15 files changed, 124 insertions, 65 deletions

diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 64120df8e..03cbeb673 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -8,20 +8,55 @@ Version 3.1.0
 Release Date: Not Released
 
 
-Version 3.0.2
+Version 3.0.3
 =============
 
 Release Date: Not Released
 
+-  Database
+
+   -  Optimized :doc:`Database Utility <database/utilities>` method ``csv_from_result()`` for speed with larger result sets.
+
+Bug fixes for 3.0.3
+-------------------
+
+Version 3.0.2
+=============
+
+Release Date: October 8, 2015
+
+-  **Security**
+
+   -  Fixed a number of XSS attack vectors in :doc:`Security Library <libraries/security>` method ``xss_clean()``  (thanks to Frans Rosén from `Detectify <https://detectify.com/>`_).
+
 -  General Changes
 
    -  Updated the *application/config/constants.php* file to check if constants aren't already defined before doing that.
+   -  Changed :doc:`Loader Library <libraries/loader>` method ``model()`` to only apply ``ucfirst()`` and not ``strtolower()`` to the requested class name.
+   -  Changed :doc:`Config Library <libraries/config>` methods ``base_url()``, ``site_url()`` to allow protocol-relative URLs by passing an empty string as the protocol.
 
 Bug fixes for 3.0.2
 -------------------
 
 -  Fixed a bug (#2284) - :doc:`Database <database/index>` method ``protect_identifiers()`` breaks when :doc:`Query Builder <database/query_builder>` isn't enabled.
 -  Fixed a bug (#4052) - :doc:`Routing <general/routing>` with anonymous functions didn't work for routes that don't use regular expressions.
+-  Fixed a bug (#4056) - :doc:`Input Library <libraries/input>` method ``get_request_header()`` could not return a value unless ``request_headers()`` was called beforehand.
+-  Fixed a bug where the :doc:`Database Class <database/index>` entered an endless loop if it fails to connect with the 'sqlsrv' driver.
+-  Fixed a bug (#4065) - :doc:`Database <database/index>` method ``protect_identifiers()`` treats a traling space as an alias separator if the input doesn't contain ' AS '.
+-  Fixed a bug (#4066) - :doc:`Cache Library <libraries/caching>` couldn't fallback to a backup driver if the primary one is Memcache(d) or Redis.
+-  Fixed a bug (#4073) - :doc:`Email Library <libraries/email>` method ``send()`` could return TRUE in case of an actual failure when an SMTP command fails.
+-  Fixed a bug (#4086) - :doc:`Query Builder <database/query_builder>` didn't apply *dbprefix* to LIKE conditions if the pattern included spaces.
+-  Fixed a bug (#4091) - :doc:`Cache Library <libraries/caching>` 'file' driver could be tricked into accepting empty cache item IDs.
+-  Fixed a bug (#4093) - :doc:`Query Builder <database/query_builder>` modified string values containing 'AND', 'OR' while compiling WHERE conditions.
+-  Fixed a bug (#4096) - :doc:`Query Builder <database/query_builder>` didn't apply *dbprefix* when compiling BETWEEN conditions.
+-  Fixed a bug (#4105) - :doc:`Form Validation Library <libraries/form_validation>` didn't allow pipe characters inside "bracket parameters" when using a string ruleset.
+-  Fixed a bug (#4109) - :doc:`Routing <general/routing>` to *default_controller* didn't work when *enable_query_strings* is set to TRUE.
+-  Fixed a bug (#4044) - :doc:`Cache Library <libraries/caching>` 'redis' driver didn't catch ``RedisException`` that could be thrown during authentication.
+-  Fixed a bug (#4120) - :doc:`Database <database/index>` method ``error()`` didn't return error info when called after ``query()`` with the 'mssql' driver.
+-  Fixed a bug (#4116) - :doc:`Pagination Library <libraries/pagination>` set the wrong page number on the "data-ci-pagination-page" attribute in generated links.
+-  Fixed a bug where :doc:`Pagination Library <libraries/pagination>` added the 'rel="start"' attribute to the first displayed link even if it's not actually linking the first page.
+-  Fixed a bug (#4137) - :doc:`Error Handling <general/errors>` breaks for the new ``Error`` exceptions under PHP 7.
+-  Fixed a bug (#4126) - :doc:`Form Validation Library <libraries/form_validation>` method ``reset_validation()`` discarded validation rules from config files.
 
 Version 3.0.1
 =============
diff --git a/user_guide_src/source/contributing/index.rst b/user_guide_src/source/contributing/index.rst
index 0112ca065..5966070d1 100644
--- a/user_guide_src/source/contributing/index.rst
+++ b/user_guide_src/source/contributing/index.rst
@@ -29,12 +29,24 @@ own copy. This will require you to use the version control system called Git.
 Support
 *******
 
-Note that GitHub is not for general support questions!
+Please note that GitHub is not for general support questions! If you are
+having trouble using a feature of CodeIgniter, ask for help on our
+`forums <http://forum.codeigniter.com/>`_ instead.
 
-If you are having trouble using a feature of CodeIgniter, ask for help on the forum.
+If you are not sure whether you are using something correctly or if you
+have found a bug, again - please ask on the forums first.
 
-If you are wondering if you are using
-something correctly or if you have found a bug, ask on the forum first.
+********
+Security
+********
+
+Did you find a security issue in CodeIgniter?
+
+Please *don't* disclose it publicly, but e-mail us at security@codeigniter.com,
+or report it via our page on `HackerOne <https://hackerone.com/codeigniter>`_.
+
+If you've found a critical vulnerability, we'd be happy to credit you in our
+`ChangeLog <../changelog>`.
 
 ****************************
 Tips for a Good Issue Report
diff --git a/user_guide_src/source/database/db_driver_reference.rst b/user_guide_src/source/database/db_driver_reference.rst
index 005e6b3dc..ea692515c 100644
--- a/user_guide_src/source/database/db_driver_reference.rst
+++ b/user_guide_src/source/database/db_driver_reference.rst
@@ -124,8 +124,8 @@ This article is intended to be a reference for them.
 		Enable/disable transaction "strict" mode.
 
 		When strict mode is enabled, if you are running multiple
-		groups of transactions and one group fails, all groups
-		will be rolled back.
+		groups of transactions and one group fails, all subsequent
+		groups will be rolled back.
 
 		If strict mode is disabled, each group is treated
 		autonomously, meaning a failure of one group will not
diff --git a/user_guide_src/source/database/examples.rst b/user_guide_src/source/database/examples.rst
index 8b3cc4701..5fd7fccfa 100644
--- a/user_guide_src/source/database/examples.rst
+++ b/user_guide_src/source/database/examples.rst
@@ -55,23 +55,6 @@ Standard Query With Multiple Results (Array Version)
 The above result_array() function returns an array of standard array
 indexes. Example: $row['title']
 
-Testing for Results
-===================
-
-If you run queries that might **not** produce a result, you are
-encouraged to test for a result first using the num_rows() function::
-
-	$query = $this->db->query("YOUR QUERY");
-	if ($query->num_rows() > 0)
-	{
-		foreach ($query->result() as $row)
-		{
-			echo $row->title;
-			echo $row->name;
-			echo $row->body;
-		}
-	}
-
 Standard Query With Single Result
 =================================
 
diff --git a/user_guide_src/source/general/controllers.rst b/user_guide_src/source/general/controllers.rst
index 7ab5a7f6a..5a111d8dc 100644
--- a/user_guide_src/source/general/controllers.rst
+++ b/user_guide_src/source/general/controllers.rst
@@ -140,9 +140,12 @@ file and set this variable::
 
 	$route['default_controller'] = 'blog';
 
-Where Blog is the name of the controller class you want used. If you now
+Where 'blog' is the name of the controller class you want used. If you now
 load your main index.php file without specifying any URI segments you'll
-see your Hello World message by default.
+see your "Hello World" message by default.
+
+For more information, please refer to the "Reserved Routes" section of the
+:doc:`URI Routing <routing>` documentation.
 
 Remapping Method Calls
 ======================
@@ -263,12 +266,12 @@ Trying to access it via the URL, like this, will not work::
 Organizing Your Controllers into Sub-directories
 ================================================
 
-If you are building a large application you might find it convenient to
-organize your controllers into sub-directories. CodeIgniter permits you
-to do this.
+If you are building a large application you might want to hierarchically
+organize or structure your controllers into sub-directories. CodeIgniter
+permits you to do this.
 
-Simply create folders within your *application/controllers/* directory
-and place your controller classes within them.
+Simply create sub-directories under the main *application/controllers/*
+one and place your controller classes within them.
 
 .. note:: When using this feature the first segment of your URI must
 	specify the folder. For example, let's say you have a controller located
@@ -281,8 +284,9 @@ and place your controller classes within them.
 		example.com/index.php/products/shoes/show/123
 
 Each of your sub-directories may contain a default controller which will be
-called if the URL contains only the sub-folder. Simply name your default
-controller as specified in your *application/config/routes.php* file.
+called if the URL contains *only* the sub-directory. Simply put a controller
+in there that matches the name of your 'default_controller' as specified in
+your *application/config/routes.php* file.
 
 CodeIgniter also permits you to remap your URIs using its :doc:`URI
 Routing <routing>` feature.
diff --git a/user_guide_src/source/general/routing.rst b/user_guide_src/source/general/routing.rst
index 766e0b2ab..b2c9873ab 100644
--- a/user_guide_src/source/general/routing.rst
+++ b/user_guide_src/source/general/routing.rst
@@ -170,11 +170,16 @@ There are three reserved routes::
 
 	$route['default_controller'] = 'welcome';
 
-This route indicates which controller class should be loaded if the URI
-contains no data, which will be the case when people load your root URL.
-In the above example, the "welcome" class would be loaded. You are
-encouraged to always have a default route otherwise a 404 page will
-appear by default.
+This route points to the action that should be executed if the URI contains
+no data, which will be the case when people load your root URL.
+The setting accepts a **controller/method** value and ``index()`` would be
+the default method if you don't specify one. In the above example, it is
+``Welcome::index()`` that would be called.
+
+.. note:: You can NOT use a directory as a part of this setting!
+
+You are encouraged to always have a default route as otherwise a 404 page
+will appear by default.
 
 ::
 
@@ -182,11 +187,13 @@ appear by default.
 
 This route indicates which controller class should be loaded if the
 requested controller is not found. It will override the default 404
-error page. It won't affect to the ``show_404()`` function, which will
+error page. Same per-directory rules as with 'default_controller'
+apply here as well.
+
+It won't affect to the ``show_404()`` function, which will
 continue loading the default *error_404.php* file at
 *application/views/errors/error_404.php*.
 
-
 ::
 
 	$route['translate_uri_dashes'] = FALSE;
diff --git a/user_guide_src/source/general/security.rst b/user_guide_src/source/general/security.rst
index d4120d162..8afdaca31 100644
--- a/user_guide_src/source/general/security.rst
+++ b/user_guide_src/source/general/security.rst
@@ -5,6 +5,9 @@ Security
 This page describes some "best practices" regarding web security, and
 details CodeIgniter's internal security features.
 
+.. note:: If you came here looking for a security contact, please refer to
+	our `Contribution Guide <../contributing/index>`.
+
 URI Security
 ============
 
diff --git a/user_guide_src/source/installation/downloads.rst b/user_guide_src/source/installation/downloads.rst
index 4fe36dd64..d3081719f 100644
--- a/user_guide_src/source/installation/downloads.rst
+++ b/user_guide_src/source/installation/downloads.rst
@@ -3,6 +3,8 @@ Downloading CodeIgniter
 #######################
 
 -  `CodeIgniter v3.1.0-dev (Current version) <https://codeload.github.com/bcit-ci/CodeIgniter/zip/develop>`_
+-  `CodeIgniter v3.0.3-dev <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.0-stable>`_
+-  `CodeIgniter v3.0.2 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.0.2>`_
 -  `CodeIgniter v3.0.1 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.0.1>`_
 -  `CodeIgniter v3.0.0 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/3.0.0>`_
 -  `CodeIgniter v2.2.3 <https://codeload.github.com/bcit-ci/CodeIgniter/zip/2.2.3>`_
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 971f9e484..4b3b408a7 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -266,8 +266,7 @@ cause your 'Main' controller to be loaded.
 However, what happens if you have an *application/controllers/admin/*
 directory and the user visits ``http://example.com/admin/``?
 In CodeIgniter 3, the router will look for a 'Main' controller under the
-admin/ directory as well. If not found, it will fallback to the parent
-(*application/controllers/*) directory, like in version 2.x.
+admin/ directory as well. If not found, a Not Found (404) will be triggered.
 
 The same rule applies to the '404_override' setting.
 
diff --git a/user_guide_src/source/installation/upgrade_303.rst b/user_guide_src/source/installation/upgrade_303.rst
new file mode 100644
index 000000000..a98eed0d4
--- /dev/null
+++ b/user_guide_src/source/installation/upgrade_303.rst
@@ -0,0 +1,14 @@
+#############################
+Upgrading from 3.0.2 to 3.0.3
+#############################
+
+Before performing an update you should take your site offline by
+replacing the index.php file with a static one.
+
+Step 1: Update your CodeIgniter files
+=====================================
+
+Replace all files and directories in your *system/* directory.
+
+.. note:: If you have any custom developed files in these directories,
+	please make copies of them first.
\ No newline at end of file
diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst
index 9dda16786..de2877165 100644
--- a/user_guide_src/source/installation/upgrading.rst
+++ b/user_guide_src/source/installation/upgrading.rst
@@ -9,6 +9,7 @@ upgrading from.
 	:titlesonly:
 
 	Upgrading from 3.0.x to 3.1.x <upgrade_310>
+	Upgrading from 3.0.2 to 3.0.3 <upgrade_303>
 	Upgrading from 3.0.1 to 3.0.2 <upgrade_302>
 	Upgrading from 3.0.0 to 3.0.1 <upgrade_301>
 	Upgrading from 2.2.x to 3.0.x <upgrade_300>
diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst
index 599be4df0..cac4b7921 100644
--- a/user_guide_src/source/libraries/encryption.rst
+++ b/user_guide_src/source/libraries/encryption.rst
@@ -75,7 +75,7 @@ process that allows you to be the only one who is able to decrypt data
 that you've decided to hide from the eyes of the public.
 After one key is used to encrypt data, that same key provides the **only**
 means to decrypt it, so not only must you chose one carefully, but you
-must not lose it or you will also use the encrypted data.
+must not lose it or you will also lose access to the data.
 
 It must be noted that to ensure maximum security, such key *should* not
 only be as strong as possible, but also often changed. Such behavior
diff --git a/user_guide_src/source/libraries/form_validation.rst b/user_guide_src/source/libraries/form_validation.rst
index 140bbc65d..c288cc8c0 100644
--- a/user_guide_src/source/libraries/form_validation.rst
+++ b/user_guide_src/source/libraries/form_validation.rst
@@ -547,7 +547,10 @@ All of the native error messages are located in the following language
 file: **system/language/english/form_validation_lang.php**
 
 To set your own global custom message for a rule, you can either 
-edit that file, or use the following method::
+extend/override the language file by creating your own in
+**application/language/english/form_validation_lang.php** (read more
+about this in the :doc:`Language Class <language>` documentation),
+or use the following method::
 
 	$this->form_validation->set_message('rule', 'Error Message');
 
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
index 305a8e57c..f7604ef00 100644
--- a/user_guide_src/source/libraries/security.rst
+++ b/user_guide_src/source/libraries/security.rst
@@ -16,20 +16,11 @@ application, processing input data for security.
 XSS Filtering
 *************
 
-CodeIgniter comes with a Cross Site Scripting Hack prevention filter
-which can either run automatically to filter all POST and COOKIE data
-that is encountered, or you can run it on a per item basis. By default
-it does **not** run globally since it requires a bit of processing
-overhead, and since you may not need it in all cases.
-
-The XSS filter looks for commonly used techniques to trigger Javascript
-or other types of code that attempt to hijack cookies or do other
-malicious things. If anything disallowed is encountered it is rendered
-safe by converting the data to character entities.
-
-Note: This function should only be used to deal with data upon
-submission. It's not something that should be used for general runtime
-processing since it requires a fair amount of processing overhead.
+CodeIgniter comes with a Cross Site Scripting prevention filter, which
+looks for commonly used techniques to trigger JavaScript or other types
+of code that attempt to hijack cookies or do other malicious things.
+If anything disallowed is encountered it is rendered safe by converting
+the data to character entities.
 
 To filter data through the XSS filter use the ``xss_clean()`` method::
 
diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst
index 2034ed2b0..9c9761bbf 100644
--- a/user_guide_src/source/libraries/sessions.rst
+++ b/user_guide_src/source/libraries/sessions.rst
@@ -598,7 +598,6 @@ For MySQL::
 		`ip_address` varchar(45) NOT NULL,
 		`timestamp` int(10) unsigned DEFAULT 0 NOT NULL,
 		`data` blob NOT NULL,
-		PRIMARY KEY (id),
 		KEY `ci_sessions_timestamp` (`timestamp`)
 	);
 
@@ -608,17 +607,23 @@ For PostgreSQL::
 		"id" varchar(40) NOT NULL,
 		"ip_address" varchar(45) NOT NULL,
 		"timestamp" bigint DEFAULT 0 NOT NULL,
-		"data" text DEFAULT '' NOT NULL,
-		PRIMARY KEY ("id")
+		"data" text DEFAULT '' NOT NULL
 	);
 
 	CREATE INDEX "ci_sessions_timestamp" ON "ci_sessions" ("timestamp");
 
-However, if you want to turn on the *sess_match_ip* setting, you should
-also do the following, after creating the table::
+You will also need to add a PRIMARY KEY **depending on your 'sess_match_ip'
+setting**. The examples below work both on MySQL and PostgreSQL::
+
+	// When sess_match_ip = TRUE
+	ALTER TABLE ci_sessions ADD PRIMARY KEY (id, ip_address);
+
+	// When sess_match_ip = FALSE
+	ALTER TABLE ci_sessions ADD PRIMARY KEY (id);
+
+	// To drop a previously created primary key (use when changing the setting)
+	ALTER TABLE ci_sessions DROP PRIMARY KEY;
 
-	// Works both on MySQL and PostgreSQL
-	ALTER TABLE ci_sessions ADD CONSTRAINT ci_sessions_id_ip UNIQUE (id, ip_address);
 
 .. important:: Only MySQL and PostgreSQL databases are officially
 	supported, due to lack of advisory locking mechanisms on other