summaryrefslogtreecommitdiffstats
path: root/system/core
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2014-01-24 13:28:47 +0100
committerAndrey Andreev <narf@devilix.net>2014-01-24 13:28:47 +0100
commit98d6cc84718f471b150bb4e1ec93a7c89a967f69 (patch)
treebf7bc5507eb0ea6f9372d7d15c88069d32798f40 /system/core
parentde1fe7d504898bc6a42e24b4c73da3887a9933d6 (diff)
parentecc260e0be0cdb55c4e4802b78ddd78b0d8b0ebc (diff)
Merge branch 'develop' into feature/user-guide-cleanup
Diffstat (limited to 'system/core')
-rw-r--r--system/core/Security.php24
1 files changed, 21 insertions, 3 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 95957a3d8..d6356f869 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -62,6 +62,17 @@ class CI_Security {
);
/**
+ * HTML5 entities
+ *
+ * @var array
+ */
+ public $html5_entities = array(
+ '&colon;' => ':',
+ '&lpar;' => '(',
+ '&rpar;' => ')'
+ );
+
+ /**
* XSS Hash
*
* Random Hash for protecting URLs.
@@ -134,7 +145,7 @@ class CI_Security {
'(document|(document\.)?window)\.(location|on\w*)',
'expression\s*(\(|&\#40;)', // CSS and IE
'vbscript\s*:', // IE, surprise!
- 'Redirect\s+302',
+ 'Redirect\s+30\d',
"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
);
@@ -456,7 +467,7 @@ class CI_Security {
* So this: <blink>
* Becomes: &lt;blink&gt;
*/
- $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
+ $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
/*
@@ -810,7 +821,14 @@ class CI_Security {
*/
protected function _decode_entity($match)
{
- return $this->entity_decode($match[0], strtoupper(config_item('charset')));
+ // entity_decode() won't convert dangerous HTML5 entities
+ // (it could, but ENT_HTML5 is only available since PHP 5.4),
+ // so we'll do that here
+ return str_ireplace(
+ array_keys($this->html5_entities),
+ array_values($this->html5_entities),
+ $this->entity_decode($match[0], strtoupper(config_item('charset')))
+ );
}
// --------------------------------------------------------------------