summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2015-09-10 11:44:50 +0200
committerAndrey Andreev <narf@devilix.net>2015-09-10 11:44:50 +0200
commit700619cebf75c4e4fcda6a2d7bea1afb84a029e4 (patch)
tree52ba9b618fa82bcd2ceb29e3eb362e8df17d304d
parente70238e8acd4ebdf1a3e30d63e8ffb1a46ab6d15 (diff)
Fix #4106
-rw-r--r--system/core/Security.php4
-rw-r--r--tests/codeigniter/core/Security_test.php8
2 files changed, 10 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 7c5199255..8ca66d297 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -787,11 +787,11 @@ class CI_Security {
$count = $temp_count = 0;
// replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
- $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', '$1[removed]', $str, -1, $temp_count);
+ $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\4]*?)(\\4)/is', '<$1[removed]', $str, -1, $temp_count);
$count += $temp_count;
// find occurrences of illegal attribute strings without quotes
- $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '$1[removed]', $str, -1, $temp_count);
+ $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '<$1[removed]', $str, -1, $temp_count);
$count += $temp_count;
}
while ($count);
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index bab76dffb..52bb296ad 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -146,6 +146,14 @@ class Security_test extends CI_TestCase {
$this->assertEquals('onNoTagAtAll = true', $this->security->remove_evil_attributes('onNoTagAtAll = true', FALSE));
$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE));
$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE));
+ $this->assertEquals(
+ '<foo bar=">" baz=\'\' [removed]>',
+ $this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan="quotes">', FALSE)
+ );
+ $this->assertEquals(
+ '<foo bar=">" baz=\'\'[removed]>',
+ $this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan=noQuotes>', FALSE)
+ );
}
// --------------------------------------------------------------------