From e475b1c9ed1b82b5f4a6a2c31267171f75a82406 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 15 Mar 2018 16:43:35 +0200 Subject: Merge pull request #5431 from CyberSecutor/develop Added parenthesis check around "document" elements and fixed non-existent document.window filter to window.document --- system/core/Security.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index 89a94c3dd..31926b466 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -134,7 +134,9 @@ class CI_Security { */ protected $_never_allowed_str = array( 'document.cookie' => '[removed]', + '(document).cookie' => '[removed]', 'document.write' => '[removed]', + '(document).write' => '[removed]', '.parentNode' => '[removed]', '.innerHTML' => '[removed]', '-moz-binding' => '[removed]', @@ -152,7 +154,7 @@ class CI_Security { */ protected $_never_allowed_regex = array( 'javascript\s*:', - '(document|(document\.)?window)\.(location|on\w*)', + '(\(?document\)?|\(?window\)?(\.document)?)\.(location|on\w*)', 'expression\s*(\(|&\#40;)', // CSS and IE 'vbscript\s*:', // IE, surprise! 'wscript\s*:', // IE @@ -861,7 +863,7 @@ class CI_Security { // For other tags, see if their attributes are "evil" and strip those elseif (isset($matches['attributes'])) { - // We'll store the already fitlered attributes here + // We'll store the already filtered attributes here $attributes = array(); // Attribute-catching pattern @@ -935,7 +937,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes($match[1]) ), @@ -963,7 +965,7 @@ class CI_Security { return str_replace( $match[1], preg_replace( - '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|_filter_attributes($match[1]) ), -- cgit v1.2.3-24-g4f1b