Merge branch '3.1-stable' into develop

Conflicts resolved:
	system/core/CodeIgniter.php
	system/core/Common.php
	system/core/Input.php
	system/helpers/cookie_helper.php
	tests/codeigniter/helpers/html_helper_test.php
	user_guide_src/source/changelog.rst
	user_guide_src/source/conf.py
	user_guide_src/source/installation/downloads.rst
	user_guide_src/source/installation/upgrading.rst
	user_guide_src/source/libraries/input.rst

3 files changed, 14 insertions, 7 deletions

diff --git a/user_guide_src/source/libraries/input.rst b/user_guide_src/source/libraries/input.rst
index 8a0b5f286..7f762e9f0 100644
--- a/user_guide_src/source/libraries/input.rst
+++ b/user_guide_src/source/libraries/input.rst
@@ -242,7 +242,7 @@ Class Reference
 		This method is identical to ``get()``, ``post()`` and ``cookie()``,
 		only it fetches the *php://input* stream data.
 
-	.. php:method:: set_cookie($name = ''[, $value = ''[, $expire = 0[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = FALSE[, $httponly = FALSE]]]]]]])
+	.. php:method:: set_cookie($name = ''[, $value = ''[, $expire = 0[, $domain = ''[, $path = '/'[, $prefix = ''[, $secure = NULL[, $httponly = NULL]]]]]]])
 
 		:param	mixed	$name: Cookie name or an array of parameters
 		:param	string	$value: Cookie value
@@ -295,8 +295,8 @@ Class Reference
 		The prefix is only needed if you need to avoid name collisions with
 		other identically named cookies for your server.
 
-		The secure boolean is only needed if you want to make it a secure cookie
-		by setting it to TRUE.
+		The *httponly* and *secure* flags, when omitted, will default to your
+		``$config['cookie_httponly']`` and ``$config['cookie_secure']`` settings.
 
 		**Discrete Parameters**
 
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index f7604ef00..fc5cba19d 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -40,6 +40,9 @@ browser may attempt to execute.
 		// file failed the XSS test
 	}
 
+.. important:: If you want to filter HTML attribute values, use
+	:php:func:`html_escape()` instead!
+
 *********************************
 Cross-site request forgery (CSRF)
 *********************************
@@ -101,7 +104,11 @@ Class Reference
 		:rtype:	mixed
 
 		Tries to remove XSS exploits from the input data and returns the cleaned string.
-		If the optional second parameter is set to true, it will return boolean TRUE if the image is safe to use and FALSE if malicious data was detected in it.
+		If the optional second parameter is set to true, it will return boolean TRUE if
+		the image is safe to use and FALSE if malicious data was detected in it.
+
+		.. important:: This method is not suitable for filtering HTML attribute vales!
+			Use :php:func:`html_escape()` for that instead.
 
 	.. php:method:: sanitize_filename($str[, $relative_path = FALSE])
 
@@ -162,4 +169,4 @@ Class Reference
 		Used for generating CSRF and XSS tokens.
 
 		.. note:: The output is NOT guaranteed to be cryptographically secure,
-			just the best attempt at that.
\ No newline at end of file
+			just the best attempt at that.
diff --git a/user_guide_src/source/libraries/typography.rst b/user_guide_src/source/libraries/typography.rst
index 1d1e4f3c4..9e1386835 100644
--- a/user_guide_src/source/libraries/typography.rst
+++ b/user_guide_src/source/libraries/typography.rst
@@ -44,7 +44,7 @@ Class Reference
 			$this->load->library('typography');
 			$this->typography->protect_braced_quotes = TRUE;
 
-	.. method auto_typography($str[, $reduce_linebreaks = FALSE])
+	.. php:method:: auto_typography($str[, $reduce_linebreaks = FALSE])
 
 		:param	string	$str: Input string
 		:param	bool	$reduce_linebreaks: Whether to reduce consequitive linebreaks
@@ -104,4 +104,4 @@ Class Reference
 
 		Usage example::
 
-			$string = $this->typography->nl2br_except_pre($string);
\ No newline at end of file
+			$string = $this->typography->nl2br_except_pre($string);