Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

xss_clean adds semicolon to anything with an & #1674

Raffy6250 opened this Issue Jul 31, 2012 · 6 comments


None yet
4 participants

I’ve noticed that the xss_clean function seems to add a semi-colon to any string that contains an ampersand.
For example, if someone writes “me&you” in a textarea and I run it through the xss_clean function, it will return “me&you;”.


dribes commented Aug 2, 2012

I will take a look at this one

dribes commented Aug 2, 2012

should be fixed replacing regexp on line #797 in the system/core/Security.php by this one :

    $str = preg_replace('#(^&\#?[0-9a-z]{2,})([\x00-\x20])*;?#i', '\\1;\\2', $str);

narfbg commented Nov 4, 2012

Duplicate of #1261.

@narfbg narfbg closed this Nov 4, 2012

bigprof commented Sep 15, 2015

Could this be a fix?
$str = preg_replace('#(&\#[0-9a-z]{2,})([\x00-\x20])*;?#i', "\\1;\\2", $str);


narfbg commented Sep 15, 2015

@bigprof This was 3 years ago ... If you tried the latest CI versions you'd see that it is already fixed.

bigprof commented Sep 15, 2015

@narfbg I was using this component as a stand-alone in a project rather than the entire CodeIgniter framework. Sorry for the misunderstanding.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment