summaryrefslogtreecommitdiffstats
path: root/system/libraries/Input.php
diff options
context:
space:
mode:
authorpaulburdick <devnull@localhost>2007-06-28 00:58:24 +0200
committerpaulburdick <devnull@localhost>2007-06-28 00:58:24 +0200
commit391eb03004deee85b9b0e978982950723b9742b5 (patch)
treeb38e7b62506a20de8f406cb5810d636478bdcb05 /system/libraries/Input.php
parentb614d392ccafd1decadbdc11afd7c0dcc4baec34 (diff)
Improved XSS clean to not allowing this:
xss_clean("<x<xss>ss <scr<xss>ipt a='>'>alert/**/('!');//*/</script</script >>");
Diffstat (limited to 'system/libraries/Input.php')
-rw-r--r--system/libraries/Input.php16
1 files changed, 12 insertions, 4 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 51d4ed288..f9d23ae79 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -588,10 +588,18 @@ class CI_Input {
/*
* Remove disallowed Javascript in links or img tags
- */
- $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
- $str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);
- $str = preg_replace("#<(script|xss).*?\>#si", "", $str);
+ */
+ do
+ {
+ $original = $str;
+
+ $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
+ $str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);
+ $str = preg_replace("#</*(script|xss).*?\>#si", "", $str);
+ }
+ while($original != $str);
+
+ unset($original);
/*
* Remove JavaScript Event Handlers