author | Andrey Andreev <narf@devilix.net> | 2014-02-10 12:24:44 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-02-10 12:24:44 +0100 |
commit | 29e12641a1bb952f493462db6757ae12c7da1f2c (patch) | |
tree | 15a3c42f9d8ff53615d90d88b70547c0ef662110 /system/core | |
parent | f7f9dca050eb439028797a62eb2d4cac89daf5c5 (diff) |
CI_Security: URL-decode until possible
Diffstat (limited to 'system/core')
-rw-r--r-- | system/core/Security.php | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 75c994ae1..beb7f56e0 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -359,7 +359,11 @@ class CI_Security {
 *
 * Note: Use rawurldecode() so it does not remove plus signs
 */
- $str = rawurldecode($str);
+ do
+ {
+ $str = rawurldecode($str);
+ }
+ while (preg_match('/%[0-9a-f]{2,}/i', $str));
 
 /*
 * Convert character entities to ASCII |
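Review bot: The new `do … while` loop has no bound on the number of passes. Each `rawurldecode()` call undoes only one layer of percent-encoding, so on untrusted input the count of full-string decode-and-match passes grows with the nesting depth instead of staying constant. The loop does terminate, because every extra pass shortens the string, but that reasoning should sit in a comment above it, e.g. `// Repeat until no %XX is left: one pass removes one encoding layer, and each pass shortens $str, so this ends`. A pass or length limit that fails closed is also worth considering. Separately, the `{2,}` quantifier adds nothing to an unanchored `preg_match()`; `'/%[0-9a-f]{2}/i'` matches exactly the same strings. The enclosing method starts and ends outside the hunk, so whether callers already bound the size of `$str` cannot be seen from here.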