@ class Security_test extends CI_TestCase {
'<image src="<>" [removed]>',
$this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
);
+
+ $this->assertEquals(
+ '<b "=<= [removed]>',
+ $this->security->xss_clean('<b "=<= onmouseover=alert(1)>')
+ );
}
// --------------------------------------------------------------------