From 4562f2cbb3e5346c6e341516a31ca87dfa47bafd Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@bofh.bg>
Date: Mon, 9 Jan 2012 23:39:50 +0200
Subject: Some more stuff ...

---
 system/core/Security.php | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index d7881d846..1007f61f4 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -153,20 +153,13 @@ class CI_Security {
 		}
 
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
-		if ( ! isset($_POST[$this->_csrf_token_name]) OR
-			 ! isset($_COOKIE[$this->_csrf_cookie_name]))
+		if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name])
+			OR $_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match?
 		{
 			$this->csrf_show_error();
 		}
 
-		// Do the tokens match?
-		if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
-		{
-			$this->csrf_show_error();
-		}
-
-		// We kill this since we're done and we don't want to
-		// polute the _POST array
+		// We kill this since we're done and we don't want to polute the _POST array
 		unset($_POST[$this->_csrf_token_name]);
 
 		// Regenerate on every submission?
@@ -308,10 +301,9 @@ class CI_Security {
 		 * This permits our tests below to work reliably.
 		 * We only convert entities that are within tags since
 		 * these are the ones that will pose security problems.
-		 *
 		 */
 		$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
-		$str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str);
+		$str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str);
 
 		// Remove Invisible Characters Again!
 		$str = remove_invisible_characters($str);
@@ -326,9 +318,7 @@ class CI_Security {
 		 */
 		$str = str_replace("\t", ' ', $str);
 
-		/*
-		 * Capture converted string for later comparison
-		 */
+		// Capture converted string for later comparison
 		$converted_string = $str;
 
 		// Remove Strings that are never allowed
@@ -720,12 +710,11 @@ class CI_Security {
 	protected function _filter_attributes($str)
 	{
 		$out = '';
-
 		if (preg_match_all('#\s*[a-z\-]+\s*=\s*(\042|\047)([^\\1]*?)\\1#is', $str, $matches))
 		{
 			foreach ($matches[0] as $match)
 			{
-				$out .= preg_replace("#/\*.*?\*/#s", '', $match);
+				$out .= preg_replace('#/\*.*?\*/#s', '', $match);
 			}
 		}
 
-- 
cgit v1.2.3-24-g4f1b