diff options
| author | Andrey Andreev <narf@devilix.net> | 2014-03-18 22:08:59 +0100 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2014-03-18 22:08:59 +0100 |
| commit | 46d2072e5ce0c13f3be2bd909d76eba37964740f (patch) | |
| tree | 6a022cbd743aa08c9fb79a5fcca9de371f41b574 /system/core | |
| parent | ebb3aa0edde1efd4829a3ad8dbe0eeac970794cb (diff) | |
More xss_clean() improvements
Issue described in https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37980030
+ a false positive
Diffstat (limited to 'system/core')
| -rw-r--r-- | system/core/Security.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index a4d8c95ef..17ba3bcd8 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -454,7 +454,7 @@ class CI_Security { if (preg_match('/<a/i', $str)) { - $str = preg_replace_callback('#<a[^a-z0-9]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); + $str = preg_replace_callback('#<a[^a-z0-9>]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str); } if (preg_match('/<img/i', $str)) @@ -581,7 +581,7 @@ class CI_Security { $str_compare = $str; $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str); - $str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str); + $str = preg_replace('/(�*\d{2,4})(?![0-9;])/S', '$1;', $str); $str = html_entity_decode($str, ENT_COMPAT, $charset); } while ($str_compare !== $str); |