summaryrefslogtreecommitdiffstats
path: root/system/core
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2017-01-04 14:26:35 +0100
committerAndrey Andreev <narf@devilix.net>2017-01-04 14:26:35 +0100
commit2ab1c1902711c8b0caf5c3e8f2fa825d72f6755d (patch)
tree6b1916cae83d662dbdebccc58c0c8f99530492a0 /system/core
parent2fa068d238c65cbe8e048809b1839fa0cda3123b (diff)
Fix an XSS vulnerability
Diffstat (limited to 'system/core')
-rw-r--r--system/core/Security.php2
1 files changed, 1 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 8b313a9a2..d198b663b 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -499,7 +499,7 @@ class CI_Security {
* Becomes: &lt;blink&gt;
*/
$pattern = '#'
- .'<((?<slash>/*\s*)(?<tagName>[a-z0-9]+)(?=[^a-z0-9]|$)' // tag start and name, followed by a non-tag character
+ .'<((?<slash>/*\s*)((?<tagName>[a-z0-9]+)(?=[^a-z0-9]|$)|.+)' // tag start and name, followed by a non-tag character
.'[^\s\042\047a-z0-9>/=]*' // a valid attribute character immediately after the tag would count as a separator
// optional attributes
.'(?<attributes>(?:[\s\042\047/=]*' // non-attribute characters, excluding > (tag close) for obvious reasons