improvements to xss_clean()
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 347aac3..e879e2d 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -47,9 +47,10 @@
);
/* never allowed, regex replacement */
var $never_allowed_regex = array(
- "javascript\s*:" => '[removed]',
- "expression\s*\(" => '[removed]', // CSS and IE
- "Redirect\s+302" => '[removed]'
+ "javascript\s*:" => '[removed]',
+ "expression\s*(\(|&\#40;)" => '[removed]', // CSS and IE
+ "vbscript\s*:" => '[removed]', // IE, surprise!
+ "Redirect\s+302" => '[removed]'
);
/**
@@ -946,7 +947,7 @@
*/
function _convert_attribute($match)
{
- return str_replace(array('>', '<'), array('>', '<'), $match[0]);
+ return str_replace(array('>', '<', '\\'), array('>', '<', '\\\\'), $match[0]);
}
// --------------------------------------------------------------------
@@ -1043,7 +1044,7 @@
{
foreach ($matches[0] as $match)
{
- $out .= "{$match}";
+ $out .= preg_replace("#/\*.*?\*/#s", '', $match);
}
}
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 6c32f50..4305939 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -88,6 +88,7 @@
</li>
<li>Other Changes
<ul>
+ <li>Improved security in <kbd>xss_clean()</kbd>.</li>
<li>Added 'application/msexcel' to config/mimes.php for .xls files.</li>
</ul>
</li>