diff options
-rw-r--r-- | system/libraries/Input.php | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php index 801762073..4fd2061c7 100644 --- a/system/libraries/Input.php +++ b/system/libraries/Input.php @@ -366,14 +366,14 @@ class CI_Input { * XSS Clean * * Sanitizes data so that Cross Site Scripting Hacks can be - * prevented.Ê This function does a fair amount of work but + * prevented. This function does a fair amount of work but * it is extremely thorough, designed to prevent even the - * most obscure XSS attempts.Ê Nothing is ever 100% foolproof, + * most obscure XSS attempts. Nothing is ever 100% foolproof, * of course, but I haven't been able to get anything passed * the filter. * * Note: This function should only be used to deal with data - * upon submission.Ê It's not something that should + * upon submission. It's not something that should * be used for general runtime processing. * * This function was based in part on some code and ideas I @@ -447,6 +447,24 @@ class CI_Input { $str); } } + + /* + * Not Allowed Under Any Conditions + */ + $bad = array( + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + 'window.location' => '[removed]', + "javascript\s*:" => '[removed]', + "Redirect\s+302" => '[removed]', + '<!--' => '<!--', + '-->' => '-->' + ); + + foreach ($bad as $key => $val) + { + $str = preg_replace("#".$key."#i", $val, $str); + } /* * Convert all tabs to spaces @@ -542,11 +560,11 @@ class CI_Input { * */ $bad = array( - 'document.cookie' => '', - 'document.write' => '', - 'window.location' => '', - "javascript\s*:" => '', - "Redirect\s+302" => '', + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + 'window.location' => '[removed]', + "javascript\s*:" => '[removed]', + "Redirect\s+302" => '[removed]', '<!--' => '<!--', '-->' => '-->' ); |