From 25ca23533e3efe59754145c91037fae171fb4862 Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Fri, 24 Jan 2014 18:46:29 +0200
Subject: CI_Security: Add 'form' and 'xlink:href' to evil attributes
---
 system/core/Security.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'system/core')
diff --git a/system/core/Security.php b/system/core/Security.php
index 32ecbbad3..40717c26d 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -662,7 +662,7 @@ class CI_Security {
 protected function _remove_evil_attributes($str, $is_image)
 {
 // Formaction, style, and xmlns
- $evil_attributes = array('style', 'xmlns', 'formaction');
+ $evil_attributes = array('style', 'xmlns', 'formaction', 'form', 'xlink:href');
 if ($is_image === TRUE)
 {
-- cgit v1.2.3-24-g4f1b
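Review bot: The comment directly above the changed line still reads `// Formaction, style, and xmlns`, so it no longer describes the list now that `form` and `xlink:href` are in it. I would replace it with something that also records why each name is stripped, e.g. `// style, xmlns, formaction, form, xlink:href: can restyle the page, re-target a form submission, or carry a script URI in SVG`. The body of `_remove_evil_attributes()` continues outside the hunk, so how these names are matched is not visible here. If they are joined into a pattern, it is worth confirming that the match is case-insensitive and adding a regression test for each new name. Because this is a denylist, the comment should also state that it is not exhaustive, so callers do not treat the filter as a complete HTML sanitizer.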