From 3d204b63df199c7fb41d2602867ac3835776f40a Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 10 Mar 2018 02:40:22 +0200 Subject: [ci skip] Fix #5420 --- system/core/Security.php | 12 ++++++++++-- user_guide_src/source/changelog.rst | 1 + 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 6cdce5d98..89a94c3dd 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -542,6 +542,14 @@ class CI_Security { $str ); + // Same thing, but for "tag functions" (e.g. eval`some code`) + // See https://github.com/bcit-ci/CodeIgniter/issues/5420 + $str = preg_replace( + '#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)`(.*?)`#si', + '\\1\\2`\\3`', + $str + ); + // Final clean up // This adds a bit of extra precaution in case // something got through the above filters @@ -927,7 +935,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes($match[1]) ), @@ -955,7 +963,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes($match[1]) ), diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 4eaed24ec..37cd31d72 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -10,6 +10,7 @@ Release Date: Not Released - **Security** - Updated :doc:`URL Helper ` function :php:func:`auto_link()` to add ``rel="noopener"`` to generated links in order to prevent tab hijacking. + - Updated :doc:`Security Library ` method ``xss_clean()`` to also filter JavaScript tag functions. - General Changes -- cgit v1.2.3-24-g4f1b