summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
AgeCommit message (Collapse)AuthorFilesLines
2018-05-18http:// to https://Mehdi Bounya1-3/+3
2018-03-22Merge branch '3.1-stable' into developAndrey Andreev1-2/+10
Conflicts resolved: system/core/CodeIgniter.php system/core/Security.php system/database/DB_query_builder.php system/libraries/Email.php user_guide_src/source/changelog.rst user_guide_src/source/conf.py user_guide_src/source/installation/downloads.rst user_guide_src/source/installation/upgrading.rst
2018-03-15Merge pull request #5431 from CyberSecutor/developAndrey Andreev1-4/+6
Added parenthesis check around "document" elements and fixed non-existent document.window filter to window.document
2018-03-10[ci skip] Fix #5420Andrey Andreev1-2/+10
2018-03-05Fixed typoRemko Silvis1-1/+1
2018-03-05Added parenthesis check around "document" elements and fixed non-existent ↵Remko Silvis1-3/+5
document.window filter to window.document
2018-01-09[ci skip] Merge pull request #5376 from jim-parry/copyright-updateAndrey Andreev1-2/+2
Annual copyright update Conflicts resolved: system/libraries/Cache/drivers/Cache_apcu.php
2018-01-09Annual copyright updateMaster Yoda1-2/+2
2017-03-24Merge branch '3.1-stable' into developAndrey Andreev1-2/+2
Conflicts resolved: system/core/CodeIgniter.php system/core/Common.php system/core/Input.php system/helpers/cookie_helper.php tests/codeigniter/helpers/html_helper_test.php user_guide_src/source/changelog.rst user_guide_src/source/conf.py user_guide_src/source/installation/downloads.rst user_guide_src/source/installation/upgrading.rst user_guide_src/source/libraries/input.rst
2017-01-20Don't use each()Andrey Andreev1-2/+2
Will be deprecated in PHP 7.2
2017-01-17[ci skip] Merge pull request #4986 from ka7/feature/spellingAndrey Andreev1-1/+1
Spelling fixes in comment blocks and docs
2017-01-16spelling fixes(1)klemens1-1/+1
2017-01-16spelling fixesklemens1-1/+1
2017-01-10Merge branch '3.1-stable' into developAndrey Andreev1-7/+9
Conflicts resolved: system/core/CodeIgniter.php system/database/drivers/sqlite/sqlite_driver.php system/database/drivers/sqlite/sqlite_forge.php system/database/drivers/sqlite/sqlite_result.php system/database/drivers/sqlite/sqlite_utility.php system/helpers/email_helper.php system/helpers/smiley_helper.php system/libraries/Cart.php system/libraries/Email.php system/libraries/Image_lib.php system/libraries/Javascript.php system/libraries/Javascript/Jquery.php system/libraries/Session/SessionHandlerInterface.php user_guide_src/source/changelog.rst user_guide_src/source/installation/downloads.rst user_guide_src/source/installation/upgrading.rst
2017-01-04[ci skip] Protect CSRF verification from timing side-channel attacksAndrey Andreev1-6/+8
2017-01-04Fix an XSS vulnerabilityAndrey Andreev1-1/+1
2017-01-03Update copyright data to 2017Master Yoda1-2/+2
2016-12-31Update copyright data to 2017Master Yoda1-2/+2
2016-12-14Move csrf_verify() call out of CI_InputAndrey Andreev1-4/+5
2016-12-14Drop all PHP 5.3-related codeAndrey Andreev1-28/+4
2016-10-28[ci skip] xss_clean() hardeningAndrey Andreev1-10/+11
- percent-sign tag (IE) - data: URI scheme inclinding whitespace (Chrome)
2016-10-26Fix #4877Andrey Andreev1-5/+29
2016-09-27Fix entity_decode() issueAndrey Andreev1-17/+22
2016-08-29Merge pull request #4785 from guitarrist/developAndrey Andreev1-1/+1
[ci skip] Fix a comment typo
2016-07-28Remove dead code written for PHP 5.2Andrey Andreev1-6/+1
2016-03-07Fix #4475Andrey Andreev1-1/+8
2016-01-11[ci skip] Update ellislab.com links to https tooAndrey Andreev1-1/+1
2016-01-11[ci skip] Update codeigniter.com links to httpsAndrey Andreev1-2/+2
2016-01-11[ci skip] Bump year to 2016Andrey Andreev1-2/+2
2015-11-24Use PHP7's random_bytes() when possibleAndrey Andreev1-0/+16
Close #4260
2015-10-31Harden xss_clean()Andrey Andreev1-27/+39
2015-10-05Some more intrusive XSS cleaningAndrey Andreev1-5/+11
2015-10-02More XSS stuffAndrey Andreev1-1/+1
2015-09-21More XSS stuffAndrey Andreev1-3/+3
2015-09-17Don't allow open-ended tags to pass through xss_clean()Andrey Andreev1-4/+9
This was a regression caused by the previous commit
2015-09-17Refactor 'evil attributes' sanitization logicAndrey Andreev1-92/+66
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes().
2015-09-15Missing character in the evil attributes patternAndrey Andreev1-1/+1
2015-09-14Another addition to tag detection patterns in xss_clean()Andrey Andreev1-1/+4
2015-09-14Add 'eval' to a JS blacklist in xss_clean()Andrey Andreev1-7/+10
2015-09-14Move _remove_evil_attributes() callAndrey Andreev1-4/+3
2015-09-11Harden xss_clean() moreAndrey Andreev1-5/+37
This time eliminate false positives for the 'naughty html' logic.
2015-09-11Improve on previous commitAndrey Andreev1-1/+1
2015-09-11Replace the latest XSS patchesAndrey Andreev1-9/+21
This one fixes yet another issue, is cleaner and faster.
2015-09-10Last commit didn't adjust a RE indexAndrey Andreev1-1/+1
2015-09-10Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4Andrey Andreev1-2/+2
2015-09-10Fix #4106Andrey Andreev1-2/+2
2015-07-15Fix a TypoMohammad Sadegh Dehghan Niri1-1/+1
2015-03-26Minor fixes in CI_Security::entity_decode()Andrey Andreev1-4/+4
2015-03-26Add FSCommand and seekSegmentTime to evil HTML attributes listAndrey Andreev1-1/+1
2015-02-17Fix #3572: CI_Security::_remove_evil_attributes()Andrey Andreev1-21/+6