X-Git-Url: http://git.onelab.eu/?p=www-register-wizard.git;a=blobdiff_plain;f=libraries%2FInput.php;h=e7bf7277953642e020a999672291ce02293709a1;hp=ee4bb1cd0722e1c056075527847fcd1c2a7e6a02;hb=47598daa8c32dbbd72db83dc33f2ce91b3f6f7b0;hpb=4afb2fe256f094a1caf6bff14f51c6a88938cc9f diff --git a/libraries/Input.php b/libraries/Input.php index ee4bb1c..e7bf727 100644 --- a/libraries/Input.php +++ b/libraries/Input.php @@ -6,7 +6,7 @@ * * @package CodeIgniter * @author ExpressionEngine Dev Team - * @copyright Copyright (c) 2008, EllisLab, Inc. + * @copyright Copyright (c) 2008 - 2009, EllisLab, Inc. * @license http://codeigniter.com/user_guide/license.html * @link http://codeigniter.com * @since Version 1.0 @@ -32,7 +32,7 @@ class CI_Input { var $ip_address = FALSE; var $user_agent = FALSE; var $allow_get_array = FALSE; - + /* never allowed, string replacement */ var $never_allowed_str = array( 'document.cookie' => '[removed]', @@ -47,19 +47,20 @@ class CI_Input { ); /* never allowed, regex replacement */ var $never_allowed_regex = array( - "javascript\s*:" => '[removed]', - "expression\s*\(" => '[removed]', // CSS and IE - "Redirect\s+302" => '[removed]' + "javascript\s*:" => '[removed]', + "expression\s*(\(|&\#40;)" => '[removed]', // CSS and IE + "vbscript\s*:" => '[removed]', // IE, surprise! + "Redirect\s+302" => '[removed]' ); - + /** - * Constructor - * - * Sets whether to globally enable the XSS processing - * and whether to allow the $_GET array - * - * @access public - */ + * Constructor + * + * Sets whether to globally enable the XSS processing + * and whether to allow the $_GET array + * + * @access public + */ function CI_Input() { log_message('debug', "Input Class Initialized"); @@ -73,19 +74,19 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Sanitize Globals - * - * This function does the following: - * - * Unsets $_GET data (if query strings are not enabled) - * - * Unsets all globals if register_globals is enabled - * - * Standardizes newline characters to \n - * - * @access private - * @return void - */ + * Sanitize Globals + * + * This function does the following: + * + * Unsets $_GET data (if query strings are not enabled) + * + * Unsets all globals if register_globals is enabled + * + * Standardizes newline characters to \n + * + * @access private + * @return void + */ function _sanitize_globals() { // Would kind of be "wrong" to unset any of these GLOBALS @@ -111,7 +112,7 @@ class CI_Input { { unset($GLOBALS[$key]); } - + if (is_array($val)) { foreach($val as $k => $v) @@ -138,7 +139,7 @@ class CI_Input { // Clean $_POST Data $_POST = $this->_clean_input_data($_POST); - + // Clean $_COOKIE Data // Also get rid of specially treated cookies that might be set by a server // or silly application, that are of no use to a CI application anyway @@ -156,15 +157,15 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Clean Input Data - * - * This is a helper function. It escapes data and - * standardizes newline characters to \n - * - * @access private - * @param string - * @return string - */ + * Clean Input Data + * + * This is a helper function. It escapes data and + * standardizes newline characters to \n + * + * @access private + * @param string + * @return string + */ function _clean_input_data($str) { if (is_array($str)) @@ -194,46 +195,46 @@ class CI_Input { { $str = str_replace(array("\r\n", "\r"), "\n", $str); } - + return $str; } // -------------------------------------------------------------------- /** - * Clean Keys - * - * This is a helper function. To prevent malicious users - * from trying to exploit keys we make sure that keys are - * only named with alpha-numeric text and a few other items. - * - * @access private - * @param string - * @return string - */ + * Clean Keys + * + * This is a helper function. To prevent malicious users + * from trying to exploit keys we make sure that keys are + * only named with alpha-numeric text and a few other items. + * + * @access private + * @param string + * @return string + */ function _clean_input_keys($str) { - if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)) - { + if ( ! preg_match("/^[a-z0-9:_\/-]+$/i", $str)) + { exit('Disallowed Key Characters.'); - } + } return $str; } // -------------------------------------------------------------------- - + /** - * Fetch from array - * - * This is a helper function to retrieve values from global arrays - * - * @access private - * @param array - * @param string - * @param bool - * @return string - */ + * Fetch from array + * + * This is a helper function to retrieve values from global arrays + * + * @access private + * @param array + * @param string + * @param bool + * @return string + */ function _fetch_from_array(&$array, $index = '', $xss_clean = FALSE) { if ( ! isset($array[$index])) @@ -250,15 +251,15 @@ class CI_Input { } // -------------------------------------------------------------------- - + /** - * Fetch an item from the GET array - * - * @access public - * @param string - * @param bool - * @return string - */ + * Fetch an item from the GET array + * + * @access public + * @param string + * @param bool + * @return string + */ function get($index = '', $xss_clean = FALSE) { return $this->_fetch_from_array($_GET, $index, $xss_clean); @@ -267,13 +268,13 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Fetch an item from the POST array - * - * @access public - * @param string - * @param bool - * @return string - */ + * Fetch an item from the POST array + * + * @access public + * @param string + * @param bool + * @return string + */ function post($index = '', $xss_clean = FALSE) { return $this->_fetch_from_array($_POST, $index, $xss_clean); @@ -282,15 +283,15 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Fetch an item from either the GET array or the POST - * - * @access public - * @param string The index key - * @param bool XSS cleaning - * @return string - */ + * Fetch an item from either the GET array or the POST + * + * @access public + * @param string The index key + * @param bool XSS cleaning + * @return string + */ function get_post($index = '', $xss_clean = FALSE) - { + { if ( ! isset($_POST[$index]) ) { return $this->get($index, $xss_clean); @@ -298,19 +299,19 @@ class CI_Input { else { return $this->post($index, $xss_clean); - } + } } // -------------------------------------------------------------------- /** - * Fetch an item from the COOKIE array - * - * @access public - * @param string - * @param bool - * @return string - */ + * Fetch an item from the COOKIE array + * + * @access public + * @param string + * @param bool + * @return string + */ function cookie($index = '', $xss_clean = FALSE) { return $this->_fetch_from_array($_COOKIE, $index, $xss_clean); @@ -319,13 +320,13 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Fetch an item from the SERVER array - * - * @access public - * @param string - * @param bool - * @return string - */ + * Fetch an item from the SERVER array + * + * @access public + * @param string + * @param bool + * @return string + */ function server($index = '', $xss_clean = FALSE) { return $this->_fetch_from_array($_SERVER, $index, $xss_clean); @@ -334,33 +335,40 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Fetch the IP Address - * - * @access public - * @return string - */ + * Fetch the IP Address + * + * @access public + * @return string + */ function ip_address() { if ($this->ip_address !== FALSE) { return $this->ip_address; } + + if (config_item('proxy_ips') != '' && $this->server('HTTP_X_FORWARDED_FOR') && $this->server('REMOTE_ADDR')) + { + $proxies = preg_split('/[\s,]/', config_item('proxy_ips'), -1, PREG_SPLIT_NO_EMPTY); + $proxies = is_array($proxies) ? $proxies : array($proxies); - if ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) + $this->ip_address = in_array($_SERVER['REMOTE_ADDR'], $proxies) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR']; + } + elseif ($this->server('REMOTE_ADDR') AND $this->server('HTTP_CLIENT_IP')) { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; + $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; } elseif ($this->server('REMOTE_ADDR')) { - $this->ip_address = $_SERVER['REMOTE_ADDR']; + $this->ip_address = $_SERVER['REMOTE_ADDR']; } elseif ($this->server('HTTP_CLIENT_IP')) { - $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; + $this->ip_address = $_SERVER['HTTP_CLIENT_IP']; } elseif ($this->server('HTTP_X_FORWARDED_FOR')) { - $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; + $this->ip_address = $_SERVER['HTTP_X_FORWARDED_FOR']; } if ($this->ip_address === FALSE) @@ -372,28 +380,28 @@ class CI_Input { if (strstr($this->ip_address, ',')) { $x = explode(',', $this->ip_address); - $this->ip_address = end($x); + $this->ip_address = trim(end($x)); } if ( ! $this->valid_ip($this->ip_address)) { $this->ip_address = '0.0.0.0'; } - + return $this->ip_address; } // -------------------------------------------------------------------- /** - * Validate IP Address - * - * Updated version suggested by Geert De Deckere - * - * @access public - * @param string - * @return string - */ + * Validate IP Address + * + * Updated version suggested by Geert De Deckere + * + * @access public + * @param string + * @return string + */ function valid_ip($ip) { $ip_segments = explode('.', $ip); @@ -425,11 +433,11 @@ class CI_Input { // -------------------------------------------------------------------- /** - * User Agent - * - * @access public - * @return string - */ + * User Agent + * + * @access public + * @return string + */ function user_agent() { if ($this->user_agent !== FALSE) @@ -445,12 +453,12 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Filename Security - * - * @access public - * @param string - * @return string - */ + * Filename Security + * + * @access public + * @param string + * @return string + */ function filename_security($str) { $bad = array( @@ -494,179 +502,179 @@ class CI_Input { // -------------------------------------------------------------------- /** - * XSS Clean - * - * Sanitizes data so that Cross Site Scripting Hacks can be - * prevented. This function does a fair amount of work but - * it is extremely thorough, designed to prevent even the - * most obscure XSS attempts. Nothing is ever 100% foolproof, - * of course, but I haven't been able to get anything passed - * the filter. - * - * Note: This function should only be used to deal with data - * upon submission. It's not something that should - * be used for general runtime processing. - * - * This function was based in part on some code and ideas I - * got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention - * - * To help develop this script I used this great list of - * vulnerabilities along with a few other hacks I've - * harvested from examining vulnerabilities in other programs: - * http://ha.ckers.org/xss.html - * - * @access public - * @param string - * @return string - */ + * XSS Clean + * + * Sanitizes data so that Cross Site Scripting Hacks can be + * prevented. This function does a fair amount of work but + * it is extremely thorough, designed to prevent even the + * most obscure XSS attempts. Nothing is ever 100% foolproof, + * of course, but I haven't been able to get anything passed + * the filter. + * + * Note: This function should only be used to deal with data + * upon submission. It's not something that should + * be used for general runtime processing. + * + * This function was based in part on some code and ideas I + * got from Bitflux: http://blog.bitflux.ch/wiki/XSS_Prevention + * + * To help develop this script I used this great list of + * vulnerabilities along with a few other hacks I've + * harvested from examining vulnerabilities in other programs: + * http://ha.ckers.org/xss.html + * + * @access public + * @param string + * @return string + */ function xss_clean($str, $is_image = FALSE) { /* - * Is the string an array? - * - */ + * Is the string an array? + * + */ if (is_array($str)) { while (list($key) = each($str)) { $str[$key] = $this->xss_clean($str[$key]); } - + return $str; } /* - * Remove Invisible Characters - */ + * Remove Invisible Characters + */ $str = $this->_remove_invisible_characters($str); /* - * Protect GET variables in URLs - */ - - // 901119URL5918AMP18930PROTECT8198 - + * Protect GET variables in URLs + */ + + // 901119URL5918AMP18930PROTECT8198 + $str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str); /* - * Validate standard character entities - * - * Add a semicolon if missing. We do this to enable - * the conversion of entities to ASCII later. - * - */ - $str = preg_replace('#(&\#?[0-9a-z]{2,})[\x00-\x20]*;?#i', "\\1;", $str); + * Validate standard character entities + * + * Add a semicolon if missing. We do this to enable + * the conversion of entities to ASCII later. + * + */ + $str = preg_replace('#(&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str); /* - * Validate UTF16 two byte encoding (x00) - * - * Just as above, adds a semicolon if missing. - * - */ + * Validate UTF16 two byte encoding (x00) + * + * Just as above, adds a semicolon if missing. + * + */ $str = preg_replace('#(&\#x?)([0-9A-F]+);?#i',"\\1\\2;",$str); /* - * Un-Protect GET variables in URLs - */ + * Un-Protect GET variables in URLs + */ $str = str_replace($this->xss_hash(), '&', $str); /* - * URL Decode - * - * Just in case stuff like this is submitted: - * - * Google - * - * Note: Use rawurldecode() so it does not remove plus signs - * - */ + * URL Decode + * + * Just in case stuff like this is submitted: + * + * Google + * + * Note: Use rawurldecode() so it does not remove plus signs + * + */ $str = rawurldecode($str); - + /* - * Convert character entities to ASCII - * - * This permits our tests below to work reliably. - * We only convert entities that are within tags since - * these are the ones that will pose security problems. - * - */ + * Convert character entities to ASCII + * + * This permits our tests below to work reliably. + * We only convert entities that are within tags since + * these are the ones that will pose security problems. + * + */ $str = preg_replace_callback("/[a-z]+=([\'\"]).*?\\1/si", array($this, '_convert_attribute'), $str); - + $str = preg_replace_callback("/<\w+.*?(?=>|<|$)/si", array($this, '_html_entity_decode_callback'), $str); /* - * Remove Invisible Characters Again! - */ + * Remove Invisible Characters Again! + */ $str = $this->_remove_invisible_characters($str); - + /* - * Convert all tabs to spaces - * - * This prevents strings like this: ja vascript - * NOTE: we deal with spaces between characters later. - * NOTE: preg_replace was found to be amazingly slow here on large blocks of data, - * so we use str_replace. - * - */ - + * Convert all tabs to spaces + * + * This prevents strings like this: ja vascript + * NOTE: we deal with spaces between characters later. + * NOTE: preg_replace was found to be amazingly slow here on large blocks of data, + * so we use str_replace. + * + */ + if (strpos($str, "\t") !== FALSE) { $str = str_replace("\t", ' ', $str); } - + /* - * Capture converted string for later comparison - */ + * Capture converted string for later comparison + */ $converted_string = $str; - + /* - * Not Allowed Under Any Conditions - */ - + * Not Allowed Under Any Conditions + */ + foreach ($this->never_allowed_str as $key => $val) { $str = str_replace($key, $val, $str); } - + foreach ($this->never_allowed_regex as $key => $val) { $str = preg_replace("#".$key."#i", $val, $str); } /* - * Makes PHP tags safe - * - * Note: XML tags are inadvertently replaced too: - * - * '), array('<?php', '<?PHP', '<?', '?>'), $str); + $str = str_replace(array(''), array('<?', '?>'), $str); } - + /* - * Compact any exploded words - * - * This corrects words like: j a v a s c r i p t - * These words are compacted back to their correct state. - * - */ + * Compact any exploded words + * + * This corrects words like: j a v a s c r i p t + * These words are compacted back to their correct state. + * + */ $words = array('javascript', 'expression', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window'); foreach ($words as $word) { $temp = ''; - + for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) { $temp .= substr($word, $i, 1)."\s*"; @@ -676,26 +684,26 @@ class CI_Input { // That way valid stuff like "dealer to" does not become "dealerto" $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str); } - + /* - * Remove disallowed Javascript in links or img tags - * We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared - * to these simplified non-capturing preg_match(), especially if the pattern exists in the string - */ + * Remove disallowed Javascript in links or img tags + * We used to do some version comparisons and use of stripos for PHP5, but it is dog slow compared + * to these simplified non-capturing preg_match(), especially if the pattern exists in the string + */ do { $original = $str; - + if (preg_match("/]*?)(>|$)#si", array($this, '_js_link_removal'), $str); } - + if (preg_match("/]*?)(\s?/?>|$)#si", array($this, '_js_img_removal'), $str); } - + if (preg_match("/script/i", $str) OR preg_match("/xss/i", $str)) { $str = preg_replace("#<(/*)(script|xss)(.*?)\>#si", '[removed]', $str); @@ -706,78 +714,78 @@ class CI_Input { unset($original); /* - * Remove JavaScript Event Handlers - * - * Note: This code is a little blunt. It removes - * the event handler and anything up to the closing >, - * but it's unlikely to be a problem. - * - */ + * Remove JavaScript Event Handlers + * + * Note: This code is a little blunt. It removes + * the event handler and anything up to the closing >, + * but it's unlikely to be a problem. + * + */ $event_handlers = array('[^a-z_\-]on\w*','xmlns'); if ($is_image === TRUE) { /* - * Adobe Photoshop puts XML metadata into JFIF images, including namespacing, - * so we have to allow this for images. -Paul - */ + * Adobe Photoshop puts XML metadata into JFIF images, including namespacing, + * so we have to allow this for images. -Paul + */ unset($event_handlers[array_search('xmlns', $event_handlers)]); } $str = preg_replace("#<([^><]+?)(".implode('|', $event_handlers).")(\s*=\s*[^><]*)([><]*)#i", "<\\1\\4", $str); /* - * Sanitize naughty HTML elements - * - * If a tag containing any of the words in the list - * below is found, the tag gets converted to entities. - * - * So this: - * Becomes: <blink> - * - */ + * Sanitize naughty HTML elements + * + * If a tag containing any of the words in the list + * below is found, the tag gets converted to entities. + * + * So this: + * Becomes: <blink> + * + */ $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss'; $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', array($this, '_sanitize_naughty_html'), $str); /* - * Sanitize naughty scripting elements - * - * Similar to above, only instead of looking for - * tags it looks for PHP and JavaScript commands - * that are disallowed. Rather than removing the - * code, it simply converts the parenthesis to entities - * rendering the code un-executable. - * - * For example: eval('some code') - * Becomes: eval('some code') - * - */ + * Sanitize naughty scripting elements + * + * Similar to above, only instead of looking for + * tags it looks for PHP and JavaScript commands + * that are disallowed. Rather than removing the + * code, it simply converts the parenthesis to entities + * rendering the code un-executable. + * + * For example: eval('some code') + * Becomes: eval('some code') + * + */ $str = preg_replace('#(alert|cmd|passthru|eval|exec|expression|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $str); - + /* - * Final clean up - * - * This adds a bit of extra precaution in case - * something got through the above filters - * - */ + * Final clean up + * + * This adds a bit of extra precaution in case + * something got through the above filters + * + */ foreach ($this->never_allowed_str as $key => $val) { $str = str_replace($key, $val, $str); } - + foreach ($this->never_allowed_regex as $key => $val) { $str = preg_replace("#".$key."#i", $val, $str); } /* - * Images are Handled in a Special Way - * - Essentially, we want to know that after all of the character conversion is done whether - * any unwanted, likely XSS, code was found. If not, we return TRUE, as the image is clean. - * However, if the string post-conversion does not matched the string post-removal of XSS, - * then it fails, as there was unwanted XSS code found and removed/changed during processing. - */ + * Images are Handled in a Special Way + * - Essentially, we want to know that after all of the character conversion is done whether + * any unwanted, likely XSS, code was found. If not, we return TRUE, as the image is clean. + * However, if the string post-conversion does not matched the string post-removal of XSS, + * then it fails, as there was unwanted XSS code found and removed/changed during processing. + */ if ($is_image === TRUE) { @@ -790,7 +798,7 @@ class CI_Input { return FALSE; } } - + log_message('debug', "XSS Filtering completed"); return $str; } @@ -798,11 +806,11 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Random Hash for protecting URLs - * - * @access public - * @return string - */ + * Random Hash for protecting URLs + * + * @access public + * @return string + */ function xss_hash() { if ($this->xss_hash == '') @@ -819,21 +827,21 @@ class CI_Input { } // -------------------------------------------------------------------- - + /** - * Remove Invisible Characters - * - * This prevents sandwiching null characters - * between ascii characters, like Java\0script. - * - * @access public - * @param string - * @return string - */ + * Remove Invisible Characters + * + * This prevents sandwiching null characters + * between ascii characters, like Java\0script. + * + * @access public + * @param string + * @return string + */ function _remove_invisible_characters($str) { static $non_displayables; - + if ( ! isset($non_displayables)) { // every control character except newline (dec 10), carriage return (dec 13), and horizontal tab (dec 09), @@ -857,58 +865,58 @@ class CI_Input { } // -------------------------------------------------------------------- - + /** - * Compact Exploded Words - * - * Callback function for xss_clean() to remove whitespace from - * things like j a v a s c r i p t - * - * @access public - * @param type - * @return type - */ + * Compact Exploded Words + * + * Callback function for xss_clean() to remove whitespace from + * things like j a v a s c r i p t + * + * @access public + * @param type + * @return type + */ function _compact_exploded_words($matches) { return preg_replace('/\s+/s', '', $matches[1]).$matches[2]; } // -------------------------------------------------------------------- - + /** - * Sanitize Naughty HTML - * - * Callback function for xss_clean() to remove naughty HTML elements - * - * @access private - * @param array - * @return string - */ + * Sanitize Naughty HTML + * + * Callback function for xss_clean() to remove naughty HTML elements + * + * @access private + * @param array + * @return string + */ function _sanitize_naughty_html($matches) { // encode opening brace $str = '<'.$matches[1].$matches[2].$matches[3]; - + // encode captured opening or closing brace to prevent recursive vectors $str .= str_replace(array('>', '<'), array('>', '<'), $matches[4]); - + return $str; } // -------------------------------------------------------------------- - + /** - * JS Link Removal - * - * Callback function for xss_clean() to sanitize links - * This limits the PCRE backtracks, making it more performance friendly - * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in - * PHP 5.2+ on link-heavy strings - * - * @access private - * @param array - * @return string - */ + * JS Link Removal + * + * Callback function for xss_clean() to sanitize links + * This limits the PCRE backtracks, making it more performance friendly + * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in + * PHP 5.2+ on link-heavy strings + * + * @access private + * @param array + * @return string + */ function _js_link_removal($match) { $attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])); @@ -916,17 +924,17 @@ class CI_Input { } /** - * JS Image Removal - * - * Callback function for xss_clean() to sanitize image tags - * This limits the PCRE backtracks, making it more performance friendly - * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in - * PHP 5.2+ on image tag heavy strings - * - * @access private - * @param array - * @return string - */ + * JS Image Removal + * + * Callback function for xss_clean() to sanitize image tags + * This limits the PCRE backtracks, making it more performance friendly + * and prevents PREG_BACKTRACK_LIMIT_ERROR from being triggered in + * PHP 5.2+ on image tag heavy strings + * + * @access private + * @param array + * @return string + */ function _js_img_removal($match) { $attributes = $this->_filter_attributes(str_replace(array('<', '>'), '', $match[1])); @@ -936,30 +944,30 @@ class CI_Input { // -------------------------------------------------------------------- /** - * Attribute Conversion - * - * Used as a callback for XSS Clean - * - * @access public - * @param array - * @return string - */ + * Attribute Conversion + * + * Used as a callback for XSS Clean + * + * @access public + * @param array + * @return string + */ function _convert_attribute($match) { - return str_replace(array('>', '<'), array('>', '<'), $match[0]); + return str_replace(array('>', '<', '\\'), array('>', '<', '\\\\'), $match[0]); } // -------------------------------------------------------------------- /** - * HTML Entity Decode Callback - * - * Used as a callback for XSS Clean - * - * @access public - * @param array - * @return string - */ + * HTML Entity Decode Callback + * + * Used as a callback for XSS Clean + * + * @access public + * @param array + * @return string + */ function _html_entity_decode_callback($match) { $CFG =& load_class('Config'); @@ -971,20 +979,20 @@ class CI_Input { // -------------------------------------------------------------------- /** - * HTML Entities Decode - * - * This function is a replacement for html_entity_decode() - * - * In some versions of PHP the native function does not work - * when UTF-8 is the specified character set, so this gives us - * a work-around. More info here: - * http://bugs.php.net/bug.php?id=25670 - * - * @access private - * @param string - * @param string - * @return string - */ + * HTML Entities Decode + * + * This function is a replacement for html_entity_decode() + * + * In some versions of PHP the native function does not work + * when UTF-8 is the specified character set, so this gives us + * a work-around. More info here: + * http://bugs.php.net/bug.php?id=25670 + * + * @access private + * @param string + * @param string + * @return string + */ /* ------------------------------------------------- /* Replacement for html_entity_decode() /* -------------------------------------------------*/ @@ -1025,16 +1033,16 @@ class CI_Input { } // -------------------------------------------------------------------- - + /** - * Filter Attributes - * - * Filters tag attributes for consistency and safety - * - * @access public - * @param string - * @return string - */ + * Filter Attributes + * + * Filters tag attributes for consistency and safety + * + * @access public + * @param string + * @return string + */ function _filter_attributes($str) { $out = ''; @@ -1043,8 +1051,8 @@ class CI_Input { { foreach ($matches[0] as $match) { - $out .= "{$match}"; - } + $out .= preg_replace("#/\*.*?\*/#s", '', $match); + } } return $out;