diff options
author | Andrey Andreev <narf@devilix.net> | 2014-01-24 13:28:47 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-01-24 13:28:47 +0100 |
commit | 98d6cc84718f471b150bb4e1ec93a7c89a967f69 (patch) | |
tree | bf7bc5507eb0ea6f9372d7d15c88069d32798f40 /system/core | |
parent | de1fe7d504898bc6a42e24b4c73da3887a9933d6 (diff) | |
parent | ecc260e0be0cdb55c4e4802b78ddd78b0d8b0ebc (diff) |
Merge branch 'develop' into feature/user-guide-cleanup
Diffstat (limited to 'system/core')
-rw-r--r-- | system/core/Security.php | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 95957a3d8..d6356f869 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -62,6 +62,17 @@ class CI_Security { ); /** + * HTML5 entities + * + * @var array + */ + public $html5_entities = array( + ':' => ':', + '(' => '(', + ')' => ')' + ); + + /** * XSS Hash * * Random Hash for protecting URLs. @@ -134,7 +145,7 @@ class CI_Security { '(document|(document\.)?window)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! - 'Redirect\s+302', + 'Redirect\s+30\d', "([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?" ); @@ -456,7 +467,7 @@ class CI_Security { * So this: <blink> * Becomes: <blink> */ - $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss'; + $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss'; $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); /* @@ -810,7 +821,14 @@ class CI_Security { */ protected function _decode_entity($match) { - return $this->entity_decode($match[0], strtoupper(config_item('charset'))); + // entity_decode() won't convert dangerous HTML5 entities + // (it could, but ENT_HTML5 is only available since PHP 5.4), + // so we'll do that here + return str_ireplace( + array_keys($this->html5_entities), + array_values($this->html5_entities), + $this->entity_decode($match[0], strtoupper(config_item('charset'))) + ); } // -------------------------------------------------------------------- |