diff options
author | Andrey Andreev <narf@devilix.net> | 2016-09-27 13:59:37 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2016-09-27 13:59:37 +0200 |
commit | eea02de557834006c5d6a0bfccca7f39e75bf3a8 (patch) | |
tree | ae9800d9d0f358b9df53d559f9eaa95b7b3df218 /system/core/Security.php | |
parent | 8a15f5af819424087b6676709d98de6fa5fc6115 (diff) |
Fix entity_decode() issue
Diffstat (limited to 'system/core/Security.php')
-rw-r--r-- | system/core/Security.php | 39 |
1 files changed, 22 insertions, 17 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 3a5da4fde..4a69daa18 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -669,6 +669,22 @@ class CI_Security { ? ENT_COMPAT | ENT_HTML5 : ENT_COMPAT; + if ( ! isset($_entities)) + { + $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset)); + + // If we're not on PHP 5.4+, add the possibly dangerous HTML 5 + // entities to the array manually + if ($flag === ENT_COMPAT) + { + $_entities[':'] = ':'; + $_entities['('] = '('; + $_entities[')'] = ')'; + $_entities["\n"] = '
'; + $_entities["\t"] = '	'; + } + } + do { $str_compare = $str; @@ -676,22 +692,6 @@ class CI_Security { // Decode standard entities, avoiding false positives if (preg_match_all('/&[a-z]{2,}(?![a-z;])/i', $str, $matches)) { - if ( ! isset($_entities)) - { - $_entities = array_map('strtolower', get_html_translation_table(HTML_ENTITIES, $flag, $charset)); - - // If we're not on PHP 5.4+, add the possibly dangerous HTML 5 - // entities to the array manually - if ($flag === ENT_COMPAT) - { - $_entities[':'] = ':'; - $_entities['('] = '('; - $_entities[')'] = ')'; - $_entities["\n"] = '&newline;'; - $_entities["\t"] = '&tab;'; - } - } - $replace = array(); $matches = array_unique(array_map('strtolower', $matches[0])); foreach ($matches as &$match) @@ -702,7 +702,7 @@ class CI_Security { } } - $str = str_ireplace(array_keys($replace), array_values($replace), $str); + $str = str_replace(array_keys($replace), array_values($replace), $str); } // Decode numeric & UTF16 two byte entities @@ -711,6 +711,11 @@ class CI_Security { $flag, $charset ); + + if ($flag === ENT_COMPAT) + { + $str = str_replace(array_values($_entities), array_keys($_entities), $str); + } } while ($str_compare !== $str); return $str; |