From 249580e711d42fe966e52d7bcc0f349ba99a94a3 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 2 Oct 2015 16:44:05 +0300
Subject: More XSS stuff

---
 system/core/Security.php                 | 2 +-
 tests/codeigniter/core/Security_test.php | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index 0cae23a79..27471d98e 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -808,7 +808,7 @@ class CI_Security {
 				.'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons
 				.'(?<name>[^\s\042\047>/=]+)' // attribute characters
 				// optional attribute-value
-				.'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator
+				.'(?:\s*=(?:[^\s\042\047=><`]+|\s*\042[^\042]+\042|\s*\047[^\047]+\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator
 				.'#i';
 
 			if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index ca111c3bf..b093393af 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -162,7 +162,7 @@ class Security_test extends CI_TestCase {
 	{
 		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">'));
 		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
-		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
+		$this->assertEquals('<foo [removed]bar>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
 		$this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">'));
 		$this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>'));
 		$this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
@@ -207,6 +207,11 @@ class Security_test extends CI_TestCase {
 			'<image src="<>" [removed]>',
 			$this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
 		);
+
+		$this->assertEquals(
+			'<b "=<=  [removed]>',
+			$this->security->xss_clean('<b "=<= onmouseover=alert(1)>')
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b