Add 'eval' to a JS blacklist in xss_clean()
diff --git a/system/core/Security.php b/system/core/Security.php
index dd3b2c8..3142f7d 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -436,7 +436,7 @@
$words = array(
'javascript', 'expression', 'vbscript', 'jscript', 'wscript',
'vbs', 'script', 'base64', 'applet', 'alert', 'document',
- 'write', 'cookie', 'window', 'confirm', 'prompt'
+ 'write', 'cookie', 'window', 'confirm', 'prompt', 'eval'
);
foreach ($words as $word)
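Review bot: `eval` is only one of the string-to-code sinks, so the addition on L11 still leaves `Function(`, `setTimeout(` and `setInterval(` (all of which accept a string body) outside this list, and an exploded `s e t T i m e o u t (` will pass untouched through whatever the loop does with `$words`. If the intent is to close the code-execution gap rather than this one name, the line should read `'write', 'cookie', 'window', 'confirm', 'prompt', 'eval', 'Function', 'setTimeout', 'setInterval'`, assuming the word regex built in the loop is case-insensitive (the `#is` flags are not visible in this hunk). Because this is a denylist it can never be complete; a comment above L7 such as `// Denylist of JS identifiers whose exploded spellings get compacted below; not a substitute for context-aware output encoding` would keep future maintainers from treating xss_clean() as a sufficient control. Both the enclosing xss_clean() method and the loop that consumes `$words` extend outside this hunk.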
@@ -902,12 +902,15 @@
*/
protected function _js_img_removal($match)
{
- return str_replace($match[1],
- preg_replace('#src=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
- '',
- $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
- ),
- $match[0]);
+ return str_replace(
+ $match[1],
+ preg_replace(
+ '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
+ '',
+ $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
+ ),
+ $match[0]
+ );
}
// --------------------------------------------------------------------
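Review bot: The alternation on L27 is a literal that, in this file's layout, is presumably duplicated in the sibling `_js_link_removal()` (not shown here); if that copy was not given `eval` too, the img and link filters now disagree on what counts as a script call, and the same drift will recur on the next addition. Hoisting the pattern into a single class constant, e.g. `const JS_SINK_PATTERN = '#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si';`, and referencing it from both methods would make one edit cover both. Note also that `eval` is only matched when immediately followed by `(` or `&#40;`, so `eval.call(`, `eval ?.(`, or reaching it through `self.`/`top.`/`parent.` (only `window.` and `document.` are listed) are not caught; a regression test feeding `<img src="javascript:eval(...)">` and the `eval.call` variant through xss_clean() would document which of these the commit intends to cover. The method itself is complete within the hunk, but its docblock ends outside it.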