summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2014-01-20 10:17:34 +0100
committerAndrey Andreev <narf@devilix.net>2014-01-20 10:17:34 +0100
commit4d0571666d03511ac5b4a1f2a6882ccb1509a209 (patch)
tree521e0a86a9ee850cea9f3a8bd9138eb28a469462 /system/core/Security.php
parent3aecedbbb017567925f76ae68b726bd22b4cc80c (diff)
Fix #2729
Diffstat (limited to 'system/core/Security.php')
-rw-r--r--system/core/Security.php5
1 files changed, 3 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 4c01da2b8..95957a3d8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -837,14 +837,15 @@ class CI_Security {
* Add a semicolon if missing. We do this to enable
* the conversion of entities to ASCII later.
*/
- $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str);
+ $str = preg_replace('/(&#\d{2,4})(?![0-9;])/', '$1;', $str);
+ $str = preg_replace('/(&[a-z]{2,})(?![a-z;])/i', '$1;', $str);
/*
* Validate UTF16 two byte encoding (x00)
*
* Just as above, adds a semicolon if missing.
*/
- $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', '\\1\\2;', $str);
+ $str = preg_replace('/(&#x0*[0-9a-f]{2,5})(?![0-9a-f;])/i', '$1;', $str);
/*
* Un-Protect GET variables in URLs