Merge branch 'develop' into feature/user-guide-cleanup

2 files changed, 6 insertions, 3 deletions

diff --git a/system/core/Common.php b/system/core/Common.php
index 00e303098..cfc63c2aa 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -76,6 +76,7 @@ if ( ! function_exists('is_really_writable'))
 	 * the file, based on the read-only attribute. is_writable() is also unreliable
 	 * on Unix servers if safe_mode is on.
 	 *
+	 * @link	https://bugs.php.net/bug.php?id=54709
 	 * @param	string
 	 * @return	void
 	 */
diff --git a/system/core/Security.php b/system/core/Security.php
index d6356f869..49e5ab411 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -69,7 +69,9 @@ class CI_Security {
 	public $html5_entities = array(
 		':'	=> ':',
 		'('	=> '(',
-		')'	=> ')'
+		')'	=> ')',
+		'&newline;'	=> "\n",
+		'&tab;'		=> "\t"
 	);
 
 	/**
@@ -467,7 +469,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|svg|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
@@ -660,7 +662,7 @@ class CI_Security {
 	protected function _remove_evil_attributes($str, $is_image)
 	{
 		// Formaction, style, and xmlns
-		$evil_attributes = array('style', 'xmlns', 'formaction');
+		$evil_attributes = array('style', 'xmlns', 'formaction', 'form', 'xlink:href');
 
 		if ($is_image === TRUE)
 		{