Fix #2729

2 files changed, 4 insertions, 2 deletions

diff --git a/system/core/Security.php b/system/core/Security.php
index 4c01da2b8..95957a3d8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -837,14 +837,15 @@ class CI_Security {
 		 * Add a semicolon if missing.  We do this to enable
 		 * the conversion of entities to ASCII later.
 		 */
-		$str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str);
+		$str = preg_replace('/(&#\d{2,4})(?![0-9;])/', '$1;', $str);
+		$str = preg_replace('/(&[a-z]{2,})(?![a-z;])/i', '$1;', $str);
 
 		/*
 		 * Validate UTF16 two byte encoding (x00)
 		 *
 		 * Just as above, adds a semicolon if missing.
 		 */
-		$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', '\\1\\2;', $str);
+		$str = preg_replace('/(&#x0*[0-9a-f]{2,5})(?![0-9a-f;])/i', '$1;', $str);
 
 		/*
 		 * Un-Protect GET variables in URLs
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 4d93091f1..c68258e1c 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -681,6 +681,7 @@ Bug fixes for 3.0
 -  Fixed a bug where :doc:`User Agent Library <libraries/user_agent>` methods ``accept_charset()`` and ``accept_lang()`` didn't properly parse HTTP headers that contain spaces.
 -  Fixed a bug where *default_controller* was called instad of triggering a 404 error if the current route is in a controller directory.
 -  Fixed a bug (#2737) - :doc:`XML-RPC Library <libraries/xmlrpc>` used objects as array keys, which triggered E_NOTICE messages.
+-  Fixed a bug (#2729) - ``CI_Securty::_validate_entities()`` used overly-intrusive ``preg_replace()`` patterns that produced false-positives.
 
 Version 2.1.4
 =============