changed entity standardization to require at least two characters after an ampersand before forcing a semi-colon
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 24c6c19..ff1dd9b 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -547,7 +547,7 @@
 		 * the conversion of entities to ASCII later.

 		 *

 		 */

-		$str = preg_replace('#(&\#?[0-9a-z]+)[\x00-\x20]*;?#i', "\\1;", $str);

+		$str = preg_replace('#(&\#?[0-9a-z]{2,})[\x00-\x20]*;?#i', "\\1;", $str);

 

 		/*

 		 * Validate UTF16 two byte encoding (x00) 
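Review bot: The new `{2,}` minimum on the added preg_replace line applies to numeric references as well as named ones, because the optional `\#?` sits in front of the same `[0-9a-z]` class. A single-digit reference with no terminator, such as `&#9` followed by a non-alphanumeric character, no longer gets its semicolon here, and the comment above says the later entity-to-ASCII conversion depends on this step. If the goal is only to leave text like M&M's alone, consider keeping `+` for the `&#` form and requiring two characters only for the named form, for example `(&(?:\#[0-9a-z]+|[0-9a-z]{2,}))`, and add a test for both cases.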

diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index d317bbf..b729c6a 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -86,6 +86,7 @@
 	<li>Fixed assorted user guide typos or examples (#4840, #4862, #4864, #4899, #4930, #5006).</li>

 	<li>Fixed an edit from 1.6.3 that made the $robots array in user_agents.php go poof.</li>

 	<li>Fixed a bug in the Email library with quoted-printable encoding improperly encoding space and tab characters.</li>

+	<li>Modified XSS sanitization to no longer add semicolons after &amp;[single letter], such as in M&amp;M's, B&amp;B, etc.</li>

 </ul>

 

 <h2>Version 1.6.3</h2>
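Review bot: The added changelog item says "&amp;[single letter]", but the pattern changed in Input.php uses the class `[0-9a-z]` behind an optional `#`, so the new behaviour also covers an ampersand followed by a single digit and `&#` followed by a single character. Reword the entry to state the actual rule (no semicolon is added unless at least two alphanumeric characters follow the ampersand) so that readers relying on the XSS filter know exactly what changed. The entry also sits in a list of "Fixed ..." items; if this is treated as a bug fix, matching that wording would keep the list consistent.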