summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
AgeCommit message (Collapse)AuthorFilesLines
2014-10-27[ci skip] Switch to MIT license; close #3293Andrey Andreev1-14/+25
2014-10-06Update a config_item() use case for the new NULL return valueAndrey Andreev1-1/+1
2014-10-05config_item() to return NULL instead of FALSE for non-existing itemsAndrey Andreev1-3/+3
Close #3001 Close #3232 Related: #3244
2014-10-02stream_set_chunk_size() requires PHP 5.4Andrey Andreev1-1/+2
2014-09-30Make sure we don't waste entropyAndrey Andreev1-0/+1
2014-09-28[ci skip] Remove references to 'PHP5' from commentsAndrey Andreev1-1/+1
2014-09-17Fix a defined() checkAndrey Andreev1-1/+1
Close #3233
2014-09-12Fix #3228Andrey Andreev1-2/+0
2014-08-28Fix CI_Security::get_random_bytes() length validationAndrey Andreev1-1/+1
2014-08-27Add CI_Security::get_random_bytes() for CSRF & XSS token generationAndrey Andreev1-7/+54
2014-08-18[ci skip] Polish changes from PR #3176Andrey Andreev1-6/+6
2014-08-18Alter Pull #3176 to follow discussioncaseyh1-4/+4
2014-08-11CSRF whitelist supports regexCasey Hancock1-4/+7
Signed-off-by: Casey Hancock <crh431@gmail.com>
2014-08-05Fix #3123Andrey Andreev1-1/+1
2014-07-14Add changelog entry for CSRF status code; remove line at EOFKyle Valade1-1/+1
2014-07-06Return 403 instead of 500 if no CSRF token givenKyle Valade1-2/+2
Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
2014-06-29Fixed eofGraham Campbell1-1/+1
2014-06-29Fixed typoGraham Campbell1-2/+2
2014-05-23Fix #3057Andrey Andreev1-66/+62
2014-05-06xss_clean is not protecting GET requests that &item=/startwithslashDocumentopia.com1-1/+1
/webacd.do?isurlact=true&entactname=/webacd.do becomes /webacd.do?isurlact=true&entactname;=/webacd.do This commit adds / to the regex to it will escape those GET requests related to issue #3030
2014-03-18More xss_clean() improvementsAndrey Andreev1-2/+2
Issue described in https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37980030 + a false positive
2014-03-18Another xss_clean() improvementAndrey Andreev1-2/+2
Fixes this: https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37958136
2014-03-18xss_clean() improvementAndrey Andreev1-4/+4
Fixes this: https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37819186
2014-02-112013 > 2014darwinel1-1/+1
Update copyright notices from 2013 to 2014. And update one calendar example in user_guide from year 2013/2014 to 2014/2015.
2014-02-10CI_Security: URL-decode until possibleAndrey Andreev1-1/+5
2014-02-10[ci skip] Fix a typoAndrey Andreev1-1/+1
2014-02-10CI_Security: Expect a backslash as a tag separatorAndrey Andreev1-2/+2
2014-02-10CI_Security: Filter jscript, wscript, vbs, confirm, prompt the same way as ↵Andrey Andreev1-6/+10
javascript, alert
2014-01-25Add <math> to 'naughty' HTML elementsAndrey Andreev1-1/+1
2014-01-25Previous commit caused side effects ...Andrey Andreev1-2/+2
2014-01-25Fix CI_Security::_remove_evil_attributes() being way too aggressiveAndrey Andreev1-2/+2
2014-01-25Re-add 'on\w*' to evil attributes (rel #2667)Andrey Andreev1-2/+1
2014-01-25Partially fix #2667Andrey Andreev1-2/+8
2014-01-24CI_Security: Also add <svg> to 'naughty' HTML elementsAndrey Andreev1-1/+1
2014-01-24CI_Security: Add <select> and <keygen> tags to the list of 'naughty' HTML ↵Andrey Andreev1-1/+1
elements
2014-01-24Fix syntax errorsAndrey Andreev1-2/+2
2014-01-24CI_Security: Add 'form' and 'xlink:href' to evil attributesAndrey Andreev1-1/+1
2014-01-24Add &newline; and &tab; to CI_Security::Andrey Andreev1-1/+3
2014-01-22CI_Security::_decode_entity() to replace dangerous HTML5 entitiesAndrey Andreev1-1/+19
Related to issue #2771
2014-01-21Add <button> to the list of 'naugthy' html elements in CI_Security::xss_clean()Andrey Andreev1-2/+2
2014-01-20Fix #2729Andrey Andreev1-2/+3
2014-01-18Fix #2829Andrey Andreev1-4/+4
2014-01-07Fix #2268 (manually implementing PR #2269)Andrey Andreev1-3/+3
2013-10-18Eh ... preg_replace() needs a replacementAndrey Andreev1-2/+2
2013-10-18Fix issue #2681 (alternative to PR #2690)Andrey Andreev1-2/+2
2013-10-17Replace the last rand() with mt_rand()vlakoff1-2/+2
Better entropy, faster. Also fixed a few "it's" typos.
2013-10-03partial fix #2667David Cox Jr1-1/+1
this fixes the ability to replace a space with a / and skip the XSS filtering
2013-08-04Rename bad chars property to filename_bad_chars, remove the setter and add ↵Hunter Wu1-15/+2
changelog entry
2013-08-03Make the bad filename array public in Security libraryHunter Wu1-18/+38
2013-08-03Revert "Add windows filename rule as an option for upload files"Hunter Wu1-32/+19
This reverts commit 23719ab569c9c8d6b791f65d7861daba3895ddcb.