Fix #148

CI_Input::_clean_input_data() assumed that all input data is URL-encoded while sanitizing it. However, PHP already performs URL-decoding on it, so this is either redudant or overly intrusive as it resulted in many, many reports of data containing '%' followed by 1 numeric characters being essentially destroyed. Supersedes PR #1229
author: Andrey Andreev <narf@devilix.net> 2014-01-08 15:07:31 +0100
committer: Andrey Andreev <narf@devilix.net> 2014-01-08 15:07:31 +0100
commit: 5ac428bea999a332b46b17fe26ee0045e5cfd39c (patch)
tree: 7c7c758b77d39690093e68132026677a1a7f0b8b /system/core/Input.php
parent: 119d8a7547e155edaaa53682b9247cd7e80d8c9d (diff)
1 files changed, 6 insertions, 4 deletions
diff --git a/system/core/Input.php b/system/core/Input.php
index ded462190..164867636 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -687,9 +687,11 @@ class CI_Input {
 			// but that when present will trip our 'Disallowed Key Characters' alarm
 			// http://www.ietf.org/rfc/rfc2109.txt
 			// note that the key names below are single quoted strings, and are not PHP variables
-			unset($_COOKIE['$Version']);
-			unset($_COOKIE['$Path']);
-			unset($_COOKIE['$Domain']);
+			unset(
+				$_COOKIE['$Version'],
+				$_COOKIE['$Path'],
+				$_COOKIE['$Domain']
+			);
 
 			foreach ($_COOKIE as $key => $val)
 			{
@@ -756,7 +758,7 @@ class CI_Input {
 		}
 
 		// Remove control characters
-		$str = remove_invisible_characters($str);
+		$str = remove_invisible_characters($str, FALSE);
 
 		// Should we filter the input data?
 		if ($this->_enable_xss === TRUE)
author	Andrey Andreev <narf@devilix.net>	2014-01-08 15:07:31 +0100
committer	Andrey Andreev <narf@devilix.net>	2014-01-08 15:07:31 +0100
commit	5ac428bea999a332b46b17fe26ee0045e5cfd39c (patch)
tree	7c7c758b77d39690093e68132026677a1a7f0b8b /system/core/Input.php
parent	119d8a7547e155edaaa53682b9247cd7e80d8c9d (diff)