author | Andrey Andreev <narf@devilix.net> | 2017-01-04 14:26:35 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2017-01-04 14:26:35 +0100 |
commit | 2ab1c1902711c8b0caf5c3e8f2fa825d72f6755d (patch) | |
tree | 6b1916cae83d662dbdebccc58c0c8f99530492a0 /system/core | |
parent | 2fa068d238c65cbe8e048809b1839fa0cda3123b (diff) |
Fix an XSS vulnerability
Diffstat (limited to 'system/core')
-rw-r--r-- | system/core/Security.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index 8b313a9a2..d198b663b 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -499,7 +499,7 @@ class CI_Security {
 * Becomes: <blink>
 */
 $pattern = '#'
- .'<((?<slash>/*\s*)(?<tagName>[a-z0-9]+)(?=[^a-z0-9]|$)' // tag start and name, followed by a non-tag character
+ .'<((?<slash>/*\s*)((?<tagName>[a-z0-9]+)(?=[^a-z0-9]|$)|.+)' // tag start and name, followed by a non-tag character
 .'[^\s\042\047a-z0-9>/=]*' // a valid attribute character immediately after the tag would count as a separator
 // optional attributes
 .'(?<attributes>(?:[\s\042\047/=]*' // non-attribute characters, excluding > (tag close) for obvious reasons |
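Review bot: The trailing comment on the changed pattern line still reads `// tag start and name, followed by a non-tag character`, but the new `|.+` alternative also matches a `<` that is not followed by a valid `[a-z0-9]+` name, and in that branch the `tagName` group does not participate in the match. I would document the fallback, e.g. `// tag start and name, followed by a non-tag character; '.+' is a catch-all for a '<' with no valid tag name`. The code that consumes the match lies outside this hunk, so it is worth confirming that it treats a missing or empty `tagName` as not allowed rather than reading it unconditionally. `.+` is also greedy and, unless the pattern's modifiers (not visible here) say otherwise, stops at a newline, so a regression test with a malformed tag spanning several lines would pin the intended behaviour.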