update sanitizeCSS to ensure no javascript injection occurs, see #2
FreelancePHP committed Aug 14, 2014
1 parent 43da2f3 commit 379d93e
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion lib/io/Input.php
Expand Up @@ -350,7 +350,13 @@ static function sanitizeCSS($input)
* to execute remote code
*/
$output = preg_replace('/(.)*(@)+(.)*/', '', $output);
return $output;
$bad_chars = array("\"", "'", "(", "\\\\", "<", "&");

$safe_chars = array("&quot;", "&apos;", "&lpar;", "&bsol;", "&lt;", "&amp;");

$output = str_replace($bad_chars, $safe_chars, $output);

return stripslashes($output);
}

/**
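Review bot: The replacement order in the new `$bad_chars`/`$safe_chars` arrays double-encodes its own output, because `str_replace` applies the pairs left to right and the `&` → `&amp;` pair comes last, so a `"` ends up as `&amp;quot;` rather than `&quot;`; the ampersand pair has to go first. The backslash entry `"\\\\"` is a two-backslash sequence, so a single backslash — the CSS escape introducer, e.g. `\28` for `(` — is not encoded and is only removed by the trailing `stripslashes()`, which also turns `\0` into a NUL byte; encoding `"\\"` directly lets the `stripslashes` call go: `$bad_chars = array("&", "\"", "'", "(", "\\", "<");`, `$safe_chars = array("&amp;", "&quot;", "&apos;", "&lpar;", "&bsol;", "&lt;");`, `return $output;`. Note also that HTML entities are not CSS escapes: they stay literal inside a `<style>` element, but if this value is ever placed in a `style` attribute the HTML parser decodes `&lpar;` back to `(` before the CSS parser sees it, undoing the filter, and the output context is not visible in this hunk. sanitizeCSS begins before the hunk.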