Another addition to tag detection patterns in xss_clean()
diff --git a/system/core/Security.php b/system/core/Security.php
index 3142f7d..9e5e725 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -493,6 +493,7 @@
 		 */
 		$pattern = '#'
 			.'<((/*\s*)([a-z0-9]+)(?=[^a-z0-9])' // tag start and name, followed by a non-tag character
+			.'[^>a-z0-9]*' // a valid attribute character immediately after the tag would count as a separator
 			// optional attributes
 			.'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons
 			.'[^\s\042\047>/=]+' // attribute characters
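Review bot: The comment on the added `.'[^>a-z0-9]*'` line does not say what the class matches, which is any run of characters that are neither `>` nor alphanumeric directly after the tag name. A wording such as `// skip any run of characters other than ">" and alphanumerics after the tag name, so stray characters there cannot hide the attributes that follow` would tell the next maintainer why the line exists. The same comment is repeated on the added line in the `@@ -804` hunk and needs the same rewording. The pattern continues past the end of this hunk, so its closing delimiter and flags are not visible here.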
@@ -804,6 +805,7 @@
 
 		$pattern = '#(' // catch everything in the tag preceeding the evil attribute
 			.'<[a-z0-9]+(?=[^>a-z0-9])' // tag start and name, followed by a non-tag character
+			.'[^>a-z0-9]*' // a valid attribute character immediately after the tag would count as a separator
 			// optional attributes
 			.'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons
 			.'[^\s\042\047>/=]+' // attribute characters
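Review bot: The added `[^>a-z0-9]*` overlaps with the separator class `[\s\042\047/=]+` that follows it, so a run of whitespace, quotes, slashes or `=` can be split between the two in more than one way, which may increase backtracking on long inputs that end up not matching. When PCRE hits its backtrack limit, `preg_replace()` returns `NULL`, and the call shown further down in this function assigns the result straight to `$str`. The loop condition is outside the visible lines, so how that case ends is not verifiable here. It would be safer to check for a `NULL` result (or `preg_last_error() !== PREG_NO_ERROR`) after the call and fail closed explicitly, with a logged error, rather than letting the input silently become an empty value.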
@@ -821,7 +823,8 @@
 			.')' // end evil attribute
 			.'#isS';
 
-		do {
+		do
+		{
 			$count = 0;
 			$str = preg_replace($pattern, '$1 [removed]', $str, -1, $count);
 		}
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index 2e9cd01..ee5b82c 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -174,6 +174,11 @@
 			'<img src="x"> on=\'x\' onerror=``,alert(1)>',
 			$this->security->remove_evil_attributes('<img src="x"> on=\'x\' onerror=``,alert(1)>', FALSE)
 		);
+
+		$this->assertEquals(
+			'<a< [removed]>',
+			$this->security->remove_evil_attributes('<a< onmouseover="alert(1)">', FALSE)
+		);
 	}
 
 	// --------------------------------------------------------------------
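Review bot: The new assertion only exercises `remove_evil_attributes()`, while the commit makes the same pattern change to the tag pattern in the `@@ -493` hunk of `Security.php`, and nothing in this diff tests that second change. A regression test that passes the same malformed-tag input through `xss_clean()` would pin it; the expected string should be taken from an actual run rather than guessed. The assertion also covers a single stray character after the tag name, so it does not show that the whole `[^>a-z0-9]*` class behaves as intended. The test method starts outside this hunk.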