diff options
| author | Andrey Andreev <narf@devilix.net> | 2015-09-11 14:21:10 +0200 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2015-09-11 14:21:10 +0200 |
| commit | 2f71c625b8d9ed7efc34b2139695702d6a08f6be (patch) | |
| tree | 983967ee5a0b7d4f8d1cbfd7bf6ed5ace71a39af /system/core/Security.php | |
| parent | 58c7bcb85c1a354e1eaebae8ef658516f427378d (diff) | |
Improve on previous commit
Diffstat (limited to 'system/core/Security.php')
| -rw-r--r-- | system/core/Security.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 829aac7d2..ca0991ac4 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -795,7 +795,7 @@ class CI_Security { .')*' // end optional attributes group .')' // end catching evil attribute prefix // evil attribute starts here - .'([\s\042\047>/=]+' // non-attribute characters (we'll replace that with a single space) + .'([\s\042\047/=]+' // non-attribute characters (we'll replace that with a single space), again excluding '>' .'('.implode('|', $evil_attributes).')' .'\s*=\s*' // attribute-value separator .'(\042[^042]+\042|\047[^047]+\047|[^\s\042\047=><`]+)' // attribute value; single, double or non-quotes |