summaryrefslogtreecommitdiffstats
path: root/system/core
diff options
context:
space:
mode:
authorFlorian Pritz <bluewind@xinu.at>2013-09-22 11:16:06 +0200
committerFlorian Pritz <bluewind@xinu.at>2013-09-22 11:44:42 +0200
commitf74af98b3dcc239fa442b6615a020e10c8d1a833 (patch)
treecd38179981b767b1fc21ab901847a2c5c09f1799 /system/core
parent8956c3aec70ccc98ce2aa95249fc0d1c70809284 (diff)
parent0f8312aa620ce68a81a2df2e393bb790970b917e (diff)
Merge tag '2.1.4'
Signed-off-by: Florian Pritz <bluewind@xinu.at> Conflicts: application/config/migration.php user_guide/changelog.html
Diffstat (limited to 'system/core')
-rw-r--r--system/core/CodeIgniter.php2
-rw-r--r--system/core/Security.php13
2 files changed, 7 insertions, 8 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php
index c16c79c09..e0819c801 100644
--- a/system/core/CodeIgniter.php
+++ b/system/core/CodeIgniter.php
@@ -33,7 +33,7 @@
* @var string
*
*/
- define('CI_VERSION', '2.1.3');
+ define('CI_VERSION', '2.1.4');
/**
* CodeIgniter Branch (Core = TRUE, Reactor = FALSE)
diff --git a/system/core/Security.php b/system/core/Security.php
index 00089d765..b0d39b981 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -619,17 +619,16 @@ class CI_Security {
$count = 0;
$attribs = array();
- // find occurrences of illegal attribute strings without quotes
- preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
+ // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
+ preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
foreach ($matches as $attr)
{
-
$attribs[] = preg_quote($attr[0], '/');
}
- // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
- preg_match_all("/(".implode('|', $evil_attributes).")\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is", $str, $matches, PREG_SET_ORDER);
+ // find occurrences of illegal attribute strings without quotes
+ preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
foreach ($matches as $attr)
{
@@ -639,7 +638,7 @@ class CI_Security {
// replace illegal attribute strings that are inside an html tag
if (count($attribs) > 0)
{
- $str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count);
+ $str = preg_replace('/(<?)(\/?[^><]+?)([^A-Za-z<>\-])(.*?)('.implode('|', $attribs).')(.*?)([\s><]?)([><]*)/i', '$1$2 $4$6$7$8', $str, -1, $count);
}
} while ($count);
@@ -873,4 +872,4 @@ class CI_Security {
}
/* End of file Security.php */
-/* Location: ./system/libraries/Security.php */ \ No newline at end of file
+/* Location: ./system/libraries/Security.php */