About 2.1.0 CI_Security class
#1

[eluser]paperen[/eluser]
CI version 2.1.0

Code:
$str = '<p style="margin-top:0.4em;margin-bottom:0.5em;line-height:19px;font-family:sans-serif;font-size:13px;white-space:normal;background-color:#FFFFFF;">Broken p</p>';
// output: <p  p</p>
echo $this->security->xss_clean( $str );
exit;


I think there's something wrong with this regex in the _remove_evil_attributes function

Code:
// $attribs holds the evil attribute strings found earlier; the matched one ($3) is dropped from the tag
$str = preg_replace("/<(\/?[^><]+?)([^A-Za-z\-])(".implode('|', $attribs).")([\s><])([><]*)/i", '<$1$2$4$5', $str, -1, $count);

But I can't fix it :-D
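To see why the markup comes out as <p  p</p>, here is an added example (not CI_Security's own code) that re-creates the attribute-stripping loop as a stand-alone function. It assumes, as the regex quoted above implies, that the replacement pattern is built from previously collected style=/on*= matches, and that unquoted attribute values are collected with [^\s]* (stop at whitespace, but not at >). The $stop_at_gt switch is my addition: it restricts the value to [^\s>]* so the tag's closing bracket is never swallowed; it is an illustration of the mechanism, not a claim about the 2.1.2 patch.

```php
<?php
// Added illustration, not CI_Security's own code: a minimal re-creation of the
// evil-attribute stripping loop so the "<p  p</p>" result can be reproduced.
// Assumption: unquoted attribute values are collected with "[^\s]*", i.e. they
// stop at whitespace but not at ">". The replacement regex is the one quoted in
// post #1 (with the backslashes the forum dropped restored).

function strip_evil_attributes(string $str, bool $stop_at_gt): string
{
    // Attributes treated as dangerous: event handlers, style, xmlns, formaction
    $evil     = array('on\w*', 'style', 'xmlns', 'formaction');
    $evil_alt = implode('|', $evil);

    // The suspected defect: "[^\s]*" lets an unquoted value run past the tag's ">".
    // With $stop_at_gt the value ends at whitespace OR ">", so the tag stays intact.
    $unquoted_value = $stop_at_gt ? '[^\s>]*' : '[^\s]*';

    do {
        $count   = 0;
        $attribs = array();

        // 1) attribute=value without quotes
        preg_match_all('/(' . $evil_alt . ')\s*=\s*(' . $unquoted_value . ')/is', $str, $m, PREG_SET_ORDER);
        foreach ($m as $attr) {
            $attribs[] = preg_quote($attr[0], '/');
        }

        // 2) attribute="value" or attribute='value'
        preg_match_all('/(' . $evil_alt . ')\s*=\s*(["\'])(.*?)\2/is', $str, $m, PREG_SET_ORDER);
        foreach ($m as $attr) {
            $attribs[] = preg_quote($attr[0], '/');
        }

        // 3) remove each collected attribute when it sits inside a tag; $3 is dropped
        if (count($attribs) > 0) {
            $str = preg_replace(
                '/<(\/?[^><]+?)([^A-Za-z\-])(' . implode('|', $attribs) . ')([\s><])([><]*)/i',
                '<$1$2$4$5',
                $str,
                -1,
                $count
            );
        }
    } while ($count);

    return $str;
}

// Constructed input: the markup from post #1.
$str = '<p style="margin-top:0.4em;margin-bottom:0.5em;line-height:19px;font-family:sans-serif;font-size:13px;white-space:normal;background-color:#FFFFFF;">Broken p</p>';

// With "[^\s]*" the collected value is  "margin-top...#FFFFFF;">Broken  (it
// swallowed the ">" and the word after it), so removing it also removes the
// end of the tag:
echo strip_evil_attributes($str, false), "\n";   // <p  p</p>

// Stopping the value at ">" keeps the tag boundary; only the attribute goes
// (a stray space remains because $2, the separator before the attribute, is kept):
echo strip_evil_attributes($str, true), "\n";    // <p >Broken p</p>

// The stricter matcher still strips an unquoted event handler:
echo strip_evil_attributes('<a href="#" onclick=alert(1)>link</a>', true), "\n";   // <a href="#" >link</a>
```

The point for anyone relying on global_xss_filtering: the filter is a regex stripper, not an HTML parser, so the exact shape of its value matcher decides whether a tag survives. Any change to these patterns is worth re-testing against editor output (such as CKEditor's inline style attributes) as well as against event-handler payloads.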
#2

[eluser]skunkbad[/eluser]
What happens when you do this:

Code:
var_dump( $this->security->xss_clean( $str ) );
#3

[eluser]Dan Storm[/eluser]
What output did you expect?
$this->security->xss_clean() is meant for securing your input against XSS?
#4

[eluser]paperen[/eluser]
[quote author="Dan Storm" date="1333221782"]What output did you expect?
$this->security->xss_clean() is meant for securing your input against XSS?[/quote]

I know it's meant for securing input against XSS

I set $config['global_xss_filtering'] = TRUE, and when I posted some text edited by CKEditor, I found the structure had been broken

I expect:
Code:
<p>Broken p</p>

not
Code:
<p  p</p>

The HTML was broken
#5

[eluser]paperen[/eluser]
[quote author="skunkbad" date="1333212331"]What happens when you do this:

Code:
var_dump( $this->security->xss_clean( $str ) );
[/quote]

What I want to emphasize is the result (the HTML structure was destroyed)
#6

[eluser]Dan Storm[/eluser]
The xss_clean method is not for validating HTML input and is not intended for general use (this has also been stated in the documentation).
This doesn't seem to be a bug, as the xss_clean method seems to correctly treat the input as a possible threat.
#7

[eluser]paperen[/eluser]
This problem is fixed in 2.1.2