Hey you! Yeah, you, that other set of hardcoded arrays in xss_clean(). You're coming with me, pal!
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index c86a3ce..ec06101 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -801,30 +801,12 @@
* something got through the above filters
*
*/
- $bad = array(
- 'document.cookie' => '[removed]',
- 'document.write' => '[removed]',
- '.parentNode' => '[removed]',
- '.innerHTML' => '[removed]',
- 'window.location' => '[removed]',
- '-moz-binding' => '[removed]',
- '<!--' => '<!--',
- '-->' => '-->',
- '<![CDATA[' => '<![CDATA['
- );
-
- foreach ($bad as $key => $val)
+ foreach ($this->never_allowed_str as $key => $val)
{
$str = str_replace($key, $val, $str);
}
-
- $bad = array(
- "javascript\s*:" => '[removed]',
- "expression\s*\(" => '[removed]', // CSS and IE
- "Redirect\s+302" => '[removed]'
- );
-
- foreach ($bad as $key => $val)
+
+ foreach ($this->never_allowed_regex as $key => $val)
{
$str = preg_replace("#".$key."#i", $val, $str);
}
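Review bot: The second loop now takes its patterns from `$this->never_allowed_regex`, but each key is still spliced verbatim into `"#".$key."#i"`, so an entry containing the `#` delimiter or an unescaped metacharacter silently changes what the filter matches, and a `preg_replace()` failure (it returns null on a PCRE error such as a backtrack-limit hit) would overwrite `$str` with null for the rest of the function. Now that the lists live in properties rather than literals next to the loop, I would guard the call: `$cleaned = preg_replace('#'.$key.'#i', $val, $str); if ($cleaned !== null) { $str = $cleaned; }`, and document on `never_allowed_regex` that keys are inserted raw between `#` delimiters with the `i` flag. It is also worth a one-line comment that the `never_allowed_str` pass is a case-sensitive `str_replace()` while the regex pass is case-insensitive, so a future entry lands in the right list. The enclosing xss_clean() starts and ends outside this hunk.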