diff options
author | Andrey Andreev <narf@devilix.net> | 2016-10-28 17:14:13 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2016-10-28 17:14:13 +0200 |
commit | 8ec72f2ee46984ed0ca9abc5a01742e56fa0c300 (patch) | |
tree | 43bd6d55f6eea11239a757304427c7c5f0cab63e /system | |
parent | b6995a6a1bdfb2275b3befb89d51da0a1769771e (diff) | |
parent | 014be1e8726ebce6dd19284ae3deaee866d6b0e5 (diff) |
Merge branch 'release/3.1.2' into 3.1-stable
Diffstat (limited to 'system')
-rw-r--r-- | system/core/CodeIgniter.php | 2 | ||||
-rw-r--r-- | system/core/Security.php | 21 |
2 files changed, 12 insertions, 11 deletions
diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php index 32ad61899..a2067fb10 100644 --- a/system/core/CodeIgniter.php +++ b/system/core/CodeIgniter.php @@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed'); * @var string * */ - const CI_VERSION = '3.1.2-dev'; + const CI_VERSION = '3.1.2'; /* * ------------------------------------------------------ diff --git a/system/core/Security.php b/system/core/Security.php index b9160a252..d0308c5f9 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -133,15 +133,16 @@ class CI_Security { * @var array */ protected $_never_allowed_str = array( - 'document.cookie' => '[removed]', - 'document.write' => '[removed]', - '.parentNode' => '[removed]', - '.innerHTML' => '[removed]', - '-moz-binding' => '[removed]', - '<!--' => '<!--', - '-->' => '-->', - '<![CDATA[' => '<![CDATA[', - '<comment>' => '<comment>' + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + '.parentNode' => '[removed]', + '.innerHTML' => '[removed]', + '-moz-binding' => '[removed]', + '<!--' => '<!--', + '-->' => '-->', + '<![CDATA[' => '<![CDATA[', + '<comment>' => '<comment>', + '<%' => '<%' ); /** @@ -924,7 +925,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si', + '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si', '', $this->_filter_attributes($match[1]) ), |