diff options
| -rw-r--r-- | system/core/Security.php | 6 | ||||
| -rw-r--r-- | tests/codeigniter/core/Security_test.php | 16 |
2 files changed, 19 insertions, 3 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index a30613386..0cae23a79 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -808,7 +808,7 @@ class CI_Security { .'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons .'(?<name>[^\s\042\047>/=]+)' // attribute characters // optional attribute-value - .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]+)?' // attribute-value separator + .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator .'#i'; if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) @@ -861,7 +861,7 @@ class CI_Security { preg_replace( '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si', '', - $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + $this->_filter_attributes($match[1]) ), $match[0] ); @@ -889,7 +889,7 @@ class CI_Security { preg_replace( '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si', '', - $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])) + $this->_filter_attributes($match[1]) ), $match[0] ); diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index b04d25891..ca111c3bf 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -120,6 +120,17 @@ class Security_test extends CI_TestCase { // -------------------------------------------------------------------- + public function text_xss_clean_js_link_removal() + { + // This one is to prevent a false positive + $this->assertEquals( + "<a href=\"javascrip\n<t\n:alert\n(1)\"\n>", + $this->security->xss_clean("<a href=\"javascrip\n<t\n:alert\n(1)\"\n>") + ); + } + + // -------------------------------------------------------------------- + public function test_xss_clean_js_img_removal() { $input = '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere'; @@ -191,6 +202,11 @@ class Security_test extends CI_TestCase { '<img src="x"> on=\'x\' onerror=,xssm()>', $this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>') ); + + $this->assertEquals( + '<image src="<>" [removed]>', + $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>') + ); } // -------------------------------------------------------------------- |