Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / 5335bc317f07f12c0f0bae5ac9189f75fcad0f1c^! / . / system / core / Security.php
commit5335bc317f07f12c0f0bae5ac9189f75fcad0f1c[log] [tgz]
authorWes Baker <wes@wesbaker.com>Tue Apr 24 15:17:14 2012 -0400
committerWes Baker <wes@wesbaker.com>Tue Apr 24 15:17:14 2012 -0400
tree6f798b2d9cc0fe97cc65f06b39153a2abab02d4d
parente7bbb1dc97c6f2027db5f24383f8d93c4ba41d82 [diff] [blame]
Updating XSS cleaning to better handle base64 encoded attributes.

diff --git a/system/core/Security.php b/system/core/Security.php
index ac39ce9..6574663 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php

@@ -99,7 +99,8 @@
 						'javascript\s*:',
 						'expression\s*(\(|&\#40;)', // CSS and IE
 						'vbscript\s*:', // IE, surprise!
-						'Redirect\s+302'
+						'Redirect\s+302',
+						"([\"'])?data\s*:[^\\1]*?base64[^\\1]*?,[^\\1]*?\\1?"
 					);
 
 	public function __construct()
@@ -362,7 +363,7 @@
 		 * These words are compacted back to their correct state.
 		 */
 		$words = array(
-				'javascript', 'expression', 'vbscript', 'script',
+				'javascript', 'expression', 'vbscript', 'script', 'base64',
 				'applet', 'alert', 'document', 'write', 'cookie', 'window'
 			);
 
@@ -602,10 +603,11 @@
 			$attribs = array();
 
 			// find occurrences of illegal attribute strings without quotes
-			preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s]*)/is', $str, $matches, PREG_SET_ORDER);
+			preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
 
 			foreach ($matches as $attr)
 			{
+
 				$attribs[] = preg_quote($attr[0], '/');
 			}
 
@@ -620,7 +622,7 @@
 			// replace illegal attribute strings that are inside an html tag
 			if (count($attribs) > 0)
 			{
-				$str = preg_replace('/<(\/?[^><]+?)([^A-Za-z\-])('.implode('|', $attribs).')([\s><])([><]*)/i', '<$1$2$4$5', $str, -1, $count);
+				$str = preg_replace("/<(\/?[^><]+?)([^A-Za-z<>\-])(.*?)(".implode('|', $attribs).")(.*?)([\s><])([><]*)/i", '<$1 $3$5$6$7', $str, -1, $count);
 			}
 
 		} while ($count);
@@ -661,7 +663,7 @@
 	protected function _js_link_removal($match)
 	{
 		return str_replace($match[1],
-					preg_replace('#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
+					preg_replace('#href=.*?(alert\(|alert&\#40;|javascript\:|livescript\:|mocha\:|charset\=|window\.|document\.|\.cookie|<script|<xss|data\s*:)#si',
 							'',
 							$this->_filter_attributes(str_replace(array('<', '>'), '', $match[1]))
 					),
@@ -801,7 +803,7 @@
 
 		foreach ($this->_never_allowed_regex as $regex)
 		{
-			$str = preg_replace('#'.$regex.'#i', '[removed]', $str);
+			$str = preg_replace('#'.$regex.'#is', '[removed]', $str);
 		}
 
 		return $str;