From 46e77e0d28cf6c057484df022a012e85de2f79b6 Mon Sep 17 00:00:00 2001
From: David Cox Jr <DaveMC08@gmail.com>
Date: Thu, 3 Oct 2013 16:56:04 -0400
Subject: partial fix #2667 this fixes the ability to replace a space with a /
 and skip the XSS filtering

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 70cf3e013..368e17dc3 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -603,7 +603,7 @@ class CI_Security {
 	 */
 	public function strip_image_tags($str)
 	{
-		return preg_replace(array('#<img\s+.*?src\s*=\s*["\'](.+?)["\'].*?\>#', '#<img\s+.*?src\s*=\s*(.+?).*?\>#'), '\\1', $str);
+		return preg_replace(array('#<img[\s/]+.*?src\s*=\s*["\'](.+?)["\'].*?\>#', '#<img[\s/]+.*?src\s*=\s*(.+?).*?\>#'), '\\1', $str);
 	}
 
 	// ----------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 3a3d5f6c2320a90436de241af41fe22df7344728 Mon Sep 17 00:00:00 2001
From: vlakoff <vlakoff@gmail.com>
Date: Thu, 17 Oct 2013 22:22:16 +0200
Subject: Replace the last rand() with mt_rand()

Better entropy, faster.
Also fixed a few "it's" typos.
---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 368e17dc3..6f5f5cb90 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -884,7 +884,7 @@ class CI_Security {
 	{
 		if ($this->_csrf_hash === '')
 		{
-			// If the cookie exists we will use it's value.
+			// If the cookie exists we will use its value.
 			// We don't necessarily want to regenerate it with
 			// each page load since a page could contain embedded
 			// sub-pages causing this feature to fail
@@ -894,7 +894,7 @@ class CI_Security {
 				return $this->_csrf_hash = $_COOKIE[$this->_csrf_cookie_name];
 			}
 
-			$this->_csrf_hash = md5(uniqid(rand(), TRUE));
+			$this->_csrf_hash = md5(uniqid(mt_rand(), TRUE));
 			$this->csrf_set_cookie();
 		}
 
-- 
cgit v1.2.3-24-g4f1b


From 3fa729d7092c814fe14e15d8d51789ce7907f2a8 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 18 Oct 2013 20:57:41 +0300
Subject: Fix issue #2681 (alternative to PR #2690)

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 6f5f5cb90..5c5c0efb6 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -553,9 +553,9 @@ class CI_Security {
 		{
 			$matches = $matches1 = 0;
 
+			$str = preg_replace('~(&#x0*[0-9a-f]{2,5});?~iS', $str, -1, $matches);
+			$str = preg_replace('~(&#\d{2,4});?~S', $str, -1, $matches1);
 			$str = html_entity_decode($str, ENT_COMPAT, $charset);
-			$str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches);
-			$str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1);
 		}
 		while ($matches OR $matches1);
 
-- 
cgit v1.2.3-24-g4f1b


From e08411d72226ba5b2f97b519051f78d978747e18 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 18 Oct 2013 21:13:56 +0300
Subject: Eh ... preg_replace() needs a replacement

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 5c5c0efb6..9423f825c 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -553,8 +553,8 @@ class CI_Security {
 		{
 			$matches = $matches1 = 0;
 
-			$str = preg_replace('~(&#x0*[0-9a-f]{2,5});?~iS', $str, -1, $matches);
-			$str = preg_replace('~(&#\d{2,4});?~S', $str, -1, $matches1);
+			$str = preg_replace('~(&#x0*[0-9a-f]{2,5});?~iS', '$1;', $str, -1, $matches);
+			$str = preg_replace('~(&#\d{2,4});?~S', '$1;', $str, -1, $matches1);
 			$str = html_entity_decode($str, ENT_COMPAT, $charset);
 		}
 		while ($matches OR $matches1);
-- 
cgit v1.2.3-24-g4f1b


From 1bbc5644b0c306ff72dc1228b169db56902fc031 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Tue, 7 Jan 2014 12:45:27 +0200
Subject: Fix #2268 (manually implementing PR #2269)

---
 system/core/Security.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 9423f825c..0944fef92 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -117,7 +117,6 @@ class CI_Security {
 		'document.write'	=> '[removed]',
 		'.parentNode'		=> '[removed]',
 		'.innerHTML'		=> '[removed]',
-		'window.location'	=> '[removed]',
 		'-moz-binding'		=> '[removed]',
 		'<!--'				=> '&lt;!--',
 		'-->'				=> '--&gt;',
@@ -132,6 +131,7 @@ class CI_Security {
 	 */
 	protected $_never_allowed_regex = array(
 		'javascript\s*:',
+		'(document|(document\.)?window)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
 		'Redirect\s+302',
@@ -648,8 +648,8 @@ class CI_Security {
 	 */
 	protected function _remove_evil_attributes($str, $is_image)
 	{
-		// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
-		$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
+		// Formaction, style, and xmlns
+		$evil_attributes = array('style', 'xmlns', 'formaction');
 
 		if ($is_image === TRUE)
 		{
-- 
cgit v1.2.3-24-g4f1b


From 99e2f8e2397ec4bf3ce5637d5a660a122aaa7b1b Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sun, 19 Jan 2014 00:04:44 +0200
Subject: Fix #2829

---
 system/core/Security.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 0944fef92..4c01da2b8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -551,13 +551,13 @@ class CI_Security {
 
 		do
 		{
-			$matches = $matches1 = 0;
+			$m1 = $m2 = 0;
 
-			$str = preg_replace('~(&#x0*[0-9a-f]{2,5});?~iS', '$1;', $str, -1, $matches);
-			$str = preg_replace('~(&#\d{2,4});?~S', '$1;', $str, -1, $matches1);
+			$str = preg_replace('/(&#x0*[0-9a-f]{2,5})(?![0-9a-f;])/iS', '$1;', $str, -1, $m1);
+			$str = preg_replace('/(&#\d{2,4})(?![0-9;])/S', '$1;', $str, -1, $m2);
 			$str = html_entity_decode($str, ENT_COMPAT, $charset);
 		}
-		while ($matches OR $matches1);
+		while ($m1 OR $m2);
 
 		return $str;
 	}
-- 
cgit v1.2.3-24-g4f1b


From 4d0571666d03511ac5b4a1f2a6882ccb1509a209 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 20 Jan 2014 11:17:34 +0200
Subject: Fix #2729

---
 system/core/Security.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 4c01da2b8..95957a3d8 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -837,14 +837,15 @@ class CI_Security {
 		 * Add a semicolon if missing.  We do this to enable
 		 * the conversion of entities to ASCII later.
 		 */
-		$str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str);
+		$str = preg_replace('/(&#\d{2,4})(?![0-9;])/', '$1;', $str);
+		$str = preg_replace('/(&[a-z]{2,})(?![a-z;])/i', '$1;', $str);
 
 		/*
 		 * Validate UTF16 two byte encoding (x00)
 		 *
 		 * Just as above, adds a semicolon if missing.
 		 */
-		$str = preg_replace('#(&\#x?)([0-9A-F]+);?#i', '\\1\\2;', $str);
+		$str = preg_replace('/(&#x0*[0-9a-f]{2,5})(?![0-9a-f;])/i', '$1;', $str);
 
 		/*
 		 * Un-Protect GET variables in URLs
-- 
cgit v1.2.3-24-g4f1b


From 4356806dc0298363217694d727db9cad84a073e0 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Tue, 21 Jan 2014 23:52:31 +0200
Subject: Add <button> to the list of 'naugthy' html elements in
 CI_Security::xss_clean()

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 95957a3d8..eb2695801 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -134,7 +134,7 @@ class CI_Security {
 		'(document|(document\.)?window)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
-		'Redirect\s+302',
+		'Redirect\s+30\d',
 		"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 	);
 
@@ -456,7 +456,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
-- 
cgit v1.2.3-24-g4f1b


From c67c3fbb8e16b1ffb79c72bb91db04fcb005b2b1 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Wed, 22 Jan 2014 13:26:00 +0200
Subject: CI_Security::_decode_entity() to replace dangerous HTML5 entities

Related to issue #2771
---
 system/core/Security.php | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index eb2695801..d6356f869 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -61,6 +61,17 @@ class CI_Security {
 		'%3d'		// =
 	);
 
+	/**
+	 * HTML5 entities
+	 *
+	 * @var	array
+	 */
+	public $html5_entities = array(
+		'&colon;'	=> ':',
+		'&lpar;'	=> '(',
+		'&rpar;'	=> ')'
+	);
+
 	/**
 	 * XSS Hash
 	 *
@@ -810,7 +821,14 @@ class CI_Security {
 	 */
 	protected function _decode_entity($match)
 	{
-		return $this->entity_decode($match[0], strtoupper(config_item('charset')));
+		// entity_decode() won't convert dangerous HTML5 entities
+		// (it could, but ENT_HTML5 is only available since PHP 5.4),
+		// so we'll do that here
+		return str_ireplace(
+			array_keys($this->html5_entities),
+			array_values($this->html5_entities),
+			$this->entity_decode($match[0], strtoupper(config_item('charset')))
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From d98cbb8bddda2f56dc1dc585a7f3a01fa9ed33c9 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 18:34:27 +0200
Subject: Add &newline; and &tab; to CI_Security::

---
 system/core/Security.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index d6356f869..32ecbbad3 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -69,7 +69,9 @@ class CI_Security {
 	public $html5_entities = array(
 		'&colon;'	=> ':',
 		'&lpar;'	=> '(',
-		'&rpar;'	=> ')'
+		'&rpar;'	=> ')',
+		'&newline;',	=> "\n",
+		'&tab;',	=> "\t"
 	);
 
 	/**
-- 
cgit v1.2.3-24-g4f1b


From 25ca23533e3efe59754145c91037fae171fb4862 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 18:46:29 +0200
Subject: CI_Security: Add 'form' and 'xlink:href' to evil attributes

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 32ecbbad3..40717c26d 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -662,7 +662,7 @@ class CI_Security {
 	protected function _remove_evil_attributes($str, $is_image)
 	{
 		// Formaction, style, and xmlns
-		$evil_attributes = array('style', 'xmlns', 'formaction');
+		$evil_attributes = array('style', 'xmlns', 'formaction', 'form', 'xlink:href');
 
 		if ($is_image === TRUE)
 		{
-- 
cgit v1.2.3-24-g4f1b


From ee7633c9f883513fa556240d60694f075d8dc056 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 18:47:20 +0200
Subject: Fix syntax errors

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 40717c26d..a753aa021 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -70,8 +70,8 @@ class CI_Security {
 		'&colon;'	=> ':',
 		'&lpar;'	=> '(',
 		'&rpar;'	=> ')',
-		'&newline;',	=> "\n",
-		'&tab;',	=> "\t"
+		'&newline;'	=> "\n",
+		'&tab;'		=> "\t"
 	);
 
 	/**
-- 
cgit v1.2.3-24-g4f1b


From c715b22eb153aa702b07a158357ee2b13a24cf67 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 19:11:31 +0200
Subject: CI_Security: Add <select> and <keygen> tags to the list of 'naughty'
 HTML elements

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index a753aa021..e08572525 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -469,7 +469,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
-- 
cgit v1.2.3-24-g4f1b


From c53a1784d742f1ade62161fcdb913da8e33c0c5c Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 24 Jan 2014 19:32:48 +0200
Subject: CI_Security: Also add <svg> to 'naughty' HTML elements

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index e08572525..49e5ab411 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -469,7 +469,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|svg|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
-- 
cgit v1.2.3-24-g4f1b


From 12445caa95a62842f726212aaa09f897f9018f11 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 25 Jan 2014 01:55:52 +0200
Subject: Partially fix #2667

---
 system/core/Security.php | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 49e5ab411..95f65e579 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -433,6 +433,12 @@ class CI_Security {
 		 * We used to do some version comparisons and use of stripos for PHP5,
 		 * but it is dog slow compared to these simplified non-capturing
 		 * preg_match(), especially if the pattern exists in the string
+		 *
+		 * Note: It was reported that not only space characters, but all in
+		 * the following pattern can be parsed as separators between a tag name
+		 * and its attributes: [\d\s"\'`;,\/\=\(\x00\x0B\x09\x0C]
+		 * ... however, remove_invisible_characters() above already strips the
+		 * hex-encoded ones, so we'll skip them below.
 		 */
 		do
 		{
@@ -440,12 +446,12 @@ class CI_Security {
 
 			if (preg_match('/<a/i', $str))
 			{
-				$str = preg_replace_callback('#<a\s+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
+				$str = preg_replace_callback('#<a[\s\d"\'`;/=,\(]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
 			}
 
 			if (preg_match('/<img/i', $str))
 			{
-				$str = preg_replace_callback('#<img\s+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
+				$str = preg_replace_callback('#<img[\s\d"\'`;/=,\(]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
 			}
 
 			if (preg_match('/script|xss/i', $str))
-- 
cgit v1.2.3-24-g4f1b


From adf3bde5f8a196013acc615e5bfeedd0ef6417b8 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 25 Jan 2014 16:59:17 +0200
Subject: Re-add 'on\w*' to evil attributes (rel #2667)

---
 system/core/Security.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 95f65e579..93613cc78 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -667,8 +667,7 @@ class CI_Security {
 	 */
 	protected function _remove_evil_attributes($str, $is_image)
 	{
-		// Formaction, style, and xmlns
-		$evil_attributes = array('style', 'xmlns', 'formaction', 'form', 'xlink:href');
+		$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction', 'form', 'xlink:href');
 
 		if ($is_image === TRUE)
 		{
-- 
cgit v1.2.3-24-g4f1b


From b69103e8ab0c646d01f5e97ef6a255293de1e60e Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 25 Jan 2014 19:23:47 +0200
Subject: Fix CI_Security::_remove_evil_attributes() being way too aggressive

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 93613cc78..15cb37620 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -683,7 +683,7 @@ class CI_Security {
 			$attribs = array();
 
 			// find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
-			preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
+			preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
 
 			foreach ($matches as $attr)
 			{
@@ -691,7 +691,7 @@ class CI_Security {
 			}
 
 			// find occurrences of illegal attribute strings without quotes
-			preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
+			preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
 
 			foreach ($matches as $attr)
 			{
-- 
cgit v1.2.3-24-g4f1b


From dbd999f33374f6541f167e3d77a3e80a991b301a Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 25 Jan 2014 22:55:21 +0200
Subject: Previous commit caused side effects ...

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 15cb37620..8acab01fc 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -683,7 +683,7 @@ class CI_Security {
 			$attribs = array();
 
 			// find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
-			preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
+			preg_match_all('/(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
 
 			foreach ($matches as $attr)
 			{
@@ -691,7 +691,7 @@ class CI_Security {
 			}
 
 			// find occurrences of illegal attribute strings without quotes
-			preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
+			preg_match_all('/(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
 
 			foreach ($matches as $attr)
 			{
-- 
cgit v1.2.3-24-g4f1b


From 505431ab4873e071ceabffdc1a8ce363c0c8dcbc Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 25 Jan 2014 22:56:49 +0200
Subject: Add <math> to 'naughty' HTML elements

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 8acab01fc..cbff38b30 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -475,7 +475,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|video|svg|xml|xss';
+		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
-- 
cgit v1.2.3-24-g4f1b


From a30a717e15895631cafe232b13777870a693742d Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 10 Feb 2014 09:17:25 +0200
Subject: CI_Security: Filter jscript, wscript, vbs, confirm, prompt the same
 way as javascript, alert

---
 system/core/Security.php | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index cbff38b30..93e6a3ba5 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -147,6 +147,9 @@ class CI_Security {
 		'(document|(document\.)?window)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
+		'wscript\s*:', // IE
+		'jcript\s*:', // IE
+		'vbs\s*:', // IE
 		'Redirect\s+30\d',
 		"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 	);
@@ -415,8 +418,9 @@ class CI_Security {
 		 * These words are compacted back to their correct state.
 		 */
 		$words = array(
-			'javascript', 'expression', 'vbscript', 'script', 'base64',
-			'applet', 'alert', 'document', 'write', 'cookie', 'window'
+			'javascript', 'expression', 'vbscript', 'jscript', 'wscript',
+			'vbs', 'script', 'base64', 'applet', 'alert', 'document',
+			'write', 'cookie', 'window', 'confirm', 'prompt'
 		);
 
 		foreach ($words as $word)
@@ -475,7 +479,7 @@ class CI_Security {
 		 * So this: <blink>
 		 * Becomes: &lt;blink&gt;
 		 */
-		$naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss';
+		$naughty = 'alert|prompt|confirm|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|button|select|isindex|layer|link|meta|keygen|object|plaintext|style|script|textarea|title|math|video|svg|xml|xss';
 		$str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str);
 
 		/*
@@ -490,7 +494,7 @@ class CI_Security {
 		 * For example:	eval('some code')
 		 * Becomes:	eval&#40;'some code'&#41;
 		 */
-		$str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si',
+		$str = preg_replace('#(alert|prompt|confirm|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si',
 					'\\1\\2&#40;\\3&#41;',
 					$str);
 
@@ -745,7 +749,7 @@ class CI_Security {
 	protected function _js_link_removal($match)
 	{
 		return str_replace($match[1],
-					preg_replace('#href=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
+					preg_replace('#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
 							'',
 							$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
 					),
@@ -770,7 +774,7 @@ class CI_Security {
 	protected function _js_img_removal($match)
 	{
 		return str_replace($match[1],
-					preg_replace('#src=.*?(?:alert\(|alert&\#40;|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
+					preg_replace('#src=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
 							'',
 							$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
 					),
-- 
cgit v1.2.3-24-g4f1b


From 3b9990c43f0951674b1c8bc1dd05ac0419f1e63c Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 10 Feb 2014 09:23:26 +0200
Subject: CI_Security: Expect a backslash as a tag separator

---
 system/core/Security.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 93e6a3ba5..062c828a7 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -450,12 +450,12 @@ class CI_Security {
 
 			if (preg_match('/<a/i', $str))
 			{
-				$str = preg_replace_callback('#<a[\s\d"\'`;/=,\(]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
+				$str = preg_replace_callback('#<a[\s\d"\'`;/=,\(\\\\]+([^>]*?)(?:>|$)#si', array($this, '_js_link_removal'), $str);
 			}
 
 			if (preg_match('/<img/i', $str))
 			{
-				$str = preg_replace_callback('#<img[\s\d"\'`;/=,\(]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
+				$str = preg_replace_callback('#<img[\s\d"\'`;/=,\(\\\\]+([^>]*?)(?:\s?/?>|$)#si', array($this, '_js_img_removal'), $str);
 			}
 
 			if (preg_match('/script|xss/i', $str))
-- 
cgit v1.2.3-24-g4f1b


From f7f9dca050eb439028797a62eb2d4cac89daf5c5 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 10 Feb 2014 12:41:00 +0200
Subject: [ci skip] Fix a typo

---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 062c828a7..75c994ae1 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -148,7 +148,7 @@ class CI_Security {
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
 		'wscript\s*:', // IE
-		'jcript\s*:', // IE
+		'jscript\s*:', // IE
 		'vbs\s*:', // IE
 		'Redirect\s+30\d',
 		"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
-- 
cgit v1.2.3-24-g4f1b


From 29e12641a1bb952f493462db6757ae12c7da1f2c Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 10 Feb 2014 13:24:44 +0200
Subject: CI_Security: URL-decode until possible

---
 system/core/Security.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index 75c994ae1..beb7f56e0 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -359,7 +359,11 @@ class CI_Security {
 		 *
 		 * Note: Use rawurldecode() so it does not remove plus signs
 		 */
-		$str = rawurldecode($str);
+		do
+		{
+			$str = rawurldecode($str);
+		}
+		while (preg_match('/%[0-9a-f]{2,}/i', $str));
 
 		/*
 		 * Convert character entities to ASCII
-- 
cgit v1.2.3-24-g4f1b


From 871754af60251993d640981e107d2def5f2db396 Mon Sep 17 00:00:00 2001
From: darwinel <kmorssink@gmail.com>
Date: Tue, 11 Feb 2014 17:34:57 +0100
Subject: 2013 > 2014

Update copyright notices from 2013 to 2014.
And update one calendar example in user_guide from year 2013/2014 to
2014/2015.
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'system/core/Security.php')

diff --git a/system/core/Security.php b/system/core/Security.php
index beb7f56e0..faa52d746 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -18,7 +18,7 @@
  *
  * @package		CodeIgniter
  * @author		EllisLab Dev Team
- * @copyright	Copyright (c) 2008 - 2013, EllisLab, Inc. (http://ellislab.com/)
+ * @copyright	Copyright (c) 2008 - 2014, EllisLab, Inc. (http://ellislab.com/)
  * @license		http://opensource.org/licenses/OSL-3.0 Open Software License (OSL 3.0)
  * @link		http://codeigniter.com
  * @since		Version 1.0
-- 
cgit v1.2.3-24-g4f1b