Fix bcit-ci#3309

narfbg · narfbg · commit 508677ca0e7f · 2014-11-21T13:31:47.000+02:00
diff --git a/system/core/Security.php b/system/core/Security.php
@@ -604,12 +604,12 @@ protected function _compact_exploded_words($matches)
 	protected function _remove_evil_attributes($str, $is_image)
 	{
 		// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns
-		$evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');
+		$evil_attributes = array('(?<!\w)on\w*', 'style', 'xmlns', 'formaction');
 
 		if ($is_image === TRUE)
 		{
 			/*
-			 * Adobe Photoshop puts XML metadata into JFIF images, 
+			 * Adobe Photoshop puts XML metadata into JFIF images,
 			 * including namespacing, so we have to allow this for images.
 			 */
 			unset($evil_attributes[array_search('xmlns', $evil_attributes)]);
@@ -872,4 +872,4 @@ protected function _csrf_set_hash()
 }
 
 /* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
+/* Location: ./system/libraries/Security.php */
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
@@ -65,6 +65,7 @@ <h3>Bug fixes:</h3>
 	<li>Fixed a bug (#3094) - <samp>CI_Input::_clean_input_data()</samp> breaks encrypted session cookies.</li>
 	<li>Fixed a bug (#2508) - <a href="libraries/config.html">Config Library</a> didn't properly detect if the current request is via HTTPS.</li>
 	<li>Fixed a bug (#3314) - SQLSRV <a href="database/index.html">Database driver</a>'s method <samp>count_all()</samp> didn't escape the supplied table name.</li>
+	<li>Fixed a bug (#3309) - <samp>CI_Security::xss_clean()</samp> used an overly-invasive pattern to strip JS event handlers.</li>
 </ul>
 
 <h2>Version 2.2.0</h2>

Original file line number	Diff line number	Diff line change
`@@ -604,12 +604,12 @@ protected function _compact_exploded_words($matches)`
`604`	`604`	`protected function _remove_evil_attributes($str, $is_image)`
`605`	`605`	`{`
`606`	`606`	`// All javascript event handlers (e.g. onload, onclick, onmouseover), style, and xmlns`
`607`		`- $evil_attributes = array('on\w*', 'style', 'xmlns', 'formaction');`
	`607`	`+ $evil_attributes = array('(?<!\w)on\w*', 'style', 'xmlns', 'formaction');`
`608`	`608`
`609`	`609`	`if ($is_image === TRUE)`
`610`	`610`	`{`
`611`	`611`	`/*`
`612`		`- * Adobe Photoshop puts XML metadata into JFIF images,`
	`612`	`+ * Adobe Photoshop puts XML metadata into JFIF images,`
`613`	`613`	`* including namespacing, so we have to allow this for images.`
`614`	`614`	`*/`
`615`	`615`	`unset($evil_attributes[array_search('xmlns', $evil_attributes)]);`
`@@ -872,4 +872,4 @@ protected function _csrf_set_hash()`
`872`	`872`	`}`
`873`	`873`
`874`	`874`	`/* End of file Security.php */`
`875`		`-/* Location: ./system/libraries/Security.php */`
	`875`	`+/* Location: ./system/libraries/Security.php */`