summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--system/core/Security.php6
-rw-r--r--tests/codeigniter/core/Security_test.php16
2 files changed, 19 insertions, 3 deletions
diff --git a/system/core/Security.php b/system/core/Security.php
index a30613386..0cae23a79 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -808,7 +808,7 @@ class CI_Security {
.'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons
.'(?<name>[^\s\042\047>/=]+)' // attribute characters
// optional attribute-value
- .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]+)?' // attribute-value separator
+ .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator
.'#i';
if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))
@@ -861,7 +861,7 @@ class CI_Security {
preg_replace(
'#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
'',
- $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
+ $this->_filter_attributes($match[1])
),
$match[0]
);
@@ -889,7 +889,7 @@ class CI_Security {
preg_replace(
'#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
'',
- $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
+ $this->_filter_attributes($match[1])
),
$match[0]
);
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index b04d25891..ca111c3bf 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -120,6 +120,17 @@ class Security_test extends CI_TestCase {
// --------------------------------------------------------------------
+ public function text_xss_clean_js_link_removal()
+ {
+ // This one is to prevent a false positive
+ $this->assertEquals(
+ "<a href=\"javascrip\n<t\n:alert\n&#40;1&#41;\"\n>",
+ $this->security->xss_clean("<a href=\"javascrip\n<t\n:alert\n(1)\"\n>")
+ );
+ }
+
+ // --------------------------------------------------------------------
+
public function test_xss_clean_js_img_removal()
{
$input = '<img src="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere';
@@ -191,6 +202,11 @@ class Security_test extends CI_TestCase {
'<img src="x"> on=\'x\' onerror=,xssm()>',
$this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>')
);
+
+ $this->assertEquals(
+ '<image src="<>" [removed]>',
+ $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
+ );
}
// --------------------------------------------------------------------