Move _remove_evil_attributes() call

2 files changed, 17 insertions, 4 deletions

diff --git a/system/core/Security.php b/system/core/Security.php
index ade77491d..dd3b2c8f0 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -480,12 +480,8 @@ class CI_Security {
 			}
 		}
 		while ($original !== $str);
-
 		unset($original);
 
-		// Remove evil attributes such as style, onclick and xmlns
-		$str = $this->_remove_evil_attributes($str, $is_image);
-
 		/*
 		 * Sanitize naughty HTML elements
 		 *
@@ -518,6 +514,9 @@ class CI_Security {
 		while ($old_str !== $str);
 		unset($old_str);
 
+		// Remove evil attributes such as style, onclick and xmlns
+		$str = $this->_remove_evil_attributes($str, $is_image);
+
 		/*
 		 * Sanitize naughty scripting elements
 		 *
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 9437ececc..2e9cd01c4 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -178,6 +178,20 @@ class Security_test extends CI_TestCase {
 
 	// --------------------------------------------------------------------
 
+	/**
+	 * @depends test_xss_clean_sanitize_naughty_html
+	 * @depends test_remove_evil_attributes
+	 */
+	public function test_naughty_html_plus_evil_attributes()
+	{
+		$this->assertEquals(
+			'&lt;svg<img &gt; src="x" [removed]>',
+			$this->security->xss_clean('<svg<img > src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">')
+		);
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_xss_hash()
 	{
 		$this->assertEmpty($this->security->xss_hash);