From f50fc73cf63136b720c2bd247175f236d5b27eaa Mon Sep 17 00:00:00 2001
From: brian978 <dbrian89@yahoo.com>
Date: Sat, 8 Dec 2012 23:22:26 +0200
Subject: All the HEX code must be replaced or else some XSS attacks can be
 successful

---
 system/core/Security.php | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index 4f2185db5..220188edc 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -526,9 +526,17 @@ class CI_Security {
 			$charset = config_item('charset');
 		}
 
-		$str = html_entity_decode($str, ENT_COMPAT, $charset);
-		$str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
-		return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
+                do
+                {
+                    $matches = $matches1 = 0;
+                    
+                    $str = html_entity_decode($str, ENT_COMPAT, $charset);
+                    $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches);
+                    $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1);
+                }
+                while($matches || $matches1);
+
+                return $str;
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 0a83fcc748ef29e644bf9e8cac4d7dd9a7408d5f Mon Sep 17 00:00:00 2001
From: brian978 <dbrian89@yahoo.com>
Date: Mon, 10 Dec 2012 13:05:06 +0200
Subject: Fixed bug with regexp that matched tags

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/core/Security.php b/system/core/Security.php
index 220188edc..635f9ff31 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -329,7 +329,7 @@ class CI_Security {
 		 * these are the ones that will pose security problems.
 		 */
 		$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
-		$str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str);
+		$str = preg_replace_callback('/<\w+.*?=.*?>\b/si', array($this, '_decode_entity'), $str);
 
 		// Remove Invisible Characters Again!
 		$str = remove_invisible_characters($str);
-- 
cgit v1.2.3-24-g4f1b