summaryrefslogtreecommitdiffstats
path: root/user_guide_src
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2014-12-05 11:00:11 +0100
committerAndrey Andreev <narf@devilix.net>2014-12-05 11:00:11 +0100
commitbfa233f559a50ee0674a209fa56f866edc814fd9 (patch)
treedfdf0aa87b31db69c7c6646b8bbfbc743797edcd /user_guide_src
parentbc11439c5f7fbbb1ef0257f8083c375eeb9dd79c (diff)
Further changes related to issue #47, PR #3323
- Removed a test that was created specifically for the 'convert programmatic characters to entities' feature. - Changed filter_uri() to accept by reference and to not return anything as its only purpose now is to trigger a show_error() call. - Added changelog messages and updated the upgrade instructions.
Diffstat (limited to 'user_guide_src')
-rw-r--r--user_guide_src/source/changelog.rst2
-rw-r--r--user_guide_src/source/installation/upgrade_300.rst28
2 files changed, 24 insertions, 6 deletions
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 38fd75971..ff319b8d2 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -57,6 +57,7 @@ Release Date: Not Released
- Added support for changing the file extension of log files using ``$config['log_file_extension']``.
- Added support for turning newline standardization on/off via ``$config['standardize_newlines']`` and set it to FALSE by default.
- Added configuration setting ``$config['composer_autoload']`` to enable loading of a `Composer <https://getcomposer.org/>`_ auto-loader.
+ - Removed the automatic conversion of 'programmatic characters' to HTML entities from the :doc:`URI Library <libraries/uri>`.
- Helpers
@@ -445,6 +446,7 @@ Release Date: Not Released
- Added conditional PCRE UTF-8 support to the "invalid URI characters" check and removed the ``preg_quote()`` call from it to allow more flexibility.
- Renamed method ``_filter_uri()`` to ``filter_uri()``.
+ - Changed method ``filter_uri()`` to accept by reference and removed its return value.
- Changed private methods to protected so that MY_URI can override them.
- Renamed internal method ``_parse_cli_args()`` to ``_parse_argv()``.
- Renamed internal method ``_detect_uri()`` to ``_parse_request_uri()``.
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index ef85106b7..2e9ee4e72 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -223,8 +223,24 @@ Otherwise however, please review your usage of the following functions:
``$_COOKIE`` and ``$_SERVER`` superglobals are no longer
automatically overwritten when global XSS filtering is turned on.
+*************************************************
+Step 12: Check for potential XSS issues with URIs
+*************************************************
+
+The :doc:`URI Library <../libraries/uri>` used to automatically convert
+a certain set of "programmatic characters" to HTML entities when they
+are encountered in a URI segment.
+
+This was aimed at providing some automatic XSS prodection, in addition
+to the ``$config['permitted_uri_chars']`` setting, but has proven to be
+problematic and is now removed in CodeIgniter 3.0.
+
+If your application has relied on this feature, you should update it to
+filter URI segments through ``$this->security->xss_clean()`` whenever you
+output them.
+
********************************************************
-Step 12: Update usage of Input Class's get_post() method
+Step 13: Update usage of Input Class's get_post() method
********************************************************
Previously, the :doc:`Input Class <../libraries/input>` method ``get_post()``
@@ -235,14 +251,14 @@ A method has been added, ``post_get()``, which searches in POST then in GET, as
``get_post()`` was doing before.
***********************************************************************
-Step 13: Update usage of Directory Helper's directory_map() function
+Step 14: Update usage of Directory Helper's directory_map() function
***********************************************************************
In the resulting array, directories now end with a trailing directory
separator (i.e. a slash, usually).
*************************************************************
-Step 14: Update usage of Database Forge's drop_table() method
+Step 15: Update usage of Database Forge's drop_table() method
*************************************************************
Up until now, ``drop_table()`` added an IF EXISTS clause by default or it didn't work
@@ -264,7 +280,7 @@ If your application relies on IF EXISTS, you'll have to change its usage.
all drivers with the exception of ODBC.
***********************************************************
-Step 15: Change usage of Email library with multiple emails
+Step 16: Change usage of Email library with multiple emails
***********************************************************
The :doc:`Email Library <../libraries/email>` will automatically clear the
@@ -279,7 +295,7 @@ pass FALSE as the first parameter in the ``send()`` method:
}
***************************************************
-Step 16: Update your Form_validation language lines
+Step 17: Update your Form_validation language lines
***************************************************
Two improvements have been made to the :doc:`Form Validation Library
@@ -310,7 +326,7 @@ files and error messages format:
later.
****************************************************************
-Step 17: Remove usage of (previously) deprecated functionalities
+Step 18: Remove usage of (previously) deprecated functionalities
****************************************************************
In addition to the ``$autoload['core']`` configuration setting, there's a