Merge branch 'develop' of github.com:EllisLab/CodeIgniter into develop

5 files changed, 53 insertions, 15 deletions

diff --git a/system/core/Common.php b/system/core/Common.php
index db9fbeb9f..d79375475 100644
--- a/system/core/Common.php
+++ b/system/core/Common.php
@@ -132,9 +132,9 @@ if ( ! function_exists('load_class'))
 
 		$name = FALSE;
 
-		// Look for the class first in the native system/libraries folder
-		// thenin the local application/libraries folder
-		foreach (array(BASEPATH, APPPATH) as $path)
+		// Look for the class first in the local application/libraries folder
+		// then in the native system/libraries folder
+		foreach (array(APPPATH, BASEPATH) as $path)
 		{
 			if (file_exists($path.$directory.'/'.$class.'.php'))
 			{
@@ -536,5 +536,29 @@ if ( ! function_exists('remove_invisible_characters'))
 	}
 }
 
+// ------------------------------------------------------------------------
+
+/**
+* Returns HTML escaped variable
+*
+* @access	public
+* @param	mixed
+* @return	mixed
+*/
+if ( ! function_exists('html_escape'))
+{
+	function html_escape($var)
+	{
+		if (is_array($var))
+		{
+			return array_map('html_escape', $var);
+		}
+		else
+		{
+			return htmlspecialchars($var, ENT_QUOTES, config_item('charset'));
+		}
+	}
+}
+
 /* End of file Common.php */
 /* Location: ./system/core/Common.php */
\ No newline at end of file
diff --git a/system/core/Lang.php b/system/core/Lang.php
index 5ac671838..d61d1029a 100755
--- a/system/core/Lang.php
+++ b/system/core/Lang.php
@@ -112,7 +112,7 @@ class CI_Lang {
 		}
 
 
-		if ( ! isset($lang))
+		if ( ! isset($lang) OR ! is_array($lang))
 		{
 			log_message('error', 'Language file contains no data: language/'.$idiom.'/'.$langfile);
 			return;
@@ -124,7 +124,7 @@ class CI_Lang {
 		}
 
 		$this->is_loaded[] = $langfile;
-		$this->language = array_merge($this->language, $lang);
+		$this->language = $this->language + $lang;
 		unset($lang);
 
 		log_message('debug', 'Language file loaded: language/'.$idiom.'/'.$langfile);
diff --git a/system/core/Loader.php b/system/core/Loader.php
index e7fa3d3f6..de0fc06d2 100755
--- a/system/core/Loader.php
+++ b/system/core/Loader.php
@@ -127,7 +127,7 @@ class CI_Loader {
 		$this->_ci_library_paths = array(APPPATH, BASEPATH);
 		$this->_ci_helper_paths = array(APPPATH, BASEPATH);
 		$this->_ci_model_paths = array(APPPATH);
-		$this->_ci_view_paths = array(APPPATH.'views/'	=> TRUE);
+		$this->_ci_view_paths = array(VIEWPATH	=> TRUE);
 
 		log_message('debug', "Loader Class Initialized");
 	}
@@ -1106,7 +1106,7 @@ class CI_Loader {
 	 * @param	array
 	 * @return	void
 	 */
-	private function _ci_autoloader()
+	protected function _ci_autoloader()
 	{
 		if (defined('ENVIRONMENT') AND file_exists(APPPATH.'config/'.ENVIRONMENT.'/autoload.php'))
 		{
diff --git a/system/core/Security.php b/system/core/Security.php
index dcc680a11..342455f27 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -33,6 +33,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_xss_hash			= '';
+	
 	/**
 	 * Random Hash for Cross Site Request Forgery Protection Cookie
 	 *
@@ -40,6 +41,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_hash			= '';
+	
 	/**
 	 * Expiration time for Cross Site Request Forgery Protection Cookie
 	 * Defaults to two hours (in seconds)
@@ -48,6 +50,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_expire			= 7200;
+	
 	/**
 	 * Token name for Cross Site Request Forgery Protection Cookie
 	 *
@@ -55,6 +58,7 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_token_name		= 'ci_csrf_token';
+	
 	/**
 	 * Cookie name for Cross Site Request Forgery Protection Cookie
 	 *
@@ -62,12 +66,14 @@ class CI_Security {
 	 * @access protected
 	 */
 	protected $_csrf_cookie_name	= 'ci_csrf_token';
+	
 	/**
 	 * List of never allowed strings
 	 *
 	 * @var array
 	 * @access protected
 	 */
+	
 	protected $_never_allowed_str = array(
 					'document.cookie'	=> '[removed]',
 					'document.write'	=> '[removed]',
@@ -80,7 +86,6 @@ class CI_Security {
 					'<![CDATA['			=> '&lt;![CDATA['
 	);
 
-	/* never allowed, regex replacement */
 	/**
 	 * List of never allowed regex replacement
 	 *
@@ -134,6 +139,16 @@ class CI_Security {
 		{
 			return $this->csrf_set_cookie();
 		}
+		
+		// Check if URI has been whitelisted from CSRF checks
+		if ($exclude_uris = config_item('csrf_exclude_uris'))
+		{
+			$uri = load_class('URI', 'core');
+			if (in_array($uri->uri_string(), $exclude_uris))
+			{
+				return $this;
+			}
+		}
 
 		// Do the tokens exist in both the _POST and _COOKIE arrays?
 		if ( ! isset($_POST[$this->_csrf_token_name]) OR
@@ -156,9 +171,9 @@ class CI_Security {
 		unset($_COOKIE[$this->_csrf_cookie_name]);
 		$this->_csrf_set_hash();
 		$this->csrf_set_cookie();
-
-		log_message('debug', "CSRF token verified ");
-
+		
+		log_message('debug', "CSRF token verified");
+		
 		return $this;
 	}
 
@@ -869,7 +884,6 @@ class CI_Security {
 	}
 
 }
-// END Security Class
 
 /* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
+/* Location: ./system/libraries/Security.php */
\ No newline at end of file
diff --git a/system/core/URI.php b/system/core/URI.php
index a3ae20cc3..8946bc76b 100755
--- a/system/core/URI.php
+++ b/system/core/URI.php
@@ -175,7 +175,7 @@ class CI_URI {
 	 * @access	private
 	 * @return	string
 	 */
-	private function _detect_uri()
+	protected function _detect_uri()
 	{
 		if ( ! isset($_SERVER['REQUEST_URI']) OR ! isset($_SERVER['SCRIPT_NAME']))
 		{
@@ -232,7 +232,7 @@ class CI_URI {
 	 * @access	private
 	 * @return	string
 	 */
-	private function _parse_cli_args()
+	protected function _parse_cli_args()
 	{
 		$args = array_slice($_SERVER['argv'], 1);