From abc6006884658acb4e2302460f87e2f89a5a7e80 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 10 Sep 2015 16:36:22 +0300 Subject: Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 --- system/core/Security.php | 4 ++-- tests/codeigniter/core/Security_test.php | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 8ca66d297..e4bd327b5 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -787,11 +787,11 @@ class CI_Security { $count = $temp_count = 0; // replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - $str = preg_replace('/<([^>]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?]+((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=047))*[^>]*)(?]*)/is', '<$1[removed]', $str, -1, $temp_count); + $str = preg_replace('/<([^>]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?]*)/is', '<$1[removed]', $str, -1, $temp_count); $count += $temp_count; } while ($count); diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index 68b52247e..8e6d276fc 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -147,12 +147,12 @@ class Security_test extends CI_TestCase { $this->assertEquals('', $this->security->remove_evil_attributes('', FALSE)); $this->assertEquals('', $this->security->remove_evil_attributes('', FALSE)); $this->assertEquals( - '', - $this->security->remove_evil_attributes('', FALSE) + '\' [removed]>', + $this->security->remove_evil_attributes('\' onAfterGreaterThan="quotes">', FALSE) ); $this->assertEquals( - '', - $this->security->remove_evil_attributes('', FALSE) + '\' [removed]>', + $this->security->remove_evil_attributes('\' onAfterGreaterThan=noQuotes>', FALSE) ); } -- cgit v1.2.3-24-g4f1b