From d98cbb8bddda2f56dc1dc585a7f3a01fa9ed33c9 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 18:34:27 +0200
Subject: Add &newline; and &tab; to CI_Security::

---
 system/core/Security.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index d6356f869..32ecbbad3 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -69,7 +69,9 @@ class CI_Security {
 	public $html5_entities = array(
 		'&colon;'	=> ':',
 		'&lpar;'	=> '(',
-		'&rpar;'	=> ')'
+		'&rpar;'	=> ')',
+		'&newline;',	=> "\n",
+		'&tab;',	=> "\t"
 	);
 
 	/**
-- 
cgit v1.2.3-24-g4f1b


From 25ca23533e3efe59754145c91037fae171fb4862 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 18:46:29 +0200
Subject: CI_Security: Add 'form' and 'xlink:href' to evil attributes

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index 32ecbbad3..40717c26d 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -662,7 +662,7 @@ class CI_Security {
 	protected function _remove_evil_attributes($str, $is_image)
 	{
 		// Formaction, style, and xmlns
-		$evil_attributes = array('style', 'xmlns', 'formaction');
+		$evil_attributes = array('style', 'xmlns', 'formaction', 'form', 'xlink:href');
 
 		if ($is_image === TRUE)
 		{
-- 
cgit v1.2.3-24-g4f1b


From ee7633c9f883513fa556240d60694f075d8dc056 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 18:47:20 +0200
Subject: Fix syntax errors

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index 40717c26d..a753aa021 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -70,8 +70,8 @@ class CI_Security {
 		'&colon;'	=> ':',
 		'&lpar;'	=> '(',
 		'&rpar;'	=> ')',
-		'&newline;',	=> "\n",
-		'&tab;',	=> "\t"
+		'&newline;'	=> "\n",
+		'&tab;'		=> "\t"
 	);
 
 	/**
-- 
cgit v1.2.3-24-g4f1b


From c715b22eb153aa702b07a158357ee2b13a24cf67 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 19:11:31 +0200
Subject: CI_Security: Add <select> and <keygen> tags to the list of 'naughty'
 HTML elements

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index a753aa021..e08572525 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -469,7 +469,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
-- 
cgit v1.2.3-24-g4f1b


From c53a1784d742f1ade62161fcdb913da8e33c0c5c Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 19:32:48 +0200
Subject: CI_Security: Also add <svg> to 'naughty' HTML elements

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index e08572525..49e5ab411 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -469,7 +469,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|svg|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
-- 
cgit v1.2.3-24-g4f1b


From 2b284f9b171ba0e0886db15772a6a62e9155f74f Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 25 Jan 2014 00:25:56 +0200
Subject: [ci skip] Add a link to PHP bug 54709 in is_really_writable()'s
 docblock

---
 system/core/Common.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/system/core/Common.php b/system/core/Common.php
index 00e303098..cfc63c2aa 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -76,6 +76,7 @@ if ( ! function_exists('is_really_writable'))
 	 * the file, based on the read-only attribute. is_writable() is also unreliable
 	 * on Unix servers if safe_mode is on.
 	 *
+	 * @link	https://bugs.php.net/bug.php?id=54709
 	 * @param	string
 	 * @return	void
 	 */
-- 
cgit v1.2.3-24-g4f1b