Age | Commit message | Author | Files | Lines
2015-09-21More XSS stuffAndrey Andreev2-3/+19
2015-09-17Don't allow open-ended tags to pass through xss_clean()Andrey Andreev2-4/+10
This was a regression caused by the previous commit
2015-09-17Refactor 'evil attributes' sanitization logicAndrey Andreev2-115/+100
Turned out to be pretty much impossible to remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done separately for _sanitize_naughty_html() and _remove_evil_attributes().
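The design point in this commit message, and the 'open-ended tags' regression fixed by the commit above it, as an added illustration (this is not CodeIgniter's xss_clean() code): a single pattern run over the whole input removes anything that looks like an event-handler attribute, including ordinary prose, while scoping the same stripping to text already matched as a tag leaves text between tags alone. The function names, the attribute list and the sample input are constructed for this example.

```php
<?php
// Added illustration, not CodeIgniter's xss_clean(): compares a single
// whole-string "evil attribute" pattern with stripping scoped to matched tags.

// Naive: one pattern over the entire input. Anything that looks like
// on*=value is removed, including plain prose.
function strip_evil_attributes_naive(string $html): string
{
    return preg_replace(
        '/\s*on\w+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i',
        '',
        $html
    );
}

// Scoped: first locate a tag, then remove handler attributes only inside
// the matched tag text. Text between tags is never touched.
function strip_evil_attributes_scoped(string $html): string
{
    // A tag starts with "<" and a letter and runs to the next ">". The ">"
    // is optional so that an open-ended tag (no closing ">") is still treated
    // as a tag and sanitized rather than passed through untouched.
    $tag = '/<[a-z][^>]*>?/i';

    return preg_replace_callback($tag, function (array $m): string {
        // Attribute names treated as dangerous in this example (assumption);
        // a real sanitizer uses a longer list.
        $evil = '/\s+(?:on\w+|formaction|xmlns)\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)/i';
        return preg_replace($evil, '', $m[0]);
    }, $html);
}

// Constructed sample input: a real handler inside a tag plus prose that
// merely resembles an attribute.
$input = 'Click <a href="#" onclick="alert(1)">here</a>. The onclick= handler fires.';
echo strip_evil_attributes_naive($input), PHP_EOL;
echo strip_evil_attributes_scoped($input), PHP_EOL;

// Open-ended tag: because ">" is optional in the tag pattern, the handler
// is still stripped instead of the fragment slipping through.
echo strip_evil_attributes_scoped('<img src=x onerror=alert(1)'), PHP_EOL;
```

Running this, the naive function turns the trailing sentence into "The fires." while the scoped function removes only the onclick inside the <a> tag and leaves the prose intact; the open-ended <img> fragment loses its onerror. Two caveats a practitioner should keep in mind: the tag pattern stops at the first ">", so a ">" inside a quoted attribute value splits the tag and needs a more careful pattern, and applying a short attribute pattern per matched tag (rather than one large pattern over the whole document) is what keeps backtracking bounded, which is the pcre.backtrack_limit concern the commit message raises.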
2015-09-16[ci skip] Add missing changelog entryAndrey Andreev1-0/+1
2015-09-16Fix #4116Andrey Andreev2-6/+7
Close #4117
2015-09-16Fix typokenjis1-1/+1
Signed-off-by: Kenji Suzuki <kenji.uui@gmail.com>
2015-09-16Fix #4120Andrey Andreev2-3/+14
2015-09-15Missing character in the evil attributes patternAndrey Andreev1-1/+1
2015-09-14Another addition to tag detection patterns in xss_clean()Andrey Andreev2-1/+9
2015-09-14Close #4098Andrey Andreev2-2/+19
2015-09-14Fix #4032Andrey Andreev2-7/+10
2015-09-14Fix #4044Andrey Andreev2-5/+6
2015-09-14Fix #4109Andrey Andreev2-20/+23
2015-09-14Add 'eval' to a JS blacklist in xss_clean()Andrey Andreev1-7/+10
2015-09-14Move _remove_evil_attributes() callAndrey Andreev2-4/+17
2015-09-11Harden xss_clean() moreAndrey Andreev2-7/+44
This time eliminate false positives for the 'naughty html' logic.
2015-09-11Improve on previous commitAndrey Andreev2-1/+6
2015-09-11Replace the latest XSS patchesAndrey Andreev2-10/+27
This one fixes yet another issue, is cleaner and faster.
2015-09-10Last commit didn't adjust a RE indexAndrey Andreev2-1/+6
2015-09-10Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4Andrey Andreev2-6/+6
2015-09-10Fix a broken unit test from 700619cebf75c4e4fcda6a2d7bea1afb84a029e4Andrey Andreev1-1/+1
2015-09-10[ci skip] Add changelog entry for #4105Andrey Andreev1-0/+1
2015-09-10Change form validation library to allow the pipe character within square bracketsrich1-1/+1
2015-09-10Fix #4106Andrey Andreev2-2/+10
2015-09-07Remove unnecessary count() calls from _sanitize_globals()Andrey Andreev1-3/+3
foreach() just won't execute for an empty array, it does that check internally.
2015-09-07Move csrf_verify() call out of _sanitize_globals()Andrey Andreev1-6/+6
It doesn't belong in there.
2015-09-03Fix #4096Andrey Andreev2-1/+2
2015-09-02[ci skip] Improve FV language string instructionsAndrey Andreev1-1/+4
As suggested in #4095
2015-09-01Enable Travis builds for 3.0-stable branchAndrey Andreev1-0/+1
2015-09-01Fix #4093Andrey Andreev3-1/+10
2015-09-01[ci skip] Correct session database setup docsAndrey Andreev2-7/+15
2015-09-01[ci skip] Reduce/improve wording of xss_clean() descriptionAndrey Andreev1-10/+5
2015-09-01[ci skip] Remove a bad advice from the Security lib docsAndrey Andreev1-4/+0
2015-09-01Merge pull request #4092 from mpmont/3.0-stableAndrey Andreev1-1/+1
Remove an accidental = sign
2015-09-01There was an extra = sign in this fileMarco Monteiro1-1/+1
2015-08-31[ci skip] Fix #4091Andrey Andreev2-1/+2
2015-08-31Fix #4086Andrey Andreev2-13/+14
2015-08-31[ci skip] Fix incorrect routing descriptionAndrey Andreev1-2/+1
Close #4079
2015-08-31Fix #4073Andrey Andreev2-7/+17
2015-08-31Fix #4066Andrey Andreev3-18/+7
2015-08-20Fix #4065Andrey Andreev2-1/+2
2015-08-19[ci skip] Fix 'sqlsrv' connect failure endless loopAndrey Andreev2-7/+9
Reported via the forums: http://forum.codeigniter.com/thread-61494.html
2015-08-17Allow capitals in the middle of model namesAndrey Andreev2-1/+2
Requested in #4059
2015-08-15Fix #4056Andrey Andreev2-1/+2
2015-08-15[ci skip] Fix a doc typoAndrey Andreev1-1/+1
2015-08-14[ci skip] Encryption doc fixAndrey Andreev1-1/+1
Close #4051
2015-08-14Fix #4052Andrey Andreev2-20/+1
The bug actually had two instances:
- Callback routes with literal matches and HTTP verbs have never worked
- The reported issue in #4052, which is a regression introduced in 3.0.1 with abc299b3a234eb7da1b7e3d257b7eba2da649219
Removed the literal matches logic altogether to avoid similar issues in the future and reduce code complexity. The same logic is performed with the regular expressions logic.
2015-08-13Fix typo in commentsClaudio Galdiolo1-1/+1
2015-08-13Update config/constants.php with defined() checksAndrey Andreev3-34/+48
Allows for easier override with environment-based configs.
Close #4045
2015-08-10Fix path for CLI error templates in upgrade docMat Whitney1-1/+1