summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2018-03-22 16:00:47 +0100
committerAndrey Andreev <narf@devilix.net>2018-03-22 16:00:47 +0100
commitc243df3af851fe90cd272f3958f7eb7bf76173b1 (patch)
tree83e8bda62fe6c5b40b7cd93cbc6c6c3a8214cc03 /system/core/Security.php
parentf3e19ac4990e1e3fbc6964e97e7e09e506935d6e (diff)
parent3d2073e877cb1fddbea8fcec5bc5d38b545cdcfa (diff)
Merge branch '3.1-stable' into develop
Conflicts resolved: system/core/CodeIgniter.php system/core/Security.php system/database/DB_query_builder.php system/libraries/Email.php user_guide_src/source/changelog.rst user_guide_src/source/conf.py user_guide_src/source/installation/downloads.rst user_guide_src/source/installation/upgrading.rst
Diffstat (limited to 'system/core/Security.php')
-rw-r--r--system/core/Security.php12
1 files changed, 10 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 091093637..b19a6fb02 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -545,6 +545,14 @@ class CI_Security {
$str
);
+ // Same thing, but for "tag functions" (e.g. eval`some code`)
+ // See https://github.com/bcit-ci/CodeIgniter/issues/5420
+ $str = preg_replace(
+ '#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)`(.*?)`#si',
+ '\\1\\2&#96;\\3&#96;',
+ $str
+ );
+
// Final clean up
// This adds a bit of extra precaution in case
// something got through the above filters
@@ -907,7 +915,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
+ '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
'',
$this->_filter_attributes($match[1])
),
@@ -935,7 +943,7 @@ class CI_Security {
return str_replace(
$match[1],
preg_replace(
- '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si',
+ '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si',
'',
$this->_filter_attributes($match[1])
),