From 088e57db3808f78ee89def94c6ce95b571a88427 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 17 Sep 2015 15:55:57 +0300 Subject: Don't allow open-ended tags to pass through xss_clean() This was a regression caused by the previous commit --- system/core/Security.php | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'system/core') diff --git a/system/core/Security.php b/system/core/Security.php index 08cfcbe8f..a30613386 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -492,7 +492,7 @@ class CI_Security { * Becomes: <blink> */ $pattern = '#' - .'<((?/*\s*)(?[a-z0-9]+)(?=[^a-z0-9])' // tag start and name, followed by a non-tag character + .'<((?/*\s*)(?[a-z0-9]+)(?=[^a-z0-9]|$)' // tag start and name, followed by a non-tag character .'[^\s\042\047a-z0-9>/=]*' // a valid attribute character immediately after the tag would count as a separator // optional attributes .'(?(?:[\s\042\047/=]*' // non-attribute characters, excluding > (tag close) for obvious reasons @@ -502,7 +502,7 @@ class CI_Security { .'(?:\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value .')?' // end optional attribute-value group .')*)' // end optional attributes group - .'[^>]*)>#isS'; + .'[^>]*)(?\>)?#isS'; // Note: It would be nice to optimize this for speed, BUT // only matching the naughty elements here results in @@ -790,8 +790,13 @@ class CI_Security { 'on\w+', 'style', 'xmlns', 'formaction', 'form', 'xlink:href', 'FSCommand', 'seekSegmentTime' ); + // First, escape unclosed tags + if (empty($matches['closeTag'])) + { + return '<'.$matches[1]; + } // Is the element that we caught naughty? If so, escape it - if (in_array(strtolower($matches['tagName']), $naughty_tags, TRUE)) + elseif (in_array(strtolower($matches['tagName']), $naughty_tags, TRUE)) { return '<'.$matches[1].'>'; } @@ -827,7 +832,7 @@ class CI_Security { // Note: This will strip some non-space characters and/or // reduce multiple spaces between attributes. - return '<'.$matches['closeTag'].$matches['tagName'].' '.trim($matches['attributes']).'>'; + return '<'.$matches['slash'].$matches['tagName'].' '.trim($matches['attributes']).'>'; } } -- cgit v1.2.3-24-g4f1b