summaryrefslogtreecommitdiffstats
path: root/system/libraries/Input.php
diff options
context:
space:
mode:
authorpaulburdick <devnull@localhost>2007-06-26 23:52:52 +0200
committerpaulburdick <devnull@localhost>2007-06-26 23:52:52 +0200
commit033ef02392d70dbc873deacc50ee76a800d0d228 (patch)
treedd51eaed9c17f54d4cdb0a7ee4eca553e21f46b9 /system/libraries/Input.php
parent85d9f0c9960188aa9916c499466c32279178be41 (diff)
*Updated the XSS Filtering to take into account the IE expression() ability
Diffstat (limited to 'system/libraries/Input.php')
-rw-r--r--system/libraries/Input.php8
1 files changed, 7 insertions, 1 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 1ff72877b..dc4e605b8 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -528,9 +528,12 @@ class CI_Input {
*/
$bad = array(
'document.cookie' => '[removed]',
+ '.parentNode' => '[removed]',
+ '.innerHTML' => '[removed]',
'document.write' => '[removed]',
'window.location' => '[removed]',
"javascript\s*:" => '[removed]',
+ "expression\s*\(" => '[removed]', // CSS and IE
"Redirect\s+302" => '[removed]',
'<!--' => '&lt;!--',
'-->' => '--&gt;'
@@ -626,7 +629,7 @@ class CI_Input {
* Becomes: eval&#40;'some code'&#41;
*
*/
- $str = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
+ $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2&#40;\\3&#41;", $str);
/*
* Final clean up
@@ -637,9 +640,12 @@ class CI_Input {
*/
$bad = array(
'document.cookie' => '[removed]',
+ '.parentNode' => '[removed]',
+ '.innerHTML' => '[removed]',
'document.write' => '[removed]',
'window.location' => '[removed]',
"javascript\s*:" => '[removed]',
+ "expression\s*\(" => '[removed]', // CSS and IE
"Redirect\s+302" => '[removed]',
'<!--' => '&lt;!--',
'-->' => '--&gt;'