More XSS stuff
diff --git a/system/core/Security.php b/system/core/Security.php
index a306133..0cae23a 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -808,7 +808,7 @@
.'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons
.'(?<name>[^\s\042\047>/=]+)' // attribute characters
// optional attribute-value
- .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]+)?' // attribute-value separator
+ .'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator
.'#i';
if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))
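Review bot: The trailing comment on the changed line still says `// attribute-value separator`, but the group matches the whole optional value, and after this change its unquoted branch also accepts an empty value. A comment such as `// optional value: "..." | '...' | unquoted (may be empty, so a bare name= is consumed with its attribute)` would record why `*` is intended. The two quoted branches still use `+`, so `name=""` appears to fall through to the unquoted branch and leave the empty quotes behind; if that asymmetry is deliberate, it deserves a word as well. The `if` block that consumes `$attributes` continues outside the hunk.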
@@ -861,7 +861,7 @@
preg_replace(
'#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
'',
- $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
+ $this->_filter_attributes($match[1])
),
$match[0]
);
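Review bot: Nothing at this call site records why the `str_replace(array('<', '>'), '', ...)` step was dropped, so a later maintainer could easily restore it as "hardening". The test added in this commit suggests the reason: stripping angle brackets can turn otherwise harmless text into something the blacklist pattern matches. I would put a comment above the call, e.g. `// Do not strip < or > here: doing so can assemble a blacklisted token from harmless input (false positive)`. The same applies to the `src=` call in the next hunk. Raw `<` and `>` now reach `_filter_attributes()`, whose body is not visible here, so it is worth confirming that its pattern tolerates them.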
@@ -889,7 +889,7 @@
preg_replace(
'#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
'',
- $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
+ $this->_filter_attributes($match[1])
),
$match[0]
);
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index b04d258..ca111c3 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -120,6 +120,17 @@
// --------------------------------------------------------------------
+ public function text_xss_clean_js_link_removal()
+ {
+ // This one is to prevent a false positive
+ $this->assertEquals(
+ "<a href=\"javascrip\n<t\n:alert\n(1)\"\n>",
+ $this->security->xss_clean("<a href=\"javascrip\n<t\n:alert\n(1)\"\n>")
+ );
+ }
+
+ // --------------------------------------------------------------------
+
public function test_xss_clean_js_img_removal()
{
$input = '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere';
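Review bot: The added method is named `text_xss_clean_js_link_removal`, and PHPUnit only runs methods whose names start with `test` (or that carry a `@test` annotation), so this false-positive check is never executed. Rename it to `public function test_xss_clean_js_link_removal()`. If a method of that name already exists elsewhere in the file, use a distinct name such as `test_xss_clean_js_link_false_positive`. Until then the `href` change in Security.php has no running regression test in this diff. The trailing context method `test_xss_clean_js_img_removal` continues outside the hunk.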
@@ -191,6 +202,11 @@
'<img src="x"> on=\'x\' onerror=,xssm()>',
$this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>')
);
+
+ $this->assertEquals(
+ '<image src="<>" [removed]>',
+ $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
+ );
}
// --------------------------------------------------------------------
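Review bot: The new assertion covers a single-quoted handler value after a `src` containing `<>`, but none of the assertions visible here exercises the case the Security.php regex change is about: an attribute with an `=` and an empty unquoted value. I would add one more `assertEquals` in this method with an event-handler attribute written as a bare `name=` directly before the closing `>`, asserting that it is replaced with `[removed]`, so the `+` to `*` change is pinned by a test. Using `assertSame` for these string comparisons would also avoid loose-equality surprises. The start of the enclosing test method is outside the hunk.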