Merge pull request #5431 from CyberSecutor/develop

Added a check for parentheses around "document" elements and fixed the non-existent document.window filter to window.document
diff --git a/system/core/Security.php b/system/core/Security.php
index 89a94c3..31926b4 100644
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -134,7 +134,9 @@
 	 */
 	protected $_never_allowed_str =	array(
 		'document.cookie' => '[removed]',
+		'(document).cookie' => '[removed]',
 		'document.write'  => '[removed]',
+		'(document).write'  => '[removed]',
 		'.parentNode'     => '[removed]',
 		'.innerHTML'      => '[removed]',
 		'-moz-binding'    => '[removed]',
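Review bot: The two new entries on L12 and L14 are exact substrings, so they catch only the literal `(document).cookie` and `(document).write` spellings, while the `_never_allowed_regex` list two hunks below already expresses optional parentheses as `\(?document\)?`. Assuming that regex list is applied with the same `[removed]` replacement, a single `'\(?document\)?\.(cookie|write)'` entry there would cover both the old and new spellings and keep the two filters consistent instead of adding one string per variant. The `$_never_allowed_str` array continues past the end of this hunk.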
@@ -152,7 +154,7 @@
 	 */
 	protected $_never_allowed_regex = array(
 		'javascript\s*:',
-		'(document|(document\.)?window)\.(location|on\w*)',
+		'(\(?document\)?|\(?window\)?(\.document)?)\.(location|on\w*)',
 		'expression\s*(\(|&\#40;)', // CSS and IE
 		'vbscript\s*:', // IE, surprise!
 		'wscript\s*:', // IE
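Review bot: The rewritten alternation on L23 still does not cover the parenthesised `window.document` chain the commit message says it targets: `\(?window\)?(\.document)?` only permits a closing parenthesis directly after `window`, so a `)` placed after `.document` never matches the following `\.` and the pattern falls through. A form such as `'(\(?document\)?|\(?window\)?(\.document)?\)?)\.(location|on\w*)'` closes that gap while keeping the same capture structure. Because `\(?` and `\)?` are independent the pattern also accepts unbalanced parentheses, which is harmless for a deny-pattern but worth a comment like `// parentheses around document / window are optional, e.g. (document).location` so the next reader does not "fix" it. The `$_never_allowed_regex` array continues past the end of this hunk.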
@@ -861,7 +863,7 @@
 		// For other tags, see if their attributes are "evil" and strip those
 		elseif (isset($matches['attributes']))
 		{
-			// We'll store the already fitlered attributes here
+			// We'll store the already filtered attributes here
 			$attributes = array();
 
 			// Attribute-catching pattern
@@ -935,7 +937,7 @@
 		return str_replace(
 			$match[1],
 			preg_replace(
-				'#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
+				'#href=.*?(?:(?:alert|prompt|confirm)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|d\s*a\s*t\s*a\s*:)#si',
 				'',
 				$this->_filter_attributes($match[1])
 			),
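Review bot: The `href` pattern on L41 makes `document` parenthesis-tolerant with `\(?document\)?\.` but leaves the neighbouring `window\.` alternative unchanged, so the `(window).` spelling that `_never_allowed_regex` now accepts in this same commit is not stripped here; the `src` pattern on L50 has the identical asymmetry. Changing both to `\(?window\)?\.|\(?document\)?\.` would align them, and since the two patterns differ only in the leading attribute name and the last alternative, hoisting the shared middle section into a class constant would keep future additions from landing in one regex but not the other. The enclosing method begins before this hunk; only its trailing `return str_replace(` is visible.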
@@ -963,7 +965,7 @@
 		return str_replace(
 			$match[1],
 			preg_replace(
-				'#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|document\.|\.cookie|<script|<xss|base64\s*,)#si',
+				'#src=.*?(?:(?:alert|prompt|confirm|eval)(?:\(|&\#40;|`|&\#96;)|javascript:|livescript:|mocha:|charset=|window\.|\(?document\)?\.|\.cookie|<script|<xss|base64\s*,)#si',
 				'',
 				$this->_filter_attributes($match[1])
 			),