From b69103e8ab0c646d01f5e97ef6a255293de1e60e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 25 Jan 2014 19:23:47 +0200 Subject: Fix CI_Security::_remove_evil_attributes() being way too aggressive --- system/core/Security.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'system/core/Security.php') diff --git a/system/core/Security.php b/system/core/Security.php index 93613cc78..15cb37620 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -683,7 +683,7 @@ class CI_Security { $attribs = array(); // find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes) - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { @@ -691,7 +691,7 @@ class CI_Security { } // find occurrences of illegal attribute strings without quotes - preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); + preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER); foreach ($matches as $attr) { -- cgit v1.2.3-24-g4f1b