diff options
| author | Andrey Andreev <narf@devilix.net> | 2015-10-02 15:44:05 +0200 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2015-10-02 15:44:05 +0200 |
| commit | 249580e711d42fe966e52d7bcc0f349ba99a94a3 (patch) | |
| tree | 7c323912f4e7c38c546219fe21e0839dfac7519b | |
| parent | f084acf240253f396d4a9787fed93a13d5771f46 (diff) | |
More XSS stuff
| -rw-r--r-- | system/core/Security.php | 2 | ||||
| -rw-r--r-- | tests/codeigniter/core/Security_test.php | 7 |
2 files changed, 7 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 0cae23a79..27471d98e 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -808,7 +808,7 @@ class CI_Security { .'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons .'(?<name>[^\s\042\047>/=]+)' // attribute characters // optional attribute-value - .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator + .'(?:\s*=(?:[^\s\042\047=><`]+|\s*\042[^\042]+\042|\s*\047[^\047]+\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator .'#i'; if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index ca111c3bf..b093393af 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -162,7 +162,7 @@ class Security_test extends CI_TestCase { { $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">')); $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>')); - $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>')); + $this->assertEquals('<foo [removed]bar>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>')); $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">')); $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>')); $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true')); @@ -207,6 +207,11 @@ class Security_test extends CI_TestCase { '<image src="<>" [removed]>', $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>') ); + + $this->assertEquals( + '<b "=<= [removed]>', + $this->security->xss_clean('<b "=<= onmouseover=alert(1)>') + ); } // -------------------------------------------------------------------- |