summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
AgeCommit message (Collapse)AuthorFilesLines
2017-01-04[ci skip] Protect CSRF verification from timing side-channel attacksAndrey Andreev1-6/+8
2017-01-04Fix an XSS vulnerabilityAndrey Andreev1-1/+1
2017-01-03Update copyright data to 2017Master Yoda1-2/+2
2016-10-28[ci skip] xss_clean() hardeningAndrey Andreev1-10/+11
- percent-sign tag (IE) - data: URI scheme inclinding whitespace (Chrome)
2016-10-26Fix #4877Andrey Andreev1-5/+29
2016-09-27Fix entity_decode() issueAndrey Andreev1-17/+22
2016-08-29Merge pull request #4785 from guitarrist/developAndrey Andreev1-1/+1
[ci skip] Fix a comment typo
2016-07-28Remove dead code written for PHP 5.2Andrey Andreev1-6/+1
2016-03-07Fix #4475Andrey Andreev1-1/+8
2016-01-11[ci skip] Update ellislab.com links to https tooAndrey Andreev1-1/+1
2016-01-11[ci skip] Update codeigniter.com links to httpsAndrey Andreev1-2/+2
2016-01-11[ci skip] Bump year to 2016Andrey Andreev1-2/+2
2015-11-24Use PHP7's random_bytes() when possibleAndrey Andreev1-0/+16
Close #4260
2015-10-31Harden xss_clean()Andrey Andreev1-27/+39
2015-10-05Some more intrusive XSS cleaningAndrey Andreev1-5/+11
2015-10-02More XSS stuffAndrey Andreev1-1/+1
2015-09-21More XSS stuffAndrey Andreev1-3/+3
2015-09-17Don't allow open-ended tags to pass through xss_clean()Andrey Andreev1-4/+9
This was a regression caused by the previous commit
2015-09-17Refactor 'evil attributes' sanitization logicAndrey Andreev1-92/+66
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes().
2015-09-15Missing character in the evil attributes patternAndrey Andreev1-1/+1
2015-09-14Another addition to tag detection patterns in xss_clean()Andrey Andreev1-1/+4
2015-09-14Add 'eval' to a JS blacklist in xss_clean()Andrey Andreev1-7/+10
2015-09-14Move _remove_evil_attributes() callAndrey Andreev1-4/+3
2015-09-11Harden xss_clean() moreAndrey Andreev1-5/+37
This time eliminate false positives for the 'naughty html' logic.
2015-09-11Improve on previous commitAndrey Andreev1-1/+1
2015-09-11Replace the latest XSS patchesAndrey Andreev1-9/+21
This one fixes yet another issue, is cleaner and faster.
2015-09-10Last commit didn't adjust a RE indexAndrey Andreev1-1/+1
2015-09-10Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4Andrey Andreev1-2/+2
2015-09-10Fix #4106Andrey Andreev1-2/+2
2015-07-15Fix a TypoMohammad Sadegh Dehghan Niri1-1/+1
2015-03-26Minor fixes in CI_Security::entity_decode()Andrey Andreev1-4/+4
2015-03-26Add FSCommand and seekSegmentTime to evil HTML attributes listAndrey Andreev1-1/+1
2015-02-17Fix #3572: CI_Security::_remove_evil_attributes()Andrey Andreev1-21/+6
2015-02-09Fix #3579Andrey Andreev1-2/+2
2015-01-29fix typo in commentsClaudio Galdiolo1-1/+1
2015-01-21Remove closing blocks at end of PHP filesvlakoff1-3/+0
2015-01-20[ci skip] Change some log messages' levelAndrey Andreev1-4/+3
'Class Loaded' type of messages flood log files when log_threshold is set to 2 (debug). They're now logged as 'info' level. This is manually applying PR #1528, which was created to do the same thing, but became outdated.
2015-01-09Bulk (mostly documentation) updateAndrey Andreev1-3/+3
- Remove PHP version from license notices - Bump year number in copyright notices - Recommend PHP 5.4 or newer to be used - Tell Travis-CI to test on PHP 5.3.0 instead of the latest 5.3 version Related: #3450
2015-01-09Fix E_WARNING in CI_Security::entity_decode() on PHP<5.3.4Andrey Andreev1-1/+6
Related: #3057 Previous commit: 487d1ae060e6414e0a59c9752a4914fa3b8c4710
2014-12-16Remove trailing newlineJason Taylor1-1/+1
2014-12-16Fix Issue #3417warpcode1-2/+2
2014-12-08Fix 'Array to string conversion' notice in CSRF validationAndrey Andreev1-2/+2
Rel: #3398
2014-10-27[ci skip] Switch to MIT license; close #3293Andrey Andreev1-14/+25
2014-10-06Update a config_item() use case for the new NULL return valueAndrey Andreev1-1/+1
2014-10-05config_item() to return NULL instead of FALSE for non-existing itemsAndrey Andreev1-3/+3
Close #3001 Close #3232 Related: #3244
2014-10-02stream_set_chunk_size() requires PHP 5.4Andrey Andreev1-1/+2
2014-09-30Make sure we don't waste entropyAndrey Andreev1-0/+1
2014-09-28[ci skip] Remove references to 'PHP5' from commentsAndrey Andreev1-1/+1
2014-09-17Fix a defined() checkAndrey Andreev1-1/+1
Close #3233
2014-09-12Fix #3228Andrey Andreev1-2/+0