Fix #2268 (manually implementing PR #2269)
diff --git a/system/core/Security.php b/system/core/Security.php
index 9423f82..0944fef 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -117,7 +117,6 @@
 		'document.write'	=> '[removed]',
 		'.parentNode'		=> '[removed]',
 		'.innerHTML'		=> '[removed]',
-		'window.location'	=> '[removed]',
 		'-moz-binding'		=> '[removed]',
 		'<!--'				=> '&lt;!--',
 		'-->'				=> '--&gt;',
@@ -132,6 +131,7 @@
 	 */
 	protected $_never_allowed_regex = array(
 		'javascript\s*:',
+		'(document|(document\.)?window)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
 		'Redirect\s+302',
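Review bot: The pattern added to `_never_allowed_regex` requires a bare `.` between the object and the property, while the neighbouring entries (`javascript\s*:`, `expression\s*(...)`) tolerate whitespace, so a spaced-out form of the same property access would not be matched. Consider `'(document|(document\.)?window)\s*\.\s*(location|on\w*)',` to keep it consistent with its siblings. The entry also has no trailing comment like the lines below it; something such as `// location and event-handler property access` would explain why it replaces the literal `'window.location'` string removed in the first hunk. Whether the match is case-insensitive depends on how this array is applied, which is outside the hunk and should be confirmed.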
@@ -648,8 +648,8 @@
 	 */
 	protected function _remove_evil_attributes($str, $is_image)
 	{
-		// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
-		$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
+		// Formaction, style, and xmlns
+		$evil_attributes = array('style', 'xmlns', 'formaction');
 
 		if ($is_image === TRUE)
 		{
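Review bot: Dropping `'on\w*'` from `$evil_attributes` means `_remove_evil_attributes` no longer strips inline event-handler attributes such as `onclick` or `onerror` from tags. The regex this commit adds to `_never_allowed_regex` only matches `document.`/`window.` property access, so it does not cover the attribute form. Unless another filter step outside this hunk removes those attributes, this weakens the XSS filter. If the aim is to stop false positives on ordinary text beginning with "on", keep the entry, `$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');`, and instead restrict the attribute match to inside a tag. The function body continues past the hunk, so that matching code is not visible here.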
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 27031b9..892bbfb 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -636,6 +636,7 @@
 -  Fixed a bug (#2756) - :doc:`Database Class <database/index>` executed the MySQL-specific `SET SESSION sql_mode` query for all drivers when the 'stricton' option is set.
 -  Fixed a bug (#2579) - :doc:`Query Builder <database/query_builder>`s "no escape" functionality didn't work properly with query cache.
 -  Fixed a bug (#2237) - :doc:`Parser Library <libraries/parser>` failed if the same tag pair is used more than once within a template.
+-  Fixed a bug (#2268) - :doc:`Security Library <libraries/security>` didn't properly match JavaScript events.
 
 Version 2.1.4
 =============