
Commit 249580e

committed
More XSS stuff
1 parent f084acf commit 249580e


2 files changed

+7
-2
lines changed


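--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -808,7 +808,7 @@ protected function _sanitize_naughty_html($matches)
 .'([\s\042\047/=]*)' // non-attribute characters, excluding > (tag close) for obvious reasons
 .'(?<name>[^\s\042\047>/=]+)' // attribute characters
 // optional attribute-value
-.'(?:\s*=\s*\042[^\042]+\042|\s*=\s*\047[^\047]+\047|\s*=\s*[^\s\042\047=><`]*)?' // attribute-value separator
+.'(?:\s*=(?:[^\s\042\047=><`]+|\s*\042[^\042]+\042|\s*\047[^\047]+\047|\s*(?U:[^\s\042\047=><`]*)))' // attribute-value separator
 .'#i';
 
 if ($count = preg_match_all($pattern, $matches['attributes'], $attributes, PREG_SET_ORDER | PREG_OFFSET_CAPTURE))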
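Review bot: The new value group drops the trailing `?`, so an attribute name that is not followed by `\s*=` no longer matches at all, whereas the old pattern still captured such a name with no value; whether valueless names need to reach the code that inspects `name` is outside this hunk, so please confirm that is intended and say so in the `// optional attribute-value` comment, which is now inaccurate. The unquoted alternative `[^\s\042\047=><`]+` permits no whitespace after `=`, so for `= bar` only the final `(?U:...)` alternative fires with an empty value and `bar` is left behind as a separate token, which is exactly what the expectation change in Security_test.php pins; the regex deserves a comment stating that. Suggest replacing the trailing line comment with `// '=' then an unquoted (no leading whitespace), double-quoted, single-quoted or empty value`. `_sanitize_naughty_html` starts and ends outside the hunk.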

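--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -162,7 +162,7 @@ public function test_xss_clean_sanitize_naughty_html_attributes()
 {
 $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">'));
 $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
-$this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
+$this->assertEquals('<foo [removed]bar>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
 $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">'));
 $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>'));
 $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
@@ -207,6 +207,11 @@ public function test_xss_clean_sanitize_naughty_html_attributes()
 '<image src="<>" [removed]>',
 $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
 );
+
+$this->assertEquals(
+'<b "=<= [removed]>',
+$this->security->xss_clean('<b "=<= onmouseover=alert(1)>')
+);
 }
 
 // --------------------------------------------------------------------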
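Review bot: The changed expectation on line 165 pins `bar` surviving as `<foo [removed]bar>`, but nothing explains why, so the next reader will take the stray `bar` for a sanitizer leak rather than a deliberate outcome; add `// an unquoted value may not start with whitespace, so ' bar' is left behind as a separate, handler-free attribute token` above that assertion. The new `"=<=` case only exercises the double-quote branch of the value regex; a mirror with the single quote, `'<b \'=<= onmouseover=alert(1)>'`, presumably expecting `'<b \'=<= [removed]>'` by symmetry, would cover the `\047` branch as well. The enclosing test method starts before the first hunk.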
