From e8e18fe1659c036c5419b674c7992fff24c0ea27 Mon Sep 17 00:00:00 2001
From: Derek Jones
Date: Mon, 30 Jun 2008 23:27:31 +0000
Subject: Changed regex for onfoo event handlers to prevent unwanted matching of text such as locatiON, cONtent, etc.

---
 system/libraries/Input.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'system/libraries/Input.php')

diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 4d2e9e298..ac6b864e9 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -705,7 +705,7 @@ class CI_Input {
 * but it's unlikely to be a problem.
 *
 */
- $event_handlers = array('on\w*','xmlns');
+ $event_handlers = array('[^a-z]on\w*','xmlns');
 
 if ($is_image === TRUE)
 {
@@ -715,9 +715,9 @@ class CI_Input {
 */
 unset($event_handlers[array_search('xmlns', $event_handlers)]);
 }
-
- $str = preg_replace("#<([^><]+)(".implode('|', $event_handlers).")(\s*=\s*[^><]*)([><]*)#i", "<\\1\\4", $str);
-
+
+ $str = preg_replace("#<([^><]+?)(".implode('|', $event_handlers).")(\s*=\s*[^><]*)([><]*)#i", "<\\1\\4", $str);
+
 /*
 * Sanitize naughty HTML elements
 *
-- 
cgit v1.2.3-24-g4f1b
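Review bot: The new `[^a-z]` prefix on the `on\w*` entry in `$event_handlers` is doing real work that the comment block ending just above it does not explain: it only covers `ON`/`On` because the preg_replace in the second hunk carries the `i` flag, and since the class sits inside capture group 2 the delimiter before `on` is deleted together with the handler. It also counts digits, `-` and `_` as delimiters, so a custom attribute such as `data-onload="x"` is stripped too; that is over-matching rather than a bypass, but a maintainer should know it is deliberate. I would add above the array: `// [^a-z] (with /i) demands a non-letter before "on" so names like "location" no longer match;` followed by `// keep quotes and "/" in the class: browsers begin a new attribute name right after them.` The `xmlns` alternative keeps no such boundary, which is harmless but inconsistent. The enclosing method starts and ends outside both hunks.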
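Review bot: The lazy `+?` in the first capture group of the preg_replace changes which handler a match anchors on, and that effect is security-relevant yet unrecorded by the commit message: with the old greedy `[^><]+`, an input like `<a onclick=x onmouseover=y>` backtracked to the last handler and left `onclick=x` in the output of this single pass (unless something outside the hunk re-runs the replacement), whereas the new form anchors on the first handler and `[^><]*` then consumes up to the closing `>`, so every later attribute, handler or not, is dropped with it. I would say so on the line itself: `// Lazy +? anchors on the first handler in the tag; [^><]* then eats the rest of the tag,` followed by `// so a single pass removes every later attribute as well (there is no re-scan loop).` A regression test feeding that two-handler input and expecting `<a>` would pin the behaviour. Note that `[^><]*` also stops at a literal `>` inside a quoted value, leaving the tail of that value as plain text after the tag; the handler itself is still removed, so this is cosmetic. The enclosing method continues outside the hunk.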