authorAndrey Andreev <narf@devilix.net>2016-03-07 10:34:43 +0100
committerAndrey Andreev <narf@devilix.net>2016-03-07 10:34:43 +0100
commite6a5f797de7381791537b736eb83b71c6fb28b39 (patch)
tree335db186e36d36ad7167e57116197b39703354a7
parent3c0d8da56b8535bb3ab563256e221c81a4a96e4a (diff)
[ci skip] Fix Profiler not applying htmlspecialchars() to all inputs
-rw-r--r--system/libraries/Profiler.php44
-rw-r--r--user_guide_src/source/changelog.rst1
2 files changed, 19 insertions, 26 deletions
diff --git a/system/libraries/Profiler.php b/system/libraries/Profiler.php
index cc7641436..cf455d3da 100644
--- a/system/libraries/Profiler.php
+++ b/system/libraries/Profiler.php
@@ -314,12 +314,14 @@ class CI_Profiler {
foreach ($_GET as $key => $val)
{
- is_int($key) OR $key = "'".$key."'";
+ is_int($key) OR $key = "'".htmlspecialchars($key, ENT_QUOTES, config_item('charset'))."'";
+ $val = (is_array($val) OR is_object($val))
+ ? '<pre>'.htmlspecialchars(print_r($val, TRUE), ENT_QUOTES, config_item('charset'))
+ : htmlspecialchars($val, ENT_QUOTES, config_item('charset'));
$output .= '<tr><td style="width:50%;color:#000;background-color:#ddd;padding:5px;">&#36;_GET['
.$key.']&nbsp;&nbsp; </td><td style="width:50%;padding:5px;color:#cd6e00;font-weight:normal;background-color:#ddd;">'
- .((is_array($val) OR is_object($val)) ? '<pre>'.htmlspecialchars(stripslashes(print_r($val, TRUE))).'</pre>' : htmlspecialchars(stripslashes($val)))
- ."</td></tr>\n";
+ .$val."</td></tr>\n";
}
$output .= "</table>\n";
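Review bot: The new array/object branch of the ternary (`'<pre>'.htmlspecialchars(print_r($val, TRUE), ...)`) drops the closing `</pre>` that the removed line still emitted, so every array-valued $_GET entry leaves an unclosed <pre> in the profiler table and the rows after it render inside that element. The same omission appears in the $_POST and $_FILES loops of the next hunk. The fix is to append the closing tag to the true branch: `? '<pre>'.htmlspecialchars(print_r($val, TRUE), ENT_QUOTES, config_item('charset')).'</pre>'`. The enclosing method begins before the hunk.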
@@ -352,36 +354,26 @@ class CI_Profiler {
foreach ($_POST as $key => $val)
{
- is_int($key) OR $key = "'".$key."'";
+ is_int($key) OR $key = "'".htmlspecialchars($key, ENT_QUOTES, config_item('charset'))."'";
+ $val = (is_array($val) OR is_object($val))
+ ? '<pre>'.htmlspecialchars(print_r($val, TRUE), ENT_QUOTES, config_item('charset'))
+ : htmlspecialchars($val, ENT_QUOTES, config_item('charset'));
$output .= '<tr><td style="width:50%;padding:5px;color:#000;background-color:#ddd;">&#36;_POST['
- .$key.']&nbsp;&nbsp; </td><td style="width:50%;padding:5px;color:#009900;font-weight:normal;background-color:#ddd;">';
-
- if (is_array($val) OR is_object($val))
- {
- $output .= '<pre>'.htmlspecialchars(stripslashes(print_r($val, TRUE))).'</pre>';
- }
- else
- {
- $output .= htmlspecialchars(stripslashes($val));
- }
-
- $output .= "</td></tr>\n";
+ .$key.']&nbsp;&nbsp; </td><td style="width:50%;padding:5px;color:#009900;font-weight:normal;background-color:#ddd;">'
+ .$val."</td></tr>\n";
}
foreach ($_FILES as $key => $val)
{
- is_int($key) OR $key = "'".$key."'";
+ is_int($key) OR $key = "'".htmlspecialchars($key, ENT_QUOTES, config_item('charset'))."'";
+ $val = (is_array($val) OR is_object($val))
+ ? '<pre>'.htmlspecialchars(print_r($val, TRUE), ENT_QUOTES, config_item('charset'))
+ : htmlspecialchars($val, ENT_QUOTES, config_item('charset'));
$output .= '<tr><td style="width:50%;padding:5px;color:#000;background-color:#ddd;">&#36;_FILES['
- .$key.']&nbsp;&nbsp; </td><td style="width:50%;padding:5px;color:#009900;font-weight:normal;background-color:#ddd;">';
-
- if (is_array($val) OR is_object($val))
- {
- $output .= '<pre>'.htmlspecialchars(stripslashes(print_r($val, TRUE))).'</pre>';
- }
-
- $output .= "</td></tr>\n";
+ .$key.']&nbsp;&nbsp; </td><td style="width:50%;padding:5px;color:#009900;font-weight:normal;background-color:#ddd;">'
+ .$val."</td></tr>\n";
}
$output .= "</table>\n";
@@ -465,7 +457,7 @@ class CI_Profiler {
foreach (array('HTTP_ACCEPT', 'HTTP_USER_AGENT', 'HTTP_CONNECTION', 'SERVER_PORT', 'SERVER_NAME', 'REMOTE_ADDR', 'SERVER_SOFTWARE', 'HTTP_ACCEPT_LANGUAGE', 'SCRIPT_NAME', 'REQUEST_METHOD',' HTTP_HOST', 'REMOTE_HOST', 'CONTENT_TYPE', 'SERVER_PROTOCOL', 'QUERY_STRING', 'HTTP_ACCEPT_ENCODING', 'HTTP_X_FORWARDED_FOR', 'HTTP_DNT') as $header)
{
- $val = isset($_SERVER[$header]) ? $_SERVER[$header] : '';
+ $val = isset($_SERVER[$header]) ? htmlspecialchars($_SERVER[$header], ENT_QUOTES, config_item('charset')) : '';
$output .= '<tr><td style="vertical-align:top;width:50%;padding:5px;color:#900;background-color:#ddd;">'
.$header.'&nbsp;&nbsp;</td><td style="width:50%;padding:5px;color:#000;background-color:#ddd;">'.$val."</td></tr>\n";
}
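Review bot: The header list on the foreach line still contains `' HTTP_HOST'` with a leading space, so `isset($_SERVER[$header])` is never true for that entry and the Host row always renders with an empty value; the commit escapes the value but leaves that entry unreachable. Changing the literal to `'HTTP_HOST'` fixes it. Separately, `htmlspecialchars()` called without `ENT_SUBSTITUTE` returns an empty string when the input is not valid in the configured charset, so a malformed request header silently shows as blank instead of escaped text; if the supported PHP baseline permits it, passing `ENT_QUOTES | ENT_SUBSTITUTE` keeps the row informative. The enclosing method begins before the hunk.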
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 12d1fc4a3..4f2bfc04e 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -39,6 +39,7 @@ Bug fixes for 3.0.5
- Fixed a bug where :doc:`Session Library <libraries/sessions>` didn't clean-up internal variables for emulated locks with the 'memcached' driver.
- Fixed a bug where :doc:`Database <database/index>` transactions didn't work with the 'ibase' driver.
- Fixed a bug (#4475) - :doc:`Security Library <libraries/security>` method ``strip_image_tags()`` preserves only the first URL character from non-quoted *src* attributes.
+- Fixed a bug where :doc:`Profiler Library <general/profiling>` didn't apply ``htmlspecialchars()`` to all displayed inputs.
Version 3.0.4
=============