From ab32a428c572f859010e990e621df4f34b9dc606 Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Mon, 4 Feb 2008 22:02:11 +0000
Subject: changed URL decoding implementation of xss_clean() to use rawurldecode() to discontinue misconversion of characters to bad entities, and to continue avoidance of unwanted removal of + signs
---
 system/libraries/Input.php | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
(limited to 'system/libraries/Input.php')
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 1874b3790..5832d2d80 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -556,14 +556,11 @@ class CI_Input {
 *
 * Google
 *
- * Note: Normally urldecode() would be easier but it removes plus signs
+ * Note: Use rawurldecode() so it does not remove plus signs
 *
 */
- $str = preg_replace("/(%20)+/", '9u3iovBnRThju941s89rKozm', $str);
- $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
- $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
- $str = str_replace('9u3iovBnRThju941s89rKozm', "%20", $str);
-
+ $str = rawurldecode($str);
+
 /*
 * Convert character entities to ASCII
 *
-- cgit v1.2.3-24-g4f1b
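Review bot: The new `$str = rawurldecode($str);` no longer covers the `%u0XXX` form that the removed `$str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);` line converted to an entity, because rawurldecode() only decodes `%XX` sequences; that form presumably now reaches the later "Convert character entities to ASCII" step and the rest of the filter undecoded, which narrows what xss_clean() normalises and the commit message does not mention it. If dropping that case is intentional, the comment block should say so; otherwise keep that single preg_replace line ahead of the rawurldecode() call. The comment `* Note: Use rawurldecode() so it does not remove plus signs` is also imprecise, since the difference is that urldecode() turns `+` into a space; `* Note: rawurldecode() is used instead of urldecode() because urldecode() also converts '+' to a space` states the actual reason. xss_clean() begins and ends outside this hunk.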