From e7a2aa09df05547211776bf493adb6da476f3858 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 18 Mar 2014 18:44:53 +0200 Subject: xss_clean() improvement Fixes this: https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37819186 --- system/core/Security.php | 8 ++++---- tests/codeigniter/core/Security_test.php | 6 ++++++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/system/core/Security.php b/system/core/Security.php index faa52d746..1dfea18f8 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -578,13 +578,13 @@ class CI_Security { do { - $m1 = $m2 = 0; + $str_compare = $str; - $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str, -1, $m1); - $str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str, -1, $m2); + $str = preg_replace('/(�*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str); + $str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str); $str = html_entity_decode($str, ENT_COMPAT, $charset); } - while ($m1 OR $m2); + while ($str_compare !== $str); return $str; } diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index 433ad313f..14e042ee2 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -71,6 +71,12 @@ class Security_test extends CI_TestCase { $this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_string); } + public function test_xss_clean_entity_double_encoded() + { + $input = 'Clickhere'; + $this->assertEquals('Clickhere', $this->security->xss_clean($input)); + } + // -------------------------------------------------------------------- public function test_xss_hash() -- cgit v1.2.3-24-g4f1b