authorbrian978 <dbrian89@yahoo.com>2012-12-10 12:58:10 +0100
committerbrian978 <dbrian89@yahoo.com>2012-12-10 12:58:10 +0100
commitea52015e1f3ae610137fd6acf78dd51c93f69a2b (patch)
tree3116c48a385037159abb176b95153104588cd0d9 /system/core/Security.php
parent2c70fec8c697caaea0ee74392847a6a6204eea01 (diff)
parent0a83fcc748ef29e644bf9e8cac4d7dd9a7408d5f (diff)
Merge branch 'dev/xss' into develop
Diffstat (limited to 'system/core/Security.php')
-rw-r--r--system/core/Security.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 220188edc..635f9ff31 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -329,7 +329,7 @@ class CI_Security {
* these are the ones that will pose security problems.
*/
$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
- $str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str);
+ $str = preg_replace_callback('/<\w+.*?=.*?>\b/si', array($this, '_decode_entity'), $str);
// Remove Invisible Characters Again!
$str = remove_invisible_characters($str);
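Review bot: The new pattern on the `_decode_entity` line ends in `>\b`, and because `>` is a non-word character that boundary only holds when the next character is a word character, so a tag followed by whitespace, punctuation, another `<` or the end of input is no longer handed to `_decode_entity`; the old lookahead `(?=>|<|$)` also covered tags with no closing `>`, which now reach the later checks with their entities still encoded. With the `s` flag, `.*?=` can also run past the first `>` into the following text until it finds an `=`, so decoding may be applied to content outside the tag. Consider bounding the match to a single tag while keeping the unterminated case, for example `'/<\w+[^<>]*?=[^<>]*?(?=>|<|$)/si'` (this assumes quoted `<`/`>` in attribute values were already encoded by `_convert_attribute` on the previous line, which is not visible here), and add regression tests for each terminator case. The enclosing method starts and ends outside the hunk.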