From 1bbc5644b0c306ff72dc1228b169db56902fc031 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Tue, 7 Jan 2014 12:45:27 +0200
Subject: Fix #2268 (manually implementing PR #2269)

---
 system/core/Security.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'system')

diff --git a/system/core/Security.php b/system/core/Security.php
index 9423f825c..0944fef92 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -117,7 +117,6 @@ class CI_Security {
 		'document.write'	=> '[removed]',
 		'.parentNode'		=> '[removed]',
 		'.innerHTML'		=> '[removed]',
-		'window.location'	=> '[removed]',
 		'-moz-binding'		=> '[removed]',
 		'<!--'				=> '&lt;!--',
 		'-->'				=> '--&gt;',
@@ -132,6 +131,7 @@ class CI_Security {
 	 */
 	protected $_never_allowed_regex = array(
 		'javascript\s*:',
+		'(document|(document\.)?window)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
 		'Redirect\s+302',
@@ -648,8 +648,8 @@ class CI_Security {
 	 */
 	protected function _remove_evil_attributes($str, $is_image)
 	{
-		// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
-		$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
+		// Formaction, style, and xmlns
+		$evil_attributes = array('style', 'xmlns', 'formaction');
 
 		if ($is_image === TRUE)
 		{
-- 
cgit v1.2.3-24-g4f1b