From 245038d6a5121f396b231d268d3ca5edac9c105a Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Thu, 15 May 2008 21:58:07 +0000
Subject: addition xss protection against certain data urls, stripping of anything sent with utf-7 encoding

---
 system/libraries/Input.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'system/libraries/Input.php')

diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index e6ac460b0..c1659ab8d 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -747,6 +747,16 @@ class CI_Input {
 *
 */
 $event_handlers = array('onblur','onchange','onclick','onfocus','onload','onmouseover','onmouseup','onmousedown','onselect','onsubmit','onunload','onkeypress','onkeydown','onkeyup','onresize', 'xmlns');
+
+ if ($is_image === TRUE)
+ {
+ /*
+ * Adobe Photoshop puts XML metadata into JFIF images, including namespacing,
+ * so we have to allow this for images. -Paul
+ */
+ unset($event_handlers[array_search('xmlns', $event_handlers)]);
+ }
+
 $str = preg_replace("#<([^>]+)(".implode('|', $event_handlers).")([^>]*)>#iU", "<\\1\\2\\3>", $str);
 
 /*
@@ -896,7 +906,7 @@ class CI_Input {
 */
 function _js_link_removal($match)
 {
- return preg_replace("#.*?#si", "", $match[0]);
+ return preg_replace("#.*?#si", "", $match[0]);
 }
 
 /**
@@ -913,7 +923,7 @@ class CI_Input {
 */
 function _js_img_removal($match)
 {
- return preg_replace("##si", "", $match[0]);
+ return preg_replace("##si", "", $match[0]);
 }
 
 // --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b
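Review bot: `unset($event_handlers[array_search('xmlns', $event_handlers)]);` in the new `$is_image` branch only works because 'xmlns' is hard-coded in the array one line above; if a later edit drops it from that list, array_search returns FALSE, PHP casts that to index 0, and the line silently removes 'onblur' from the event-handler filter instead of being a no-op. A form that cannot misfire is `$event_handlers = array_diff($event_handlers, array('xmlns'));`, which needs no index lookup. Because this branch deliberately narrows the filter, a one-line comment stating the scope would help later readers, e.g. `// Only image input is exempted from the xmlns check; all other input keeps the full list`. The enclosing method (presumably xss_clean) starts and ends outside the hunk, so where `$is_image` comes from cannot be confirmed here.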
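Review bot: In this rendering the removed and added lines of `_js_link_removal` (and of `_js_img_removal` in the following hunk) are byte-identical, `return preg_replace("#.*?#si", "", $match[0]);`, so the pattern change the subject describes cannot be reviewed from the page; the pattern bodies appear to have been stripped during extraction. Taken literally, a pattern of `#.*?#si` matches only the empty string and the replacement is a no-op, which is a reason to confirm the committed regexes against the repository rather than this page. Neither callback documents what its pattern is meant to strip, so a docblock line such as `// Removes anchor tags whose href carries the payloads listed in xss_clean(), including the data-URL cases this commit adds` on `_js_link_removal`, and the image-tag equivalent on `_js_img_removal`, would make future edits to these patterns checkable. Both callback bodies lie fully inside their hunks, but the class continues outside.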