summaryrefslogtreecommitdiffstats
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/libraries/Input.php34
1 files changed, 26 insertions, 8 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 801762073..4fd2061c7 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -366,14 +366,14 @@ class CI_Input {
* XSS Clean
*
* Sanitizes data so that Cross Site Scripting Hacks can be
- * prevented.Ê This function does a fair amount of work but
+ * prevented.  This function does a fair amount of work but
* it is extremely thorough, designed to prevent even the
- * most obscure XSS attempts.Ê Nothing is ever 100% foolproof,
+ * most obscure XSS attempts.  Nothing is ever 100% foolproof,
* of course, but I haven't been able to get anything passed
* the filter.
*
* Note: This function should only be used to deal with data
- * upon submission.Ê It's not something that should
+ * upon submission.  It's not something that should
* be used for general runtime processing.
*
* This function was based in part on some code and ideas I
@@ -447,6 +447,24 @@ class CI_Input {
$str);
}
}
+
+ /*
+ * Not Allowed Under Any Conditions
+ */
+ $bad = array(
+ 'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
+ 'window.location' => '[removed]',
+ "javascript\s*:" => '[removed]',
+ "Redirect\s+302" => '[removed]',
+ '<!--' => '&lt;!--',
+ '-->' => '--&gt;'
+ );
+
+ foreach ($bad as $key => $val)
+ {
+ $str = preg_replace("#".$key."#i", $val, $str);
+ }
/*
* Convert all tabs to spaces
@@ -542,11 +560,11 @@ class CI_Input {
*
*/
$bad = array(
- 'document.cookie' => '',
- 'document.write' => '',
- 'window.location' => '',
- "javascript\s*:" => '',
- "Redirect\s+302" => '',
+ 'document.cookie' => '[removed]',
+ 'document.write' => '[removed]',
+ 'window.location' => '[removed]',
+ "javascript\s*:" => '[removed]',
+ "Redirect\s+302" => '[removed]',
'<!--' => '&lt;!--',
'-->' => '--&gt;'
);