Fix CI_Security::_remove_evil_attributes() being way too aggressive

commit: b69103e8ab0c646d01f5e97ef6a255293de1e60e [log] [tgz]
author: Andrey Andreev <narf@devilix.net> Sat Jan 25 19:23:47 2014 +0200
committer: Andrey Andreev <narf@devilix.net> Sat Jan 25 19:23:47 2014 +0200
tree: 0fb3bc4b7ff70a1071bee0797c6d8a57c0a9f62d
parent: adf3bde5f8a196013acc615e5bfeedd0ef6417b8 [diff]
diff --git a/system/core/Security.php b/system/core/Security.php
index 93613cc..15cb376 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php

@@ -683,7 +683,7 @@
 			$attribs = array();
 
 			// find occurrences of illegal attribute strings with quotes (042 and 047 are octal quotes)
-			preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
+			preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*(\042|\047)([^\\2]*?)(\\2)/is', $str, $matches, PREG_SET_ORDER);
 
 			foreach ($matches as $attr)
 			{
@@ -691,7 +691,7 @@
 			}
 
 			// find occurrences of illegal attribute strings without quotes
-			preg_match_all('/('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
+			preg_match_all('/\W('.implode('|', $evil_attributes).')\s*=\s*([^\s>]*)/is', $str, $matches, PREG_SET_ORDER);
 
 			foreach ($matches as $attr)
 			{
commit	b69103e8ab0c646d01f5e97ef6a255293de1e60e	[log] [tgz]
author	Andrey Andreev <narf@devilix.net>	Sat Jan 25 19:23:47 2014 +0200
committer	Andrey Andreev <narf@devilix.net>	Sat Jan 25 19:23:47 2014 +0200
tree	0fb3bc4b7ff70a1071bee0797c6d8a57c0a9f62d
parent	adf3bde5f8a196013acc615e5bfeedd0ef6417b8 [diff]