diff options
Diffstat (limited to 'system/core/Security.php')
-rw-r--r-- | system/core/Security.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/system/core/Security.php b/system/core/Security.php index 7c5199255..8ca66d297 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -787,11 +787,11 @@ class CI_Security { $count = $temp_count = 0; // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', '$1[removed]', $str, -1, $temp_count); + $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\4]*?)(\\4)/is', '<$1[removed]', $str, -1, $temp_count); $count += $temp_count; // find occurrences of illegal attribute strings without quotes - $str = preg_replace('/(<[^>]+)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '$1[removed]', $str, -1, $temp_count); + $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '<$1[removed]', $str, -1, $temp_count); $count += $temp_count; } while ($count); |