author Andrey Andreev <narf@devilix.net> 2014-01-08 16:19:03 +0100
committer Andrey Andreev <narf@devilix.net> 2014-01-08 16:19:03 +0100
commit 80a16b1cd0d4716b5ea41497685a8fac02e34333 (patch)
tree 3705897a0412c65f0ff4e01f6733a67217064bff /user_guide_src/source/changelog.rst
parent fb614478990694c3622baee2d01b414638c26508 (diff)
Fix #346
When $config['global_xss_filtering'] was turned on, the $_GET, $_POST, $_COOKIE & $_SERVER superglobals were automatically overwritten. This resulted in one of the following problems:

- xss_clean() being called twice
- Inability to retrieve the original (not filtered) value

XSS filtering is now only applied on demand by the Input class, and the default value for the $xss_clean parameter in CI_Input methods is changed to NULL. Unless a boolean value is passed to them, whether XSS filtering is applied depends on the $config['global_xss_filtering'] value.
Diffstat (limited to 'user_guide_src/source/changelog.rst')
-rw-r--r-- user_guide_src/source/changelog.rst 2
1 files changed, 2 insertions, 0 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 3fa27ffa8..85cd60293 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -402,6 +402,7 @@ Release Date: Not Released
- Changed method ``valid_ip()`` to use PHP's native ``filter_var()`` function.
- Changed internal method ``_sanitize_globals()`` to skip enforcing reversal of *register_globals* in PHP 5.4+, where this functionality no longer exists.
- Changed methods ``get()``, ``post()``, ``get_post()``, ``cookie()``, ``server()``, ``user_agent()`` to return NULL instead of FALSE when no value is found.
+ - Changed default value of the ``$xss_clean`` parameter to NULL for all methods that utilize it, the default value is now determined by the ``$config['global_xss_filtering']`` setting.
- Added method ``post_get()`` and changed ``get_post()`` to search in GET data first. Both methods' names now properly match their GET/POST data search priorities.
- Changed method ``_fetch_from_array()`` to parse array notation in field name.
- Added an option for ``_clean_input_keys()`` to return FALSE instead of terminating the whole script.
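Review bot: The added ``$xss_clean`` entry says the default is "NULL" and, in the same sentence, that "the default value is now determined by" the config setting, which reads as a contradiction, and the two clauses are joined by a comma splice. Suggest splitting it: state that the parameter now defaults to NULL, then that with NULL the ``$config['global_xss_filtering']`` setting decides whether filtering is applied. The entry also omits the part of the commit message that matters most to anyone upgrading: an explicit boolean overrides the setting, so a call that passes FALSE now returns the unfiltered value even when global filtering is on. That deserves its own sentence here, and naming the affected methods instead of "all methods that utilize it" would let readers audit their call sites.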
@@ -646,6 +647,7 @@ Bug fixes for 3.0
- Fixed a bug (#2143) - :doc:`Form Validation Library <libraries/form_validation>` didn't check for rule groups named in a *controller/method* manner when trying to load from a config file.
- Fixed a bug (#2762) - :doc:`Hooks Class <general/hooks>` didn't properly check if the called class/function exists.
- Fixed a bug (#148) - while sanitizing input data, ``CI_Input::_clean_input_data()`` assumed that it is URL-encoded, stripping certain character sequences from it.
+- Fixed a bug (#346) - with ``$config['global_xss_filtering']`` turned on, the ``$_GET``, ``$_POST``, ``$_COOKIE`` and ``$_SERVER`` superglobals were overwritten during initialization time, resulting in XSS filtering being either performed twice or there was no possible way to get the original data, even though options for this do exist.
Version 2.1.4
=============
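Review bot: The #346 entry describes the old behaviour but never states the new one, and its tail ("being either performed twice or there was no possible way to get the original data") is not grammatically parallel. Suggest rewording to "resulting in XSS filtering being performed twice or the original data being impossible to retrieve", and adding that the superglobals are no longer overwritten and filtering is applied on demand by the Input class, as the commit message says. That second point has a security consequence worth spelling out in the changelog: code that reads ``$_GET``, ``$_POST``, ``$_COOKIE`` or ``$_SERVER`` directly and relied on the global filter will now receive unfiltered values and should go through the Input class methods instead. "during initialization time" can also be shortened to "during initialization".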