authorRobin Sowell <robin.sowell@ellislab.com>2010-03-18 14:44:55 +0100
committerRobin Sowell <robin.sowell@ellislab.com>2010-03-18 14:44:55 +0100
commit66a3fc0a7dc6ae84da4a1e852e4458fda7714567 (patch)
treeb3af2e9f7e8f830b2f00029aae9c648c64f388d0
parent4e8d66aeea7f03b75df5a387a54fce1889834ded (diff)
Added a $xss_clean class variable to the XMLRPC library, enabling control over the use of the Security library's xss_clean() method.
-rw-r--r--system/libraries/Xmlrpc.php9
-rw-r--r--system/libraries/Xmlrpcs.php10
-rw-r--r--user_guide/changelog.html1
-rw-r--r--user_guide/libraries/xmlrpc.html2
4 files changed, 18 insertions, 4 deletions
diff --git a/system/libraries/Xmlrpc.php b/system/libraries/Xmlrpc.php
index c46d52cdb..2e0df5c9b 100644
--- a/system/libraries/Xmlrpc.php
+++ b/system/libraries/Xmlrpc.php
@@ -63,6 +63,7 @@ class CI_Xmlrpc {
var $result;
var $response = array(); // Response from remote server
+ var $xss_clean = TRUE;
//-------------------------------------
// VALUES THAT MULTIPLE CLASSES NEED
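Review bot: The new `$xss_clean` property carries no comment, unlike the `$response` line just above it, so its fail-open meaning (FALSE hands decoded values to the caller unsanitised) is only discoverable from the user guide. I would annotate it: `var $xss_clean = TRUE; // Run decoded request/response values through Security::xss_clean(); FALSE returns them raw`. Note also that within this commit only the server class copies the flag into the message object; nothing visible here propagates a client-side `$this->xmlrpc->xss_clean = FALSE` into XML_RPC_Response, so the setting may have no effect on the client path — worth confirming against send_request() before the changelog promises it.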
@@ -513,7 +514,7 @@ class XML_RPC_Response
}
else
{
- $array[$key] = $CI->security->xss_clean($array[$key]);
+ $array[$key] = ($this->xss_clean) ? $CI->security->xss_clean($array[$key]) : $array[$key];
}
}
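Review bot: `$this->xss_clean` at the replaced line is read on an XML_RPC_Response object, and the hunk header shows that class without an `extends` clause, whereas the default `var $xss_clean = TRUE` is declared on CI_Xmlrpc. Unless XML_RPC_Response declares the property itself outside this hunk, the read yields NULL (with an E_NOTICE), the ternary takes its false branch, and response decoding silently stops calling xss_clean() by default — the opposite of the commit's stated intent. Either add `var $xss_clean = TRUE;` to XML_RPC_Response or make the test fail closed so only an explicit FALSE disables cleaning: `$array[$key] = ($this->xss_clean === FALSE) ? $array[$key] : $CI->security->xss_clean($array[$key]);`. The enclosing method starts and ends outside the hunk.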
@@ -529,7 +530,7 @@ class XML_RPC_Response
}
else
{
- $result = $CI->security->xss_clean($result);
+ $result = ($this->xss_clean) ? $CI->security->xss_clean($result) : $result;
}
}
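Review bot: The replaced line uses a bare truthiness test on `$this->xss_clean`, so any unset, NULL or empty value on this XML_RPC_Response object skips sanitisation, and nothing in the hunk shows the property being declared or assigned on this class. A security opt-out should require an explicit boolean: `$result = ($this->xss_clean === FALSE) ? $result : $CI->security->xss_clean($result);`, which keeps cleaning on when the property is missing. A short comment such as `// xss_clean is an explicit opt-out; raw response data is returned only when it is FALSE` would make the intent clear to the next reader. The enclosing method starts and ends outside the hunk.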
@@ -1129,7 +1130,7 @@ class XML_RPC_Message extends CI_Xmlrpc
{
// 'bits' is for the MetaWeblog API image bits
// @todo - this needs to be made more general purpose
- $array[$key] = ($key == 'bits') ? $array[$key] : $CI->security->xss_clean($array[$key]);
+ $array[$key] = ($key == 'bits' OR $this->xss_clean == FALSE) ? $array[$key] : $CI->security->xss_clean($array[$key]);
}
}
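Review bot: `$this->xss_clean == FALSE` on the replaced line is a loose comparison, so NULL, 0, '' and '0' all disable cleaning, while a string like 'false' leaves it on; because CI_Xmlrpcs copies `$config['xss_clean']` through uncast elsewhere in this commit, the config value's type decides whether request parameters are sanitised. Prefer a strict check so only an explicit boolean opt-out takes effect: `$array[$key] = ($key == 'bits' OR $this->xss_clean === FALSE) ? $array[$key] : $CI->security->xss_clean($array[$key]);`. This hunk also uses the `== FALSE` form while the other hunks use a bare truthiness test; one form should be used throughout so the two paths cannot diverge on the same value. The enclosing loop starts outside the hunk.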
@@ -1149,7 +1150,7 @@ class XML_RPC_Message extends CI_Xmlrpc
}
else
{
- $parameters[] = $CI->security->xss_clean($a_param);
+ $parameters[] = ($this->xss_clean) ? $CI->security->xss_clean($a_param) : $a_param;
}
}
}
diff --git a/system/libraries/Xmlrpcs.php b/system/libraries/Xmlrpcs.php
index fe1c99bf5..c1fe649f9 100644
--- a/system/libraries/Xmlrpcs.php
+++ b/system/libraries/Xmlrpcs.php
@@ -81,6 +81,11 @@ class CI_Xmlrpcs extends CI_Xmlrpc
{
$this->object = $config['object'];
}
+
+ if (isset($config['xss_clean']))
+ {
+ $this->xss_clean = $config['xss_clean'];
+ }
}
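Review bot: `$this->xss_clean = $config['xss_clean'];` stores the config value without normalising it, so whatever the caller passes ('0', 0, '', 'false', NULL) reaches the comparisons in Xmlrpc.php with PHP's coercion rules deciding whether sanitisation runs. Normalise at the boundary: `$this->xss_clean = (bool) $config['xss_clean'];`. Since this is a security opt-out, a one-line comment in the initialize block — `// FALSE disables Security::xss_clean() on incoming parameters; handlers then receive raw request data and must escape on output` — would tell a reader what they are switching off. The enclosing method starts outside the hunk.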
//-------------------------------------
@@ -247,6 +252,11 @@ class CI_Xmlrpcs extends CI_Xmlrpc
// Check to see if it is a system call
$system_call = (strncmp($methName, 'system', 5) == 0) ? TRUE : FALSE;
+ if ($this->xss_clean == FALSE)
+ {
+ $m->xss_clean = FALSE;
+ }
+
//-------------------------------------
// Valid Method
//-------------------------------------
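Review bot: The propagation added before the method-validation block uses a loose `== FALSE`, so a NULL or empty-string server flag also turns cleaning off on the message object, and the branch has no comment explaining why it is one-way. Since XML_RPC_Message extends CI_Xmlrpc and so inherits the TRUE default, a strict opt-out keeps the default intact unless explicitly disabled: `if ($this->xss_clean === FALSE) { $m->xss_clean = FALSE; }`, preceded by `// Explicit opt-out only: the message object keeps cleaning enabled unless the server was configured with xss_clean => FALSE`. The enclosing method starts and ends outside the hunk.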
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 69d7d4b88..5d2ca2f39 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -89,6 +89,7 @@ Hg Tag: </p>
<li>Added HTTP headers and Config information to the <a href="general/profiling.html">Profiler</a> output.</li>
<li>Added Chrome and Flock to the list of detectable browsers by <kbd>browser()</kbd> in the <a href="libraries/user_agent.html">User Agent Class</a>.</li>
<li>The <a href="libraries/unit_testing.html">Unit Test Class</a> now has an optional "notes" field available to it, and allows for discrete display of test result items using <kbd>$this->unit->set_test_items()</kbd>.</li>
+ <li>Added a <kbd>$xss_clean</kbd> class variable to the XMLRPC library, enabling control over the use of the Security library's <kbd>xss_clean()</kbd> method.</li>
</ul>
</li>
<li>Database
diff --git a/user_guide/libraries/xmlrpc.html b/user_guide/libraries/xmlrpc.html
index 9f163ae58..6e929f1fb 100644
--- a/user_guide/libraries/xmlrpc.html
+++ b/user_guide/libraries/xmlrpc.html
@@ -200,6 +200,8 @@ server will load the <dfn>My_blog</dfn> class and call the <dfn>update_entry</df
<p>The function names in the above example are arbitrary. You'll decide what they should be called on your server,
or if you are using standardized APIs, like the Blogger or MetaWeblog API, you'll use their function names.</p>
+
+<p>There are two additional configuration keys you may make use of when initializing the server class: <var>debug</var> can be set to TRUE in order to enable debugging, and <var>xss_clean</var> may be set to FALSE to prevent sending data through the Security library's xss_clean function.
<h2>Processing Server Requests</h2>