From 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 10 Sep 2015 12:44:50 +0300
Subject: Fix #4106

---
 tests/codeigniter/core/Security_test.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index bab76dffb..52bb296ad 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -146,6 +146,14 @@ class Security_test extends CI_TestCase {
 		$this->assertEquals('onNoTagAtAll = true', $this->security->remove_evil_attributes('onNoTagAtAll = true', FALSE));
 		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE));
 		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE));
+		$this->assertEquals(
+			'<foo bar=">" baz=\'\' [removed]>',
+			$this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan="quotes">', FALSE)
+		);
+		$this->assertEquals(
+			'<foo bar=">" baz=\'\'[removed]>',
+			$this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan=noQuotes>', FALSE)
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 72ebac4eed3f5de650a26ffbc34fc0aaaa49c7d4 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 10 Sep 2015 13:14:00 +0300
Subject: Fix a broken unit test from 700619cebf75c4e4fcda6a2d7bea1afb84a029e4

---
 tests/codeigniter/core/Security_test.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 52bb296ad..68b52247e 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -151,7 +151,7 @@ class Security_test extends CI_TestCase {
 			$this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan="quotes">', FALSE)
 		);
 		$this->assertEquals(
-			'<foo bar=">" baz=\'\'[removed]>',
+			'<foo bar=">" baz=\'\' [removed]>',
 			$this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan=noQuotes>', FALSE)
 		);
 	}
-- 
cgit v1.2.3-24-g4f1b


From abc6006884658acb4e2302460f87e2f89a5a7e80 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 10 Sep 2015 16:36:22 +0300
Subject: Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4

---
 tests/codeigniter/core/Security_test.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 68b52247e..8e6d276fc 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -147,12 +147,12 @@ class Security_test extends CI_TestCase {
 		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE));
 		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE));
 		$this->assertEquals(
-			'<foo bar=">" baz=\'\' [removed]>',
-			$this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan="quotes">', FALSE)
+			'<foo bar=">" baz=\'>\' [removed]>',
+			$this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">', FALSE)
 		);
 		$this->assertEquals(
-			'<foo bar=">" baz=\'\' [removed]>',
-			$this->security->remove_evil_attributes('<foo bar=">" baz=\'\' onAfterGreaterThan=noQuotes>', FALSE)
+			'<foo bar=">" baz=\'>\' [removed]>',
+			$this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>', FALSE)
 		);
 	}
 
-- 
cgit v1.2.3-24-g4f1b


From 12023a79b0c3b45f68cce0357e3009c5884da663 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 10 Sep 2015 18:00:57 +0300
Subject: Last commit didn't adjust a RE index

---
 tests/codeigniter/core/Security_test.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 8e6d276fc..1958526ee 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -154,6 +154,11 @@ class Security_test extends CI_TestCase {
 			'<foo bar=">" baz=\'>\' [removed]>',
 			$this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>', FALSE)
 		);
+
+		$this->assertEquals(
+			'<img src="x" [removed]> on=<svg> onerror=alert(1)>',
+			$this->security->remove_evil_attributes('<img src="x" on=""> on=<svg> onerror=alert(1)>', FALSE)
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 58c7bcb85c1a354e1eaebae8ef658516f427378d Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 11 Sep 2015 13:59:40 +0300
Subject: Replace the latest XSS patches

This one fixes yet another issue, is cleaner and faster.
---
 tests/codeigniter/core/Security_test.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 1958526ee..ed0838474 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -156,9 +156,14 @@ class Security_test extends CI_TestCase {
 		);
 
 		$this->assertEquals(
-			'<img src="x" [removed]> on=<svg> onerror=alert(1)>',
+			'<img src="x" on=""> on=<svg> onerror=alert(1)>',
 			$this->security->remove_evil_attributes('<img src="x" on=""> on=<svg> onerror=alert(1)>', FALSE)
 		);
+
+		$this->assertEquals(
+			'<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>',
+			$this->security->remove_evil_attributes('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', FALSE)
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 2f71c625b8d9ed7efc34b2139695702d6a08f6be Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 11 Sep 2015 15:21:10 +0300
Subject: Improve on previous commit

---
 tests/codeigniter/core/Security_test.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index ed0838474..d09128053 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -164,6 +164,11 @@ class Security_test extends CI_TestCase {
 			'<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>',
 			$this->security->remove_evil_attributes('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', FALSE)
 		);
+
+		$this->assertEquals(
+			'<img src="x"> on=\'x\' onerror=``,alert(1)>',
+			$this->security->remove_evil_attributes('<img src="x"> on=\'x\' onerror=``,alert(1)>', FALSE)
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From bc78748b24ec2d49f0218fa701d1e95259b41187 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 11 Sep 2015 18:11:32 +0300
Subject: Harden xss_clean() more

This time eliminate false positives for the
'naughty html' logic.
---
 tests/codeigniter/core/Security_test.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index d09128053..9437ececc 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -130,8 +130,13 @@ class Security_test extends CI_TestCase {
 
 	public function test_xss_clean_sanitize_naughty_html()
 	{
-		$input = '<blink>';
-		$this->assertEquals('&lt;blink&gt;', $this->security->xss_clean($input));
+		$this->assertEquals('&lt;blink&gt;', $this->security->xss_clean('<blink>'));
+		$this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>'));
+
+		$this->assertEquals(
+			'<img <svg=""> src="x">',
+			$this->security->xss_clean('<img <svg=""> src="x">')
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 70f60d07253d301ec62789f78587db0dac826a27 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 14 Sep 2015 11:11:20 +0300
Subject: Move _remove_evil_attributes() call

---
 tests/codeigniter/core/Security_test.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 9437ececc..2e9cd01c4 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -178,6 +178,20 @@ class Security_test extends CI_TestCase {
 
 	// --------------------------------------------------------------------
 
+	/**
+	 * @depends test_xss_clean_sanitize_naughty_html
+	 * @depends test_remove_evil_attributes
+	 */
+	public function test_naughty_html_plus_evil_attributes()
+	{
+		$this->assertEquals(
+			'&lt;svg<img &gt; src="x" [removed]>',
+			$this->security->xss_clean('<svg<img > src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">')
+		);
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_xss_hash()
 	{
 		$this->assertEmpty($this->security->xss_hash);
-- 
cgit v1.2.3-24-g4f1b


From 1e6d4d611d80dc7f20566ecc125354d84deebd1c Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 14 Sep 2015 16:06:37 +0300
Subject: Another addition to tag detection patterns in xss_clean()

---
 tests/codeigniter/core/Security_test.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 2e9cd01c4..ee5b82cbc 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -174,6 +174,11 @@ class Security_test extends CI_TestCase {
 			'<img src="x"> on=\'x\' onerror=``,alert(1)>',
 			$this->security->remove_evil_attributes('<img src="x"> on=\'x\' onerror=``,alert(1)>', FALSE)
 		);
+
+		$this->assertEquals(
+			'<a< [removed]>',
+			$this->security->remove_evil_attributes('<a< onmouseover="alert(1)">', FALSE)
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 3ceb14a4325a8a3d47747dff3d50fbc392fc3206 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 17 Sep 2015 15:03:03 +0300
Subject: Refactor 'evil attributes' sanitization logic

Turned out pretty much impossible to do remove 'evil attributes'
with just one pattern - it either breaks something else, hits
pcre.backtrack_limit or causes PHP to segfault.

No benchmarks made, but there shouldn't be any performance
regressions since we're now trying to strip attributes only
after it is determined that they are inside a tag; up until
now this was done seprately for _sanitize_naughty_html()
and _remove_evil_attributes().
---
 tests/codeigniter/core/Security_test.php | 57 +++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 23 deletions(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index ee5b82cbc..7dfdb64c1 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -96,7 +96,7 @@ class Security_test extends CI_TestCase {
 
 		$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);
 
-		$this->assertTrue($xss_clean_return);
+//		$this->assertTrue($xss_clean_return);
 	}
 
 	// --------------------------------------------------------------------
@@ -128,7 +128,7 @@ class Security_test extends CI_TestCase {
 
 	// --------------------------------------------------------------------
 
-	public function test_xss_clean_sanitize_naughty_html()
+	public function test_xss_clean_sanitize_naughty_html_tags()
 	{
 		$this->assertEquals('&lt;blink&gt;', $this->security->xss_clean('<blink>'));
 		$this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>'));
@@ -137,55 +137,66 @@ class Security_test extends CI_TestCase {
 			'<img <svg=""> src="x">',
 			$this->security->xss_clean('<img <svg=""> src="x">')
 		);
+
+		$this->assertEquals(
+			'<img src="b on=">on=">"x onerror="alert&#40;1&#41;">',
+			$this->security->xss_clean('<img src="b on="<x">on=">"x onerror="alert(1)">')
+		);
 	}
 
 	// --------------------------------------------------------------------
 
-	public function test_remove_evil_attributes()
+	public function test_xss_clean_sanitize_naughty_html_attributes()
 	{
-		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttribute="bar">', FALSE));
-		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeNoQuotes=bar>', FALSE));
-		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeWithSpaces = bar>', FALSE));
-		$this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->remove_evil_attributes('<foo prefixOnAttribute="bar">', FALSE));
-		$this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->remove_evil_attributes('<foo>onOutsideOfTag=test</foo>', FALSE));
-		$this->assertEquals('onNoTagAtAll = true', $this->security->remove_evil_attributes('onNoTagAtAll = true', FALSE));
-		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE));
-		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE));
+		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">'));
+		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
+		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
+		$this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">'));
+		$this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>'));
+		$this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
+		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo fscommand=case-insensitive>'));
+		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo seekSegmentTime=whatever>'));
+
 		$this->assertEquals(
 			'<foo bar=">" baz=\'>\' [removed]>',
-			$this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">', FALSE)
+			$this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">')
 		);
 		$this->assertEquals(
 			'<foo bar=">" baz=\'>\' [removed]>',
-			$this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>', FALSE)
+			$this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>')
+		);
+
+		$this->assertEquals(
+			'<img src="x" on=""> on=&lt;svg&gt; onerror=alert&#40;1&#41;>',
+			$this->security->xss_clean('<img src="x" on=""> on=<svg> onerror=alert(1)>')
 		);
 
 		$this->assertEquals(
-			'<img src="x" on=""> on=<svg> onerror=alert(1)>',
-			$this->security->remove_evil_attributes('<img src="x" on=""> on=<svg> onerror=alert(1)>', FALSE)
+			'<img src="on=\'">"&lt;svg&gt; onerror=alert&#40;1&#41; onmouseover=alert&#40;1&#41;>',
+			$this->security->xss_clean('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>')
 		);
 
 		$this->assertEquals(
-			'<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>',
-			$this->security->remove_evil_attributes('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', FALSE)
+			'<img src="x"> on=\'x\' onerror=``,alert&#40;1&#41;>',
+			$this->security->xss_clean('<img src="x"> on=\'x\' onerror=``,alert(1)>')
 		);
 
 		$this->assertEquals(
-			'<img src="x"> on=\'x\' onerror=``,alert(1)>',
-			$this->security->remove_evil_attributes('<img src="x"> on=\'x\' onerror=``,alert(1)>', FALSE)
+			'<a [removed]>',
+			$this->security->xss_clean('<a< onmouseover="alert(1)">')
 		);
 
 		$this->assertEquals(
-			'<a< [removed]>',
-			$this->security->remove_evil_attributes('<a< onmouseover="alert(1)">', FALSE)
+			'<img src="x"> on=\'x\' onerror=,xssm()>',
+			$this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>')
 		);
 	}
 
 	// --------------------------------------------------------------------
 
 	/**
-	 * @depends test_xss_clean_sanitize_naughty_html
-	 * @depends test_remove_evil_attributes
+	 * @depends test_xss_clean_sanitize_naughty_html_tags
+	 * @depends test_xss_clean_sanitize_naughty_html_attributes
 	 */
 	public function test_naughty_html_plus_evil_attributes()
 	{
-- 
cgit v1.2.3-24-g4f1b


From 088e57db3808f78ee89def94c6ce95b571a88427 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 17 Sep 2015 15:55:57 +0300
Subject: Don't allow open-ended tags to pass through xss_clean()

This was a regression caused by the previous commit
---
 tests/codeigniter/core/Security_test.php | 1 +
 1 file changed, 1 insertion(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 7dfdb64c1..b04d25891 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -130,6 +130,7 @@ class Security_test extends CI_TestCase {
 
 	public function test_xss_clean_sanitize_naughty_html_tags()
 	{
+		$this->assertEquals('&lt;unclosedTag', $this->security->xss_clean('<unclosedTag'));
 		$this->assertEquals('&lt;blink&gt;', $this->security->xss_clean('<blink>'));
 		$this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>'));
 
-- 
cgit v1.2.3-24-g4f1b


From 4fbf2d1a8e2b6d33e92f3f353b05388fd3229bd7 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 21 Sep 2015 16:17:48 +0300
Subject: More XSS stuff

---
 tests/codeigniter/core/Security_test.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index b04d25891..ca111c3bf 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -120,6 +120,17 @@ class Security_test extends CI_TestCase {
 
 	// --------------------------------------------------------------------
 
+	public function text_xss_clean_js_link_removal()
+	{
+		// This one is to prevent a false positive
+		$this->assertEquals(
+			"<a href=\"javascrip\n<t\n:alert\n&#40;1&#41;\"\n>",
+			$this->security->xss_clean("<a href=\"javascrip\n<t\n:alert\n(1)\"\n>")
+		);
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_xss_clean_js_img_removal()
 	{
 		$input = '<img src="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere';
@@ -191,6 +202,11 @@ class Security_test extends CI_TestCase {
 			'<img src="x"> on=\'x\' onerror=,xssm()>',
 			$this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>')
 		);
+
+		$this->assertEquals(
+			'<image src="<>" [removed]>',
+			$this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 249580e711d42fe966e52d7bcc0f349ba99a94a3 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Fri, 2 Oct 2015 16:44:05 +0300
Subject: More XSS stuff

---
 tests/codeigniter/core/Security_test.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index ca111c3bf..b093393af 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -162,7 +162,7 @@ class Security_test extends CI_TestCase {
 	{
 		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">'));
 		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
-		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
+		$this->assertEquals('<foo [removed]bar>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
 		$this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">'));
 		$this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>'));
 		$this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
@@ -207,6 +207,11 @@ class Security_test extends CI_TestCase {
 			'<image src="<>" [removed]>',
 			$this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
 		);
+
+		$this->assertEquals(
+			'<b "=<=  [removed]>',
+			$this->security->xss_clean('<b "=<= onmouseover=alert(1)>')
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From f0f47da9ae4227968ccc9ee6511bcab526498b4c Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 5 Oct 2015 12:37:16 +0300
Subject: Some more intrusive XSS cleaning

---
 tests/codeigniter/core/Security_test.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index b093393af..52967dc2f 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -146,7 +146,7 @@ class Security_test extends CI_TestCase {
 		$this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>'));
 
 		$this->assertEquals(
-			'<img <svg=""> src="x">',
+			'<img [removed]> src="x">',
 			$this->security->xss_clean('<img <svg=""> src="x">')
 		);
 
@@ -209,9 +209,14 @@ class Security_test extends CI_TestCase {
 		);
 
 		$this->assertEquals(
-			'<b "=<=  [removed]>',
+			'<b [removed] [removed]>',
 			$this->security->xss_clean('<b "=<= onmouseover=alert(1)>')
 		);
+
+		$this->assertEquals(
+			'<b [removed] [removed]alert&#40;1&#41;,1>1">',
+			$this->security->xss_clean('<b a=<=" onmouseover="alert(1),1>1">')
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b


From 71b1b3f5b2dcc0f4b652e9494e9853b82541ac8c Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Tue, 27 Oct 2015 12:30:18 +0200
Subject: Harden xss_clean()

---
 tests/codeigniter/core/Security_test.php | 35 ++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 15 deletions(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 52967dc2f..2ef822863 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -115,7 +115,7 @@ class Security_test extends CI_TestCase {
 	public function test_xss_clean_entity_double_encoded()
 	{
 		$input = '<a href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>';
-		$this->assertEquals('<a >Clickhere</a>', $this->security->xss_clean($input));
+		$this->assertEquals('<a>Clickhere</a>', $this->security->xss_clean($input));
 	}
 
 	// --------------------------------------------------------------------
@@ -134,7 +134,7 @@ class Security_test extends CI_TestCase {
 	public function test_xss_clean_js_img_removal()
 	{
 		$input = '<img src="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere';
-		$this->assertEquals('<img >', $this->security->xss_clean($input));
+		$this->assertEquals('<img>', $this->security->xss_clean($input));
 	}
 
 	// --------------------------------------------------------------------
@@ -146,7 +146,7 @@ class Security_test extends CI_TestCase {
 		$this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>'));
 
 		$this->assertEquals(
-			'<img [removed]> src="x">',
+			'<img svg=""> src="x">',
 			$this->security->xss_clean('<img <svg=""> src="x">')
 		);
 
@@ -160,21 +160,21 @@ class Security_test extends CI_TestCase {
 
 	public function test_xss_clean_sanitize_naughty_html_attributes()
 	{
-		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">'));
-		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
-		$this->assertEquals('<foo [removed]bar>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
+		$this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttribute="bar">'));
+		$this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
+		$this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
 		$this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">'));
 		$this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>'));
 		$this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
-		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo fscommand=case-insensitive>'));
-		$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo seekSegmentTime=whatever>'));
+		$this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo fscommand=case-insensitive>'));
+		$this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo seekSegmentTime=whatever>'));
 
 		$this->assertEquals(
-			'<foo bar=">" baz=\'>\' [removed]>',
+			'<foo bar=">" baz=\'>\' xss=removed>',
 			$this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">')
 		);
 		$this->assertEquals(
-			'<foo bar=">" baz=\'>\' [removed]>',
+			'<foo bar=">" baz=\'>\' xss=removed>',
 			$this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>')
 		);
 
@@ -194,7 +194,7 @@ class Security_test extends CI_TestCase {
 		);
 
 		$this->assertEquals(
-			'<a [removed]>',
+			'<a xss=removed>',
 			$this->security->xss_clean('<a< onmouseover="alert(1)">')
 		);
 
@@ -204,19 +204,24 @@ class Security_test extends CI_TestCase {
 		);
 
 		$this->assertEquals(
-			'<image src="<>" [removed]>',
+			'<image src="<>" xss=removed>',
 			$this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
 		);
 
 		$this->assertEquals(
-			'<b [removed] [removed]>',
+			'<b xss=removed>',
 			$this->security->xss_clean('<b "=<= onmouseover=alert(1)>')
 		);
 
 		$this->assertEquals(
-			'<b [removed] [removed]alert&#40;1&#41;,1>1">',
+			'<b xss=removed xss=removed>1">',
 			$this->security->xss_clean('<b a=<=" onmouseover="alert(1),1>1">')
 		);
+
+		$this->assertEquals(
+			'<b x=" onmouseover=alert&#40;1&#41;//">',
+			$this->security->xss_clean('<b "="< x=" onmouseover=alert(1)//">')
+		);
 	}
 
 	// --------------------------------------------------------------------
@@ -228,7 +233,7 @@ class Security_test extends CI_TestCase {
 	public function test_naughty_html_plus_evil_attributes()
 	{
 		$this->assertEquals(
-			'&lt;svg<img &gt; src="x" [removed]>',
+			'&lt;svg<img src="x" xss=removed>',
 			$this->security->xss_clean('<svg<img > src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">')
 		);
 	}
-- 
cgit v1.2.3-24-g4f1b


From 3c0d8da56b8535bb3ab563256e221c81a4a96e4a Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 7 Mar 2016 10:52:15 +0200
Subject: Fix #4475

---
 tests/codeigniter/core/Security_test.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 2ef822863..8328c37cb 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -299,7 +299,8 @@ class Security_test extends CI_TestCase {
 			'<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />',
 			'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
 			'<img srqc="/img/sunset.gif" height="100%" width="100%">',
-			'<img srcq="/img/sunset.gif" height="100%" width="100%">'
+			'<img srcq="/img/sunset.gif" height="100%" width="100%">',
+			'<img src=non-quoted.attribute foo="bar">'
 		);
 
 		$urls = array(
@@ -310,7 +311,8 @@ class Security_test extends CI_TestCase {
 			'mdn-logo-sm.png',
 			'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
 			'<img srqc="/img/sunset.gif" height="100%" width="100%">',
-			'<img srcq="/img/sunset.gif" height="100%" width="100%">'
+			'<img srcq="/img/sunset.gif" height="100%" width="100%">',
+			'non-quoted.attribute'
 		);
 
 		for ($i = 0; $i < count($imgtags); $i++)
-- 
cgit v1.2.3-24-g4f1b


From eea02de557834006c5d6a0bfccca7f39e75bf3a8 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Tue, 27 Sep 2016 14:59:37 +0300
Subject: Fix entity_decode() issue

---
 tests/codeigniter/core/Security_test.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 8328c37cb..cbf0285ec 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -270,6 +270,12 @@ class Security_test extends CI_TestCase {
 
 		$this->assertEquals('<div>Hello <b>Booya</b></div>', $decoded);
 
+		$this->assertEquals('colon:',    $this->security->entity_decode('colon&colon;'));
+		$this->assertEquals("NewLine\n", $this->security->entity_decode('NewLine&NewLine;'));
+		$this->assertEquals("Tab\t",     $this->security->entity_decode('Tab&Tab;'));
+		$this->assertEquals("lpar(",     $this->security->entity_decode('lpar&lpar;'));
+		$this->assertEquals("rpar)",     $this->security->entity_decode('rpar&rpar;'));
+
 		// Issue #3057 (https://github.com/bcit-ci/CodeIgniter/issues/3057)
 		$this->assertEquals(
 			'&foo should not include a semicolon',
-- 
cgit v1.2.3-24-g4f1b


From 9f20c8011a80d74edb740081cd96388bb6a967e6 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Wed, 14 Dec 2016 18:41:52 +0200
Subject: Move csrf_verify() call out of CI_Input

---
 tests/codeigniter/core/Security_test.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index cbf0285ec..2e1127f87 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -12,7 +12,8 @@ class Security_test extends CI_TestCase {
 		$this->ci_set_config('csrf_token_name', 'ci_csrf_token');
 		$this->ci_set_config('csrf_cookie_name', 'ci_csrf_cookie');
 
-		$this->security = new Mock_Core_Security();
+		$_SERVER['REQUEST_METHOD'] = 'GET';
+		$this->security = new Mock_Core_Security('UTF-8');
 	}
 
 	// --------------------------------------------------------------------
@@ -341,7 +342,7 @@ class Security_test extends CI_TestCase {
 		// leave csrf_cookie_name as blank to test _csrf_set_hash function
 		$this->ci_set_config('csrf_cookie_name', '');
 
-		$this->security = new Mock_Core_Security();
+		$this->security = new Mock_Core_Security('UTF-8');
 
 		$this->assertNotEmpty($this->security->get_csrf_hash());
 	}
-- 
cgit v1.2.3-24-g4f1b


From 2ab1c1902711c8b0caf5c3e8f2fa825d72f6755d Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Wed, 4 Jan 2017 15:26:35 +0200
Subject: Fix an XSS vulnerability

---
 tests/codeigniter/core/Security_test.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'tests/codeigniter/core/Security_test.php')

diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index cbf0285ec..4c54ec9fa 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -154,6 +154,11 @@ class Security_test extends CI_TestCase {
 			'<img src="b on=">on=">"x onerror="alert&#40;1&#41;">',
 			$this->security->xss_clean('<img src="b on="<x">on=">"x onerror="alert(1)">')
 		);
+
+		$this->assertEquals(
+			"\n>&lt;!-\n<b d=\"'e><iframe onload=alert&#40;1&#41; src=x>\n<a HREF=\">\n",
+			$this->security->xss_clean("\n><!-\n<b\n<c d=\"'e><iframe onload=alert(1) src=x>\n<a HREF=\"\">\n")
+		);
 	}
 
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b