Improved XSS clean so that it no longer allows this:

xss_clean("<x<xss>ss <scr<xss>ipt a='>'>alert/**/('!');//*/</script</script >>");
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 51d4ed2..f9d23ae 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -588,10 +588,18 @@
 	

 		/*

 		 * Remove disallowed Javascript in links or img tags

-		 */		

-		$str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);

-		$str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);

-	 	$str = preg_replace("#<(script|xss).*?\>#si", "", $str);

+		 */

+		do

+		{

+			$original = $str;

+		

+			$str = preg_replace_callback("#<a.*?</a>#si", array($this, '_js_link_removal'), $str);

+			$str = preg_replace_callback("#<img.*?>#si", array($this, '_js_img_removal'), $str);

+			$str = preg_replace("#</*(script|xss).*?\>#si", "", $str);

+		}

+		while($original != $str);

+		

+		unset($original);

 

 		/*

 		 * Remove JavaScript Event Handlers
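Review bot: The three `preg_*` calls inside the new `do … while` loop assign their result straight back to `$str`, and each returns NULL when PCRE fails (for example when `.*?` under the `s` flag hits the backtrack limit on a long input), so such a submission would be silently emptied rather than cleaned. Checking the result after each call, e.g. `if ($str === NULL) { $str = ''; break; }` together with a log entry, makes that failure visible. The loop condition `while($original != $str)` should be `while ($original !== $str)`, because loose comparison treats two numeric-looking strings as numbers. Since the pattern `</*(script|xss).*?\>` only matches tags that are closed with `>`, this filter is best kept as a second layer behind context-aware output encoding such as `htmlspecialchars()` at render time. The enclosing function starts and ends outside the hunk, so whether later steps re-run this pass cannot be seen from here.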