From 40a7c6805f4a65605963f10dc2db0fc748710779 Mon Sep 17 00:00:00 2001 From: paulburdick Date: Sat, 13 Jan 2007 00:03:37 +0000 Subject: --- system/libraries/Input.php | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/system/libraries/Input.php b/system/libraries/Input.php index 801762073..4fd2061c7 100644 --- a/system/libraries/Input.php +++ b/system/libraries/Input.php @@ -366,14 +366,14 @@ class CI_Input { * XSS Clean * * Sanitizes data so that Cross Site Scripting Hacks can be - * prevented.Ê This function does a fair amount of work but + * prevented.  This function does a fair amount of work but * it is extremely thorough, designed to prevent even the - * most obscure XSS attempts.Ê Nothing is ever 100% foolproof, + * most obscure XSS attempts.  Nothing is ever 100% foolproof, * of course, but I haven't been able to get anything passed * the filter. * * Note: This function should only be used to deal with data - * upon submission.Ê It's not something that should + * upon submission.  It's not something that should * be used for general runtime processing. * * This function was based in part on some code and ideas I @@ -447,6 +447,24 @@ class CI_Input { $str); } } + + /* + * Not Allowed Under Any Conditions + */ + $bad = array( + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + 'window.location' => '[removed]', + "javascript\s*:" => '[removed]', + "Redirect\s+302" => '[removed]', + '' => '-->' + ); + + foreach ($bad as $key => $val) + { + $str = preg_replace("#".$key."#i", $val, $str); + } /* * Convert all tabs to spaces @@ -542,11 +560,11 @@ class CI_Input { * */ $bad = array( - 'document.cookie' => '', - 'document.write' => '', - 'window.location' => '', - "javascript\s*:" => '', - "Redirect\s+302" => '', + 'document.cookie' => '[removed]', + 'document.write' => '[removed]', + 'window.location' => '[removed]', + "javascript\s*:" => '[removed]', + "Redirect\s+302" => '[removed]', '' => '-->' ); -- cgit v1.2.3-24-g4f1b