author | Derek Jones <derek.jones@ellislab.com> | 2008-02-04 23:02:11 +0100 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2008-02-04 23:02:11 +0100 |
commit | ab32a428c572f859010e990e621df4f34b9dc606 (patch) | |
tree | aef79e722ffc70ca748d56e730fc8b1fd22e7907 | |
parent | 5871011bc0778cb50569bbce8358c4b619c09467 (diff) |
changed the URL decoding implementation of xss_clean() to use rawurldecode(), stopping the mis-conversion of characters into bad entities while still avoiding the unwanted removal of + signs
-rw-r--r-- | system/libraries/Input.php | 9 | ||||
-rw-r--r-- | user_guide/changelog.html | 8 |
2 files changed, 11 insertions, 6 deletions
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 1874b3790..5832d2d80 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -556,14 +556,11 @@ class CI_Input {
 *
* <a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">Google</a>
*
- * Note: Normally urldecode() would be easier but it removes plus signs
+ * Note: Use rawurldecode() so it does not remove plus signs
*
*/
- $str = preg_replace("/(%20)+/", '9u3iovBnRThju941s89rKozm', $str);
- $str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);
- $str = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $str);
- $str = str_replace('9u3iovBnRThju941s89rKozm', "%20", $str);
-
+ $str = rawurldecode($str);
+
/*
* Convert character entities to ASCII
*
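Review bot: The removed line `$str = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $str);` normalised the non-standard `%uXXXX` form into an entity for the "Convert character entities to ASCII" step that follows, and `rawurldecode()` does not decode that form, so after this change such sequences pass through the added `$str = rawurldecode($str);` untouched. If that normalisation is still wanted it should be re-added ahead of the `rawurldecode()` call; if it is deliberately dropped, the doc comment should say so. The old code also preserved `%20` literally via the placeholder swap, whereas `rawurldecode()` turns it into a space, which the new comment does not mention; I would extend it to `* Note: rawurldecode() keeps plus signs; %20 now decodes to a space and %uXXXX is not decoded`. The enclosing xss_clean() and its doc block begin and end outside this hunk.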
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 83e904681..63e45318e 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -58,6 +58,14 @@ Change Log
 <h1>Change Log</h1>
+<h2>Version 1.6.1</h2>
+<p>Release Date: -- still in development</p>
+
+<ul>
+ <li>Modified xss_clean() to be more intelligent with its handling of URL encoded strings.</li>
+</ul>
+
+
<h2>Version 1.6.0</h2>
<p>Release Date: January 30, 2008 </p>
<ul>