refactor: improve on Security library class

Signed-off-by: otengkwame <developerkwame@gmail.com>

Author: otengkwame

CodeIgniter/Framework/core/Security.php

@@ -386,14 +386,34 @@ public function xss_clean($str, $is_image = false)
 		 *
 		 * Note: Use rawurldecode() so it does not remove plus signs
 		 */
-		if (stripos($str, '%') !== false) {
-			do {
-				$oldstr = $str;
-				$str = rawurldecode($str);
-				$str = preg_replace_callback('#%(?:\s*[0-9a-f]){2,}#i', [$this, '_urldecodespaces'], $str);
-			} while ($oldstr !== $str);
-			unset($oldstr);
-		}
+
+		// List of known malicious encoded patterns (hexadecimal)
+		$malicious_encodings = [
+			'%3C' => '<',  // <
+			'%3E' => '>',  // >
+			'%22' => '"',  // "
+			'%27' => "'",  // '
+			'%3D' => '=',  // =
+			'%28' => '(',  // (
+			'%29' => ')',  // )
+			'%2F' => '/',  // /
+			'%5C' => '\\', // \
+			'%3B' => ';',  // ;
+		];
+
+		// Normalize optionally spaced encodings like "% 3C"
+		$str = preg_replace_callback('/%[\s]*[0-9a-fA-F]{2}/', function ($m) use ($malicious_encodings) {
+			// Normalize encoding: remove spaces
+			$clean = strtoupper(preg_replace('/\s+/', '', $m[0]));  // e.g., "% 3C" → "%3C"
+
+			// If the encoding is a known malicious encoding, replace it
+			if (isset($malicious_encodings[$clean])) {
+				return $malicious_encodings[$clean];
+			}
+
+			// Return as-is if not malicious (e.g., malformed encodings like %2G, %3)
+			return $m[0];
+		}, $str);
 
 		/*
 		 * Convert character entities to ASCII
@@ -631,12 +651,6 @@ public function get_random_bytes($length)
 			}
 		}
 
-		// Unfortunately, none of the following PRNGs is guaranteed to exist ...
-		if (defined('MCRYPT_DEV_URANDOM') && ($output = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM)) !== false) {
-			return $output;
-		}
-
-
 		if (is_readable('/dev/urandom') && ($fp = fopen('/dev/urandom', 'rb')) !== false) {
 			// Try not to waste entropy ...
 			is_php('5.4') && stream_set_chunk_size($fp, $length);
@@ -779,24 +793,6 @@ public function strip_image_tags($str)
 
 	// ----------------------------------------------------------------
 
-	/**
-	 * URL-decode taking spaces into account
-	 *
-	 * @see		https://github.com/bcit-ci/CodeIgniter/issues/4877
-	 * @param	array	$matches
-	 * @return	string
-	 */
-	protected function _urldecodespaces($matches)
-	{
-		$input    = $matches[0];
-		$nospaces = preg_replace('#\s+#', '', $input);
-		return ($nospaces === $input)
-			? $input
-			: rawurldecode($nospaces);
-	}
-
-	// ----------------------------------------------------------------
-
 	/**
 	 * Compact Exploded Words
 	 *