commit 4562f2cbb3e5346c6e341516a31ca87dfa47bafd
author Andrey Andreev <narf@bofh.bg> Mon Jan 09 23:39:50 2012 +0200
committer Andrey Andreev <narf@bofh.bg> Mon Jan 09 23:39:50 2012 +0200
tree 67ad28a22dea814e7b0957270a5fed163ae33af4
parent 8a7d078233bfb80fa01ee090e14ce0664f23b96b

Some more stuff ...

system/core/Security.php

diff --git a/system/core/Security.php b/system/core/Security.php
index d7881d8..1007f61 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -153,20 +153,13 @@
 		}
 
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
-		if ( ! isset($_POST[$this->_csrf_token_name]) OR
-			 ! isset($_COOKIE[$this->_csrf_cookie_name]))
+		if ( ! isset($_POST[$this->_csrf_token_name]) OR ! isset($_COOKIE[$this->_csrf_cookie_name])
+			OR $_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name]) // Do the tokens match?
 		{
 			$this->csrf_show_error();
 		}
 
-		// Do the tokens match?
-		if ($_POST[$this->_csrf_token_name] != $_COOKIE[$this->_csrf_cookie_name])
-		{
-			$this->csrf_show_error();
-		}
-
-		// We kill this since we're done and we don't want to
-		// polute the _POST array
+		// We kill this since we're done and we don't want to polute the _POST array
 		unset($_POST[$this->_csrf_token_name]);
 
 		// Regenerate on every submission?
@@ -308,10 +301,9 @@
 		 * This permits our tests below to work reliably.
 		 * We only convert entities that are within tags since
 		 * these are the ones that will pose security problems.
-		 *
 		 */
 		$str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str);
-		$str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_decode_entity'), $str);
+		$str = preg_replace_callback('/<\w+.*?(?=>|<|$)/si', array($this, '_decode_entity'), $str);
 
 		// Remove Invisible Characters Again!
 		$str = remove_invisible_characters($str);
@@ -326,9 +318,7 @@
 		 */
 		$str = str_replace("\t", ' ', $str);
 
-		/*
-		 * Capture converted string for later comparison
-		 */
+		// Capture converted string for later comparison
 		$converted_string = $str;
 
 		// Remove Strings that are never allowed
@@ -720,12 +710,11 @@
 	protected function _filter_attributes($str)
 	{
 		$out = '';
-
 		if (preg_match_all('#\s*[a-z\-]+\s*=\s*(\042|\047)([^\\1]*?)\\1#is', $str, $matches))
 		{
 			foreach ($matches[0] as $match)
 			{
-				$out .= preg_replace("#/\*.*?\*/#s", '', $match);
+				$out .= preg_replace('#/\*.*?\*/#s', '', $match);
 			}
 		}