authorAndrey Andreev <narf@devilix.net>2014-01-25 00:55:52 +0100
committerAndrey Andreev <narf@devilix.net>2014-01-25 00:55:52 +0100
commit12445caa95a62842f726212aaa09f897f9018f11 (patch)
tree025025b572e3dbbc93562ca1849e7f36bd854842
parent2b284f9b171ba0e0886db15772a6a62e9155f74f (diff)
Partially fix #2667
-rw-r--r--system/core/Security.php10
1 files changed, 8 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 49e5ab411..95f65e579 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -433,6 +433,12 @@ class CI_Security {
* We used to do some version comparisons and use of stripos for PHP5,
* but it is dog slow compared to these simplified non-capturing
* preg_match(), especially if the pattern exists in the string
+ *
+ * Note: It was reported that not only space characters, but all in
+ * the following pattern can be parsed as separators between a tag name
+ * and its attributes: [\d\s"\'`;,\/\=\(\x00\x0B\x09\x0C]
+ * ... however, remove_invisible_characters() above already strips the
+ * hex-encoded ones, so we'll skip them below.
*/
do
{
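Review bot: The added note says remove_invisible_characters() already strips all four hex-encoded characters, but `\x09` is the horizontal tab, which that helper appears to leave in place on purpose (it is not visible in this hunk, so confirm). The tab is handled below only because `\s` matches it. Suggest rewording the last two comment lines to `* ... however, \s already covers \x09 and \x0C, and remove_invisible_characters() above strips \x00 and \x0B, so they are not repeated below.`, so that a later edit narrowing `\s` does not silently drop tab handling. The comment block starts above the hunk.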
@@ -440,12 +446,12 @@ class CI_Security {
if (preg_match('/<a/i', $str))
{
- $str = preg_replace_callback('#<a\s+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
+ $str = preg_replace_callback('#<a[\s\d"\'`;/=,\(]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
}
if (preg_match('/<img/i', $str))
{
- $str = preg_replace_callback('#<img\s+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
+ $str = preg_replace_callback('#<img[\s\d"\'`;/=,\(]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
}
if (preg_match('/script|xss/i', $str))
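Review bot: The separator class is now written out by hand in both the `<a` and `<img` patterns, and a third time in a different order in the comment above, so the copies can drift apart the next time a separator is reported. The "Partially fix" title suggests more such reports are expected. Define the bracketed class once before the loop in a local such as `$tag_separators`, then build the patterns as `'#<a'.$tag_separators.'+([^>]*?)(?:>|$)#si'` and `'#<img'.$tag_separators.'+([^>]*?)(?:\s?/?>|$)#si'`. A regression test with one input per listed separator, for each of the two tags, would pin the filter's behaviour and show at once which characters are still uncovered. The do-loop body continues past the end of this hunk.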