summaryrefslogtreecommitdiffstats
path: root/system/core/Security.php
AgeCommit message (Collapse)AuthorFilesLines
2015-10-31Harden xss_clean()Andrey Andreev1-27/+39
2015-10-05Some more intrusive XSS cleaningAndrey Andreev1-5/+11
2015-10-02More XSS stuffAndrey Andreev1-1/+1
2015-09-21More XSS stuffAndrey Andreev1-3/+3
2015-09-17Don't allow open-ended tags to pass through xss_clean()Andrey Andreev1-4/+9
This was a regression caused by the previous commit
2015-09-17Refactor 'evil attributes' sanitization logicAndrey Andreev1-92/+66
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes().
2015-09-15Missing character in the evil attributes patternAndrey Andreev1-1/+1
2015-09-14Another addition to tag detection patterns in xss_clean()Andrey Andreev1-1/+4
2015-09-14Add 'eval' to a JS blacklist in xss_clean()Andrey Andreev1-7/+10
2015-09-14Move _remove_evil_attributes() callAndrey Andreev1-4/+3
2015-09-11Harden xss_clean() moreAndrey Andreev1-5/+37
This time eliminate false positives for the 'naughty html' logic.
2015-09-11Improve on previous commitAndrey Andreev1-1/+1
2015-09-11Replace the latest XSS patchesAndrey Andreev1-9/+21
This one fixes yet another issue, is cleaner and faster.
2015-09-10Last commit didn't adjust a RE indexAndrey Andreev1-1/+1
2015-09-10Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4Andrey Andreev1-2/+2
2015-09-10Fix #4106Andrey Andreev1-2/+2
2015-07-15Fix a TypoMohammad Sadegh Dehghan Niri1-1/+1
2015-03-26Minor fixes in CI_Security::entity_decode()Andrey Andreev1-4/+4
2015-03-26Add FSCommand and seekSegmentTime to evil HTML attributes listAndrey Andreev1-1/+1
2015-02-17Fix #3572: CI_Security::_remove_evil_attributes()Andrey Andreev1-21/+6
2015-02-09Fix #3579Andrey Andreev1-2/+2
2015-01-29fix typo in commentsClaudio Galdiolo1-1/+1
2015-01-21Remove closing blocks at end of PHP filesvlakoff1-3/+0
2015-01-20[ci skip] Change some log messages' levelAndrey Andreev1-4/+3
'Class Loaded' type of messages flood log files when log_threshold is set to 2 (debug). They're now logged as 'info' level. This is manually applying PR #1528, which was created to do the same thing, but became outdated.
2015-01-09Bulk (mostly documentation) updateAndrey Andreev1-3/+3
- Remove PHP version from license notices - Bump year number in copyright notices - Recommend PHP 5.4 or newer to be used - Tell Travis-CI to test on PHP 5.3.0 instead of the latest 5.3 version Related: #3450
2015-01-09Fix E_WARNING in CI_Security::entity_decode() on PHP<5.3.4Andrey Andreev1-1/+6
Related: #3057 Previous commit: 487d1ae060e6414e0a59c9752a4914fa3b8c4710
2014-12-16Remove trailing newlineJason Taylor1-1/+1
2014-12-16Fix Issue #3417warpcode1-2/+2
2014-12-08Fix 'Array to string conversion' notice in CSRF validationAndrey Andreev1-2/+2
Rel: #3398
2014-10-27[ci skip] Switch to MIT license; close #3293Andrey Andreev1-14/+25
2014-10-06Update a config_item() use case for the new NULL return valueAndrey Andreev1-1/+1
2014-10-05config_item() to return NULL instead of FALSE for non-existing itemsAndrey Andreev1-3/+3
Close #3001 Close #3232 Related: #3244
2014-10-02stream_set_chunk_size() requires PHP 5.4Andrey Andreev1-1/+2
2014-09-30Make sure we don't waste entropyAndrey Andreev1-0/+1
2014-09-28[ci skip] Remove references to 'PHP5' from commentsAndrey Andreev1-1/+1
2014-09-17Fix a defined() checkAndrey Andreev1-1/+1
Close #3233
2014-09-12Fix #3228Andrey Andreev1-2/+0
2014-08-28Fix CI_Security::get_random_bytes() length validationAndrey Andreev1-1/+1
2014-08-27Add CI_Security::get_random_bytes() for CSRF & XSS token generationAndrey Andreev1-7/+54
2014-08-18[ci skip] Polish changes from PR #3176Andrey Andreev1-6/+6
2014-08-18Alter Pull #3176 to follow discussioncaseyh1-4/+4
2014-08-11CSRF whitelist supports regexCasey Hancock1-4/+7
Signed-off-by: Casey Hancock <crh431@gmail.com>
2014-08-05Fix #3123Andrey Andreev1-1/+1
2014-07-14Add changelog entry for CSRF status code; remove line at EOFKyle Valade1-1/+1
2014-07-06Return 403 instead of 500 if no CSRF token givenKyle Valade1-2/+2
Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
2014-06-29Fixed eofGraham Campbell1-1/+1
2014-06-29Fixed typoGraham Campbell1-2/+2
2014-05-23Fix #3057Andrey Andreev1-66/+62
2014-05-06xss_clean is not protecting GET requests that &item=/startwithslashDocumentopia.com1-1/+1
/webacd.do?isurlact=true&entactname=/webacd.do becomes /webacd.do?isurlact=true&entactname;=/webacd.do This commit adds / to the regex to it will escape those GET requests related to issue #3030
2014-03-18More xss_clean() improvementsAndrey Andreev1-2/+2
Issue described in https://github.com/EllisLab/CodeIgniter/issues/2667#issuecomment-37980030 + a false positive