authorDerek Jones <derek.jones@ellislab.com>2007-07-12 15:10:42 +0200
committerDerek Jones <derek.jones@ellislab.com>2007-07-12 15:10:42 +0200
commit48bb32aece18e9dce381602e242609adfc71b0d0 (patch)
tree49121991b72918ff7fe31af4b1b54f00a64081f5 /system
parent178b0a68edd3bcd66ae8ba81a149848f0c196a87 (diff)
further xss_clean() enhancements
Diffstat (limited to 'system')
-rw-r--r--system/libraries/Input.php97
1 files changed, 67 insertions, 30 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 33f288688..fcca722b7 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -538,15 +538,15 @@ class CI_Input {
* the conversion of entities to ASCII later.
*
*/
- $str = preg_replace('#(&\#*\w+)[\x00-\x20]+;#u',"\\1;",$str);
+ $str = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $str);
/*
- * Validate UTF16 two byte encoding (x00)
+ * Validate UTF16 two byte encoding (x00)
*
* Just as above, adds a semicolon if missing.
*
*/
- $str = preg_replace('#(&\#x*)([0-9A-F]+);*#iu',"\\1\\2;",$str);
+ $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str);
/*
* URL Decode
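Review bot: Making the terminator optional (`;?`) at line 25 turns the rule into "append a semicolon to every `&` followed by letters or digits", so ordinary text is rewritten: `AT&T` becomes `AT&T;` and a query string such as `?a=1&b=2` becomes `?a=1&b;=2`, which breaks links passed through the filter. The previous pattern only fired when whitespace and a `;` were actually present. If the goal is to normalise entities whose semicolon is missing, consider limiting the optional-semicolon form to numeric references, e.g. `'#(&\#[0-9]+)[\x00-\x20]*;?#i'`, and keep the `;` mandatory for named entities. The same loosening applies to the hex rule at line 34, though a bare `&#x` is unlikely in benign text. xss_clean() begins before this hunk and continues after it.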
@@ -580,38 +580,51 @@ class CI_Input {
$str);
}
}
-
+
+ /*
+ * Convert all tabs to spaces
+ *
+ * This prevents strings like this: ja vascript
+ * NOTE: we deal with spaces between characters later.
+ * NOTE: preg_replace was found to be amazingly slow here on large blocks of data,
+ * so we use str_replace.
+ *
+ */
+
+ $str = str_replace("\t", " ", $str);
+
/*
* Not Allowed Under Any Conditions
*/
$bad = array(
'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
'.parentNode' => '[removed]',
'.innerHTML' => '[removed]',
- 'document.write' => '[removed]',
'window.location' => '[removed]',
+ '-moz-binding' => '[removed]',
+ '<!--' => '&lt;!--',
+ '-->' => '--&gt;',
+ '<!CDATA[' => '&lt;![CDATA['
+ );
+
+ foreach ($bad as $key => $val)
+ {
+ $str = str_replace($key, $val, $str);
+ }
+
+ $bad = array(
"javascript\s*:" => '[removed]',
"expression\s*\(" => '[removed]', // CSS and IE
- "Redirect\s+302" => '[removed]',
- '<!--' => '&lt;!--',
- '-->' => '--&gt;'
+ "Redirect\s+302" => '[removed]'
);
-
+
foreach ($bad as $key => $val)
{
$str = preg_replace("#".$key."#i", $val, $str);
}
/*
- * Convert all tabs to spaces
- *
- * This prevents strings like this: ja vascript
- * Note: we deal with spaces between characters later.
- *
- */
- $str = preg_replace("#\t+#", " ", $str);
-
- /*
* Makes PHP tags safe
*
* Note: XML tags are inadvertently replaced too:
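Review bot: The `'<!CDATA['` key added at line 68 never matches a real CDATA opener, which is spelled `<![CDATA[` (the `[` comes before `CDATA`), so that replacement is dead code while its value `&lt;![CDATA[` shows the intended target; the key should be `'<![CDATA['`. The same key appears in the second copy of this table at line 151. Moving these literal rules from preg_replace with `#i` to str_replace also makes them case-sensitive, which is fine for the JavaScript property names but not for `-moz-binding`, since CSS property names are case-insensitive and `-MOZ-BINDING` would slip past; str_ireplace (PHP 5) or keeping that entry in the regex table below would cover it. xss_clean() begins before this hunk and continues after it.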
@@ -621,7 +634,7 @@ class CI_Input {
* But it doesn't seem to pose a problem.
*
*/
- $str = str_replace(array('<?php', '<?PHP', '<?', '?>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
+ $str = str_replace(array('<?php', '<?PHP', '<?', '?'.'>'), array('&lt;?php', '&lt;?PHP', '&lt;?', '?&gt;'), $str);
/*
* Compact any exploded words
@@ -650,10 +663,24 @@ class CI_Input {
do
{
$original = $str;
-
- $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
- $str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);
- $str = preg_replace("#</*(script|xss).*?\>#si", "", $str);
+
+ if ((version_compare(PHP_VERSION, '5.0', '>=') === TRUE && stripos($str, '</a>') !== FALSE) OR
+ preg_match("/<\/a>/i", $str))
+ {
+ $str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);
+ }
+
+ if ((version_compare(PHP_VERSION, '5.0', '>=') === TRUE && stripos($str, '<img') !== FALSE) OR
+ preg_match("/img/i", $str))
+ {
+ $str = preg_replace_callback("#<img.*?".">#si", array($this, '_js_img_removal'), $str);
+ }
+
+ if ((version_compare(PHP_VERSION, '5.0', '>=') === TRUE && (stripos($str, 'script') !== FALSE OR stripos($str, 'xss') !== FALSE)) OR
+ preg_match("/(script|xss)/i", $str))
+ {
+ $str = preg_replace("#</*(script|xss).*?\>#si", "", $str);
+ }
}
while($original != $str);
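Review bot: `version_compare(PHP_VERSION, '5.0', '>=')` is evaluated three times per iteration of the do/while although its result cannot change; hoist it into a local before the loop, e.g. `$php5 = version_compare(PHP_VERSION, '5.0', '>=') === TRUE;`, and test `$php5 && stripos(...)` in each guard. The fallback pre-check at line 127 uses `/img/i` while its PHP 5 counterpart looks for `<img`, so the two branches disagree; `/<img/i` would match what the callback pattern actually needs. These guards are only cheap pre-checks in front of the existing replacements, so this is a point of style rather than a behavioural defect. The do/while sits inside xss_clean(), which starts and ends outside this hunk.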
@@ -706,20 +733,30 @@ class CI_Input {
*/
$bad = array(
'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
'.parentNode' => '[removed]',
'.innerHTML' => '[removed]',
- 'document.write' => '[removed]',
'window.location' => '[removed]',
+ '-moz-binding' => '[removed]',
+ '<!--' => '&lt;!--',
+ '-->' => '--&gt;',
+ '<!CDATA[' => '&lt;![CDATA['
+ );
+
+ foreach ($bad as $key => $val)
+ {
+ $str = str_replace($key, $val, $str);
+ }
+
+ $bad = array(
"javascript\s*:" => '[removed]',
"expression\s*\(" => '[removed]', // CSS and IE
- "Redirect\s+302" => '[removed]',
- '<!--' => '&lt;!--',
- '-->' => '--&gt;'
+ "Redirect\s+302" => '[removed]'
);
-
+
foreach ($bad as $key => $val)
{
- $str = preg_replace("#".$key."#i", $val, $str);
+ $str = preg_replace("#".$key."#i", $val, $str);
}
@@ -764,7 +801,7 @@ class CI_Input {
}
// --------------------------------------------------------------------
-
+
/**
* HTML Entities Decode
*