From cbde3f032de0f02fb28a5502a32c30626119716e Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Thu, 14 Aug 2008 22:13:05 +0000
Subject: changed entity standardization to require at least two characters after an ampersand before forcing a semi-colon
---
 system/libraries/Input.php | 2 +-
 user_guide/changelog.html | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 24c6c1967..ff1dd9b15 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -547,7 +547,7 @@ class CI_Input {
 * the conversion of entities to ASCII later.
 *
 */
- $str = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $str);
+ $str = preg_replace('#(&\#?[0-9a-z]{2,})[\x00-\x20]*;?#i', "\\1;", $str);
 
 /*
 * Validate UTF16 two byte encoding (x00)
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index d317bbf81..b729c6a99 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -86,6 +86,7 @@ SVN Revision: XXXX
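Review bot: The new `{2,}` minimum on the `+` line of the Input.php hunk also covers the numeric-reference branch (`\#?`), so a single-digit reference such as `&#9` written without a semicolon is no longer terminated by this step, although the changelog entry only aims to leave `&[single letter]` text like `M&M` alone. Whether the "Validate UTF16" step that begins in the trailing context catches those references is not visible here, because the enclosing CI_Input method starts and ends outside the hunk. Since this runs as part of XSS sanitization, it would be safer to apply the two-character minimum to named entities only, e.g. `$str = preg_replace('#(&(?:\#[0-9a-z]+|[0-9a-z]{2,}))[\x00-\x20]*;?#i', "\\1;", $str);`. A regression test covering both `B&B` (left unchanged) and an unterminated one-digit numeric reference (semicolon added) would pin the intended behaviour.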

  • Fixed assorted user guide typos or examples (#4840, #4862, #4864, #4899, #4930, #5006).
  • Fixed an edit from 1.6.3 that made the $robots array in user_agents.php go poof.
  • Fixed a bug in the Email library with quoted-printable encoding improperly encoding space and tab characters.
  • +
  • Modified XSS sanitization to no longer add semicolons after &[single letter], such as in M&M's, B&B, etc.
  • Version 1.6.3

    -- cgit v1.2.3-24-g4f1b