From 46d2072e5ce0c13f3be2bd909d76eba37964740f Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Tue, 18 Mar 2014 23:08:59 +0200
Subject: More xss_clean() improvements

Issue described in https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37980030
+ a false positive
---
 system/core/Security.php                 | 4 ++--
 tests/codeigniter/core/Security_test.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index a4d8c95ef..17ba3bcd8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -454,7 +454,7 @@ class CI_Security {
 
 			if (preg_match('/<a/i', $str))
 			{
-				$str = preg_replace_callback('#<a[^a-z0-9]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
+				$str = preg_replace_callback('#<a[^a-z0-9>]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
 			}
 
 			if (preg_match('/<img/i', $str))
@@ -581,7 +581,7 @@ class CI_Security {
 			$str_compare = $str;
 
 			$str = preg_replace('/(&#x0*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str);
-			$str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str);
+			$str = preg_replace('/(&#0*\d{2,4})(?![0-9;])/S', '$1;', $str);
 			$str = html_entity_decode($str, ENT_COMPAT, $charset);
 		}
 		while ($str_compare !== $str);
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 14e042ee2..d4d6be4b5 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -74,7 +74,7 @@ class Security_test extends CI_TestCase {
 	public function test_xss_clean_entity_double_encoded()
 	{
 		$input = '<a href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>';
-		$this->assertEquals('<a 1>Clickhere</a>', $this->security->xss_clean($input));
+		$this->assertEquals('<a >Clickhere</a>', $this->security->xss_clean($input));
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b