From f50fc73cf63136b720c2bd247175f236d5b27eaa Mon Sep 17 00:00:00 2001 From: brian978 Date: Sat, 8 Dec 2012 23:22:26 +0200 Subject: All the HEX code must be replaced or else some XSS attacks can be successful --- system/core/Security.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 4f2185db5..220188edc 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -526,9 +526,17 @@ class CI_Security { $charset = config_item('charset'); } - $str = html_entity_decode($str, ENT_COMPAT, $charset); - $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str); - return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str); + do + { + $matches = $matches1 = 0; + + $str = html_entity_decode($str, ENT_COMPAT, $charset); + $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str, -1, $matches); + $str = preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str, -1, $matches1); + } + while($matches || $matches1); + + return $str; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b From 0a83fcc748ef29e644bf9e8cac4d7dd9a7408d5f Mon Sep 17 00:00:00 2001 From: brian978 Date: Mon, 10 Dec 2012 13:05:06 +0200 Subject: Fixed bug with regexp that matched tags --- system/core/Security.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'system') diff --git a/system/core/Security.php b/system/core/Security.php index 220188edc..635f9ff31 100644 --- a/system/core/Security.php +++ b/system/core/Security.php @@ -329,7 +329,7 @@ class CI_Security { * these are the ones that will pose security problems. */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - $str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str); + $str = preg_replace_callback('/<\w+.*?=.*?>\b/si', array($this, '_decode_entity'), $str); // Remove Invisible Characters Again! $str = remove_invisible_characters($str); -- cgit v1.2.3-24-g4f1b