Age | Commit message | Author | Files | Lines
2015-10-02 | Merge pull request #4148 from zhanghongyi/generate-pulldown | Andrey Andreev | 5 | -76/+121
[ci skip] Generate docs pulldown menu using sphinx toctree
2015-10-02 | More XSS stuff | Andrey Andreev | 2 | -2/+7
2015-09-29 | [ci skip] Add changelog message for PR #4126 | Andrey Andreev | 1 | -0/+1
2015-09-29 | Merge pull request #4126 from zoaked/patch-1 | Andrey Andreev | 2 | -2/+1
Persist config file rules when using FV reset_validation()
2015-09-28 | [ci skip] Explain per-directory logic for 404_override too | Andrey Andreev | 1 | -2/+4
2015-09-28 | cal_cel_other | Дмитрий | 1 | -2/+2
forget to close a tag cal_cel_other
2015-09-28 | [ci skip] Clarify docs about default_controller | Andrey Andreev | 2 | -14/+23
2015-09-28 | Merge pull request #4125 from jim-parry/fix/lang_test | Andrey Andreev | 1 | -5/+17
Improve CI_Lang tests
2015-09-24 | Fix #4137 | Andrey Andreev | 2 | -1/+2
2015-09-23 | [ci skip] Cherry-pick docs pulldown nav fix from develop | Master Yoda | 1 | -85/+117
2015-09-22 | [ci skip] Remove an example from DB docs | Andrey Andreev | 1 | -17/+0
Users shouldn't be encouraged to use num_rows() that way ... We had already decided on this awhile ago, this example just slipped through.
2015-09-21 | More XSS stuff | Andrey Andreev | 2 | -3/+19
2015-09-17 | Don't allow open-ended tags to pass through xss_clean() | Andrey Andreev | 2 | -4/+10
This was a regression caused by the previous commit
2015-09-17 | Refactor 'evil attributes' sanitization logic | Andrey Andreev | 2 | -115/+100
Turned out pretty much impossible to remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done separately for _sanitize_naughty_html() and _remove_evil_attributes().
2015-09-16 | [ci skip] Add missing changelog entry | Andrey Andreev | 1 | -0/+1
2015-09-16 | Fix #4116 | Andrey Andreev | 2 | -6/+7
Close #4117
2015-09-16 | Fix typo | kenjis | 1 | -1/+1
Signed-off-by: Kenji Suzuki <kenji.uui@gmail.com>
2015-09-16 | Fix #4120 | Andrey Andreev | 2 | -3/+14
2015-09-15 | Missing character in the evil attributes pattern | Andrey Andreev | 1 | -1/+1
2015-09-14 | Another addition to tag detection patterns in xss_clean() | Andrey Andreev | 2 | -1/+9
2015-09-14 | Close #4098 | Andrey Andreev | 2 | -2/+19
2015-09-14 | Fix #4032 | Andrey Andreev | 2 | -7/+10
2015-09-14 | Fix #4044 | Andrey Andreev | 2 | -5/+6
2015-09-14 | Fix #4109 | Andrey Andreev | 2 | -20/+23
2015-09-14 | Add 'eval' to a JS blacklist in xss_clean() | Andrey Andreev | 1 | -7/+10
2015-09-14 | Move _remove_evil_attributes() call | Andrey Andreev | 2 | -4/+17
2015-09-11 | Harden xss_clean() more | Andrey Andreev | 2 | -7/+44
This time eliminate false positives for the 'naughty html' logic.
2015-09-11 | Improve on previous commit | Andrey Andreev | 2 | -1/+6
2015-09-11 | Replace the latest XSS patches | Andrey Andreev | 2 | -10/+27
This one fixes yet another issue, is cleaner and faster.
2015-09-10 | Last commit didn't adjust a RE index | Andrey Andreev | 2 | -1/+6
2015-09-10 | Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 | Andrey Andreev | 2 | -6/+6
2015-09-10 | Fix a broken unit test from 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 | Andrey Andreev | 1 | -1/+1
2015-09-10 | [ci skip] Add changelog entry for #4105 | Andrey Andreev | 1 | -0/+1
2015-09-10 | Change form validation library to allow the pipe character within square brackets | rich | 1 | -1/+1
2015-09-10 | Fix #4106 | Andrey Andreev | 2 | -2/+10
2015-09-07 | Remove unnecessary count() calls from _sanitize_globals() | Andrey Andreev | 1 | -3/+3
foreach() just won't execute for an empty array, it does that check internally.
2015-09-07 | Move csrf_verify() call out of _sanitize_globals() | Andrey Andreev | 1 | -6/+6
It doesn't belong in there.
2015-09-03 | Fix #4096 | Andrey Andreev | 2 | -1/+2
2015-09-02 | [ci skip] Improve FV language string instructions | Andrey Andreev | 1 | -1/+4
As suggested in #4095
2015-09-01 | Enable Travis builds for 3.0-stable branch | Andrey Andreev | 1 | -0/+1
2015-09-01 | Fix #4093 | Andrey Andreev | 3 | -1/+10
2015-09-01 | [ci skip] Correct session database setup docs | Andrey Andreev | 2 | -7/+15
2015-09-01 | [ci skip] Reduce/improve wording of xss_clean() description | Andrey Andreev | 1 | -10/+5
2015-09-01 | [ci skip] Remove a bad advice from the Security lib docs | Andrey Andreev | 1 | -4/+0
2015-09-01 | Merge pull request #4092 from mpmont/3.0-stable | Andrey Andreev | 1 | -1/+1
Remove an accidental = sign
2015-09-01 | There was an extra = sign in this file | Marco Monteiro | 1 | -1/+1
2015-08-31 | [ci skip] Fix #4091 | Andrey Andreev | 2 | -1/+2
2015-08-31 | Fix #4086 | Andrey Andreev | 2 | -13/+14
2015-08-31 | [ci skip] Fix incorrect routing description | Andrey Andreev | 1 | -2/+1
Close #4079
2015-08-31 | Fix #4073 | Andrey Andreev | 2 | -7/+17