summaryrefslogtreecommitdiffstats
path: root/system
diff options
context:
space:
mode:
Diffstat (limited to 'system')
-rw-r--r--system/core/Common.php37
-rw-r--r--system/database/drivers/mssql/mssql_driver.php5
-rw-r--r--system/database/drivers/oci8/oci8_driver.php5
-rw-r--r--system/database/drivers/odbc/odbc_driver.php5
-rw-r--r--system/libraries/Security.php42
5 files changed, 42 insertions, 52 deletions
diff --git a/system/core/Common.php b/system/core/Common.php
index 6e2f72509..9dee591e6 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -479,6 +479,43 @@
$_error->log_exception($severity, $message, $filepath, $line);
}
+ // --------------------------------------------------------------------
+
+ /**
+ * Remove Invisible Characters
+ *
+ * This prevents sandwiching null characters
+ * between ascii characters, like Java\0script.
+ *
+ * @access public
+ * @param string
+ * @return string
+ */
+ function remove_invisible_characters($str)
+ {
+ static $non_displayables;
+
+ if ( ! isset($non_displayables))
+ {
+ // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09),
+ $non_displayables = array(
+ '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
+ '/%1[0-9a-f]/', // url encoded 16-31
+ '/[\x00-\x08]/', // 00-08
+ '/\x0b/', '/\x0c/', // 11, 12
+ '/[\x0e-\x1f]/' // 14-31
+ );
+ }
+
+ do
+ {
+ $cleaned = $str;
+ $str = preg_replace($non_displayables, '', $str);
+ }
+ while ($cleaned != $str);
+
+ return $str;
+ }
/* End of file Common.php */
diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 0c74726a2..40900e832 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -260,12 +260,9 @@ class CI_DB_mssql_driver extends CI_DB {
return $str;
}
-
- // Access the CI object
- $CI =& get_instance();
// Escape single quotes
- $str = str_replace("'", "''", $CI->input->_remove_invisible_characters($str));
+ $str = str_replace("'", "''", remove_invisible_characters($str));
// escape LIKE condition wildcards
if ($like === TRUE)
diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index cd0e09577..6f317d2e6 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -403,10 +403,7 @@ class CI_DB_oci8_driver extends CI_DB {
return $str;
}
- // Access the CI object
- $CI =& get_instance();
-
- $str = $CI->input->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
// escape LIKE condition wildcards
if ($like === TRUE)
diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index d5df8ef8c..6e682313f 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -271,12 +271,9 @@ class CI_DB_odbc_driver extends CI_DB {
return $str;
}
-
- // Access the CI object
- $CI =& get_instance();
// ODBC doesn't require escaping
- $str = $CI->input->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
// escape LIKE condition wildcards
if ($like === TRUE)
diff --git a/system/libraries/Security.php b/system/libraries/Security.php
index 60adf0a27..cdae50168 100644
--- a/system/libraries/Security.php
+++ b/system/libraries/Security.php
@@ -198,7 +198,7 @@ class CI_Security {
/*
* Remove Invisible Characters
*/
- $str = $this->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
/*
* Protect GET variables in URLs
@@ -258,7 +258,7 @@ class CI_Security {
/*
* Remove Invisible Characters Again!
*/
- $str = $this->_remove_invisible_characters($str);
+ $str = remove_invisible_characters($str);
/*
* Convert all tabs to spaces
@@ -481,44 +481,6 @@ class CI_Security {
// --------------------------------------------------------------------
/**
- * Remove Invisible Characters
- *
- * This prevents sandwiching null characters
- * between ascii characters, like Java\0script.
- *
- * @access public
- * @param string
- * @return string
- */
- function _remove_invisible_characters($str)
- {
- static $non_displayables;
-
- if ( ! isset($non_displayables))
- {
- // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09),
- $non_displayables = array(
- '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
- '/%1[0-9a-f]/', // url encoded 16-31
- '/[\x00-\x08]/', // 00-08
- '/\x0b/', '/\x0c/', // 11, 12
- '/[\x0e-\x1f]/' // 14-31
- );
- }
-
- do
- {
- $cleaned = $str;
- $str = preg_replace($non_displayables, '', $str);
- }
- while ($cleaned != $str);
-
- return $str;
- }
-
- // --------------------------------------------------------------------
-
- /**
* Compact Exploded Words
*
* Callback function for xss_clean() to remove whitespace from