More XSS stuff

author: Andrey Andreev <narf@devilix.net> 2015-10-02 15:44:05 +0200
committer: Andrey Andreev <narf@devilix.net> 2015-10-02 15:44:05 +0200
commit: 249580e711d42fe966e52d7bcc0f349ba99a94a3 (patch)
tree: 7c323912f4e7c38c546219fe21e0839dfac7519b /system/core
parent: f084acf240253f396d4a9787fed93a13d5771f46 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 0cae23a79..27471d98e 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -808,7 +808,7 @@ class CI_Security {
 				.'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons
 				.'(?<name>[^\s\042\047>/=]+)' // attribute characters
 				// optional attribute-value
-				.'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator
+				.'(?:\s*=(?:[^\s\042\047=><`]+|\s*\042[^\042]+\042|\s*\047[^\047]+\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator
 				.'#i';
 
 			if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))
author	Andrey Andreev <narf@devilix.net>	2015-10-02 15:44:05 +0200
committer	Andrey Andreev <narf@devilix.net>	2015-10-02 15:44:05 +0200
commit	249580e711d42fe966e52d7bcc0f349ba99a94a3 (patch)
tree	7c323912f4e7c38c546219fe21e0839dfac7519b /system/core
parent	f084acf240253f396d4a9787fed93a13d5771f46 (diff)