diff options
| author | Andrey Andreev <narf@devilix.net> | 2018-03-15 15:43:35 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-03-15 15:43:35 +0100 |
| commit | ffab7c1c7f9f5a0f3d82c6d9a89f1ebc77d6922f (patch) | |
| tree | 79a6447fce26a702c97d9032f72f18edaa27c1a3 /system | |
| parent | 5e9fec04649b530637732ea616e36b66efac1faf (diff) | |
| parent | c4eeb617e453153134c28050d421157c730c7bc9 (diff) | |
Merge pull request #5431 from CyberSecutor/develop
Added parenthesis check around "document" elements and fixed non-existent document.window filter to window.document
Diffstat (limited to 'system')
| -rw-r--r-- | system/core/Security.php | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index b8f76e5e2..091093637 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -134,7 +134,9 @@ class CI_Security { */ protected $_never_allowed_str = array( 'document.cookie' => '[removed]', + '(document).cookie' => '[removed]', 'document.write' => '[removed]', + '(document).write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', '-moz-binding' => '[removed]', @@ -152,7 +154,7 @@ class CI_Security { */ protected $_never_allowed_regex = array( 'javascript\s*:', - '(document|(document\.)?window)\.(location|on\w*)', + '(\(?document\)?|\(?window\)?(\.document)?)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! 'wscript\s*:', // IE @@ -831,7 +833,7 @@ class CI_Security { // For other tags, see if their attributes are "evil" and strip those elseif (isset($matches['attributes'])) { - // We'll store the already fitlered attributes here + // We'll store the already filtered attributes here $attributes = array(); // Attribute-catching pattern @@ -905,7 +907,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si', + '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si', '', $this->_filter_attributes($match[1]) ), @@ -933,7 +935,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si', + '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si', '', $this->_filter_attributes($match[1]) ), |