commit 58c7bcb85c1a354e1eaebae8ef658516f427378d
author Andrey Andreev <narf@devilix.net> Fri Sep 11 13:59:40 2015 +0300
committer Andrey Andreev <narf@devilix.net> Fri Sep 11 13:59:40 2015 +0300
tree 53ea253fc5979009e80c0bbecf9749cc05e4884c
parent 12023a79b0c3b45f68cce0357e3009c5884da663

Replace the latest XSS patches

This one fixes yet another issue, is cleaner and faster.

system/core/Security.php

diff --git a/system/core/Security.php b/system/core/Security.php
index 1bc228a..829aac7 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -783,16 +783,28 @@
 			unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
 		}
 
+		$pattern = '#(' // catch everything in the tag preceeding the evil attribute
+			.'<[a-z0-9]+(?=[^>a-z0-9])' // tag start and name, followed by a non-tag character
+			// optional attributes
+			.'([\s\042\047/=]+' // non-attribute characters, excluding > (tag close) for obvious reasons
+			.'[^\s\042\047>/=]+' // attribute characters
+			// optional attribue-value
+			.'(\s*=\s*' // attribute-value separator
+			.'(\042[^\042]*\042|\047[^\047]*\047|[^\s\042\047=><`]*)' // single, double or non-quoted value
+			.')?' // end optional attribute-value group
+			.')*' // end optional attributes group
+			.')' // end catching evil attribute prefix
+			// evil attribute starts here
+			.'([\s\042\047>/=]+' // non-attribute characters (we'll replace that with a single space)
+			.'('.implode('|', $evil_attributes).')'
+			.'\s*=\s*' // attribute-value separator
+			.'(\042[^042]+\042|\047[^047]+\047|[^\s\042\047=><`]+)' // attribute value; single, double or non-quotes
+			.')' // end evil attribute
+			.'#isS';
+
 		do {
-			$count = $temp_count = 0;
-
-			// replace occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
-			$str = preg_replace('/<([^>]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\5]*?)(\\5)/is', '<$1[removed]', $str, -1, $temp_count);
-			$count += $temp_count;
-
-			// find occurrences of illegal attribute strings without quotes
-			$str = preg_replace('/<([^>]+(((?<=\042)[^\042]*(?=\042)|(?<=\047)[^\047]*(?=\047))[^>]*)*)(?<!\w)('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', '<$1[removed]', $str, -1, $temp_count);
-			$count += $temp_count;
+			$count = 0;
+			$str = preg_replace($pattern, '$1 [removed]', $str, -1, $count);
 		}
 		while ($count);