From c67c3fbb8e16b1ffb79c72bb91db04fcb005b2b1 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Wed, 22 Jan 2014 13:26:00 +0200
Subject: CI_Security::_decode_entity() to replace dangerous HTML5 entities

Related to issue #2771
---
 system/core/Security.php | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

(limited to 'system')

diff --git a/system/core/Security.php b/system/core/Security.php
index eb2695801..d6356f869 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -61,6 +61,17 @@ class CI_Security {
 		'%3d'		// =
 	);
 
+	/**
+	 * HTML5 entities
+	 *
+	 * @var	array
+	 */
+	public $html5_entities = array(
+		'&colon;'	=> ':',
+		'&lpar;'	=> '(',
+		'&rpar;'	=> ')'
+	);
+
 	/**
 	 * XSS Hash
 	 *
@@ -810,7 +821,14 @@ class CI_Security {
 	 */
 	protected function _decode_entity($match)
 	{
-		return $this->entity_decode($match[0], strtoupper(config_item('charset')));
+		// entity_decode() won't convert dangerous HTML5 entities
+		// (it could, but ENT_HTML5 is only available since PHP 5.4),
+		// so we'll do that here
+		return str_ireplace(
+			array_keys($this->html5_entities),
+			array_values($this->html5_entities),
+			$this->entity_decode($match[0], strtoupper(config_item('charset')))
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b