diff options
author | Andrey Andreev <narf@devilix.net> | 2014-01-08 16:19:03 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-01-08 16:19:03 +0100 |
commit | 80a16b1cd0d4716b5ea41497685a8fac02e34333 (patch) | |
tree | 3705897a0412c65f0ff4e01f6733a67217064bff /user_guide_src/source/installation | |
parent | fb614478990694c3622baee2d01b414638c26508 (diff) |
Fix #346
When ['global_xss_filtering'] was turned on, the , , &
superglobals were automatically overwritten. This resulted in one of the following problems:
- xss_clean() being called twice
- Inability to retrieve the original (not filtered) value
XSS filtering is now only applied on demand by the Input class, and the default value for
the parameter in CI_Input methods is changed to NULL. Unless a boolean value is
passed to them, whether XSS filtering is applied depends on the ['global_xss_filtering']
value.
Diffstat (limited to 'user_guide_src/source/installation')
-rw-r--r-- | user_guide_src/source/installation/upgrade_300.rst | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 41153df16..f0759a15e 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -188,8 +188,39 @@ Many methods and functions now return NULL instead of FALSE when the required it - element() - elements() +******************************* +Step 11: Usage of XSS filtering +******************************* + +Many functions in CodeIgniter allow you to use its XSS filtering feature +on demand by passing a boolean parameter. The default value of that +parameter used to be boolean FALSE, but it is now changed to NULL and it +will be dynamically determined by your ``$config['global_xss_filtering']`` +value. + +If you used to manually pass a boolean value for the ``$xss_filter`` +parameter or if you've always had ``$config['global_xss_filtering']`` set +to FALSE, then this change doesn't concern you. + +Otherwise however, please review your usage of the following functions: + + - :doc:`Input Library <../libraries/input>` + + - input->get() + - input->post() + - input->get_post() + - input->cookie() + - input->server() + - input->input_stream() + + - :doc:`Cookie Helper <../helpers/cookie_helper>` :func:`get_cookie()` + +.. important:: Another related change is that the ``$_GET``, ``$_POST``, + ``$_COOKIE`` and ``$_SERVER`` superglobals are no longer + automatically overwritten when global XSS filtering is turned on. + ******************************************************** -Step 11: Update usage of Input Class's get_post() method +Step 12: Update usage of Input Class's get_post() method ******************************************************** Previously, the :doc:`Input Class <../libraries/input>` method ``get_post()`` @@ -200,14 +231,14 @@ A method has been added, ``post_get()``, which searches in POST then in GET, as ``get_post()`` was doing before. *********************************************************************** -Step 12: Update usage of Directory Helper's directory_map() function +Step 13: Update usage of Directory Helper's directory_map() function *********************************************************************** In the resulting array, directories now end with a trailing directory separator (i.e. a slash, usually). ************************************************************* -Step 13: Update usage of Database Forge's drop_table() method +Step 14: Update usage of Database Forge's drop_table() method ************************************************************* Up until now, ``drop_table()`` added an IF EXISTS clause by default or it didn't work @@ -229,7 +260,7 @@ If your application relies on IF EXISTS, you'll have to change its usage. all drivers with the exception of ODBC. *********************************************************** -Step 14: Change usage of Email library with multiple emails +Step 15: Change usage of Email library with multiple emails *********************************************************** The :doc:`Email Library <../libraries/email>` will automatically clear the @@ -244,7 +275,7 @@ pass FALSE as the first parameter in the ``send()`` method: } *************************************************** -Step 15: Update your Form_validation language lines +Step 16: Update your Form_validation language lines *************************************************** Two improvements have been made to the :doc:`Form Validation Library @@ -275,7 +306,7 @@ files and error messages format: later. **************************************************************** -Step 16: Remove usage of (previously) deprecated functionalities +Step 17: Remove usage of (previously) deprecated functionalities **************************************************************** In addition to the ``$autoload['core']`` configuration setting, there's a @@ -491,7 +522,7 @@ CodeIgniter 3.1+. sooner rather than later. *********************************************************** -Step 17: Check your usage of Text helper highlight_phrase() +Step 18: Check your usage of Text helper highlight_phrase() *********************************************************** The default HTML tag used by :doc:`Text Helper <../helpers/text_helper>` function |