Add <button> to the list of 'naugthy' html elements in CI_Security::xss_clean()

author: Andrey Andreev <narf@devilix.net> 2014-01-21 22:52:31 +0100
committer: Andrey Andreev <narf@devilix.net> 2014-01-21 22:52:31 +0100
commit: 4356806dc0298363217694d727db9cad84a073e0 (patch)
tree: 16109f0ecca2963cbc3085c50a37638b00dbcdda /system/core/Security.php
parent: 1a9a4dc55112d264a61e1c50cf52733c993e0e52 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 95957a3d8..eb2695801 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -134,7 +134,7 @@ class CI_Security {
 		'(document|(document\.)?window)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
-		'Redirect\s+302',
+		'Redirect\s+30\d',
 		"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 	);
 
@@ -456,7 +456,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
author	Andrey Andreev <narf@devilix.net>	2014-01-21 22:52:31 +0100
committer	Andrey Andreev <narf@devilix.net>	2014-01-21 22:52:31 +0100
commit	4356806dc0298363217694d727db9cad84a073e0 (patch)
tree	16109f0ecca2963cbc3085c50a37638b00dbcdda /system/core/Security.php
parent	1a9a4dc55112d264a61e1c50cf52733c993e0e52 (diff)