Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2021-03-24 | [ci skip] Add SameSite=Strict to CSRF cookie | Andrey Andreev | 1 | -9/+29 | |
2020-07-09 | [ci skip] Merge pull request #5970 from sapics/fix/user-guide-url | Andrey Andreev | 1 | -1/+1 | |
Fix user guide url | |||||
2019-08-02 | [ci skip] Fix a CSRF-related bug | Andrey Andreev | 1 | -0/+1 | |
2019-01-02 | Merge pull request #5662 from jim-parry/copyright2019 | Instructor, BCIT | 1 | -3/+3 | |
Update copyright date to 2019 | |||||
2018-03-15 | Merge pull request #5431 from CyberSecutor/develop | Andrey Andreev | 1 | -4/+6 | |
Added parenthesis check around "document" elements and fixed non-existent document.window filter to window.document | |||||
2018-03-10 | [ci skip] Fix #5420 | Andrey Andreev | 1 | -2/+10 | |
2018-01-09 | [ci skip] Merge pull request #5376 from jim-parry/copyright-update | Andrey Andreev | 1 | -2/+2 | |
Annual copyright update Conflicts resolved: system/libraries/Cache/drivers/Cache_apcu.php | |||||
2017-01-20 | Don't use each() | Andrey Andreev | 1 | -2/+2 | |
Will be deprecated in PHP 7.2 | |||||
2017-01-17 | [ci skip] Merge pull request #4986 from ka7/feature/spelling | Andrey Andreev | 1 | -1/+1 | |
Spelling fixes in comment blocks and docs | |||||
2017-01-04 | [ci skip] Protect CSRF verification from timing side-channel attacks | Andrey Andreev | 1 | -6/+8 | |
2017-01-04 | Fix an XSS vulnerability | Andrey Andreev | 1 | -1/+1 | |
2017-01-03 | Update copyright data to 2017 | Master Yoda | 1 | -2/+2 | |
2016-10-28 | [ci skip] xss_clean() hardening | Andrey Andreev | 1 | -10/+11 | |
- percent-sign tag (IE) - data: URI scheme inclinding whitespace (Chrome) | |||||
2016-10-26 | Fix #4877 | Andrey Andreev | 1 | -5/+29 | |
2016-09-27 | Fix entity_decode() issue | Andrey Andreev | 1 | -17/+22 | |
2016-08-29 | Merge pull request #4785 from guitarrist/develop | Andrey Andreev | 1 | -1/+1 | |
[ci skip] Fix a comment typo | |||||
2016-07-28 | Remove dead code written for PHP 5.2 | Andrey Andreev | 1 | -6/+1 | |
2016-03-07 | Fix #4475 | Andrey Andreev | 1 | -1/+8 | |
2016-01-11 | [ci skip] Update ellislab.com links to https too | Andrey Andreev | 1 | -1/+1 | |
2016-01-11 | [ci skip] Update codeigniter.com links to https | Andrey Andreev | 1 | -2/+2 | |
2016-01-11 | [ci skip] Bump year to 2016 | Andrey Andreev | 1 | -2/+2 | |
2015-11-24 | Use PHP7's random_bytes() when possible | Andrey Andreev | 1 | -0/+16 | |
Close #4260 | |||||
2015-10-31 | Harden xss_clean() | Andrey Andreev | 1 | -27/+39 | |
2015-10-05 | Some more intrusive XSS cleaning | Andrey Andreev | 1 | -5/+11 | |
2015-10-02 | More XSS stuff | Andrey Andreev | 1 | -1/+1 | |
2015-09-21 | More XSS stuff | Andrey Andreev | 1 | -3/+3 | |
2015-09-17 | Don't allow open-ended tags to pass through xss_clean() | Andrey Andreev | 1 | -4/+9 | |
This was a regression caused by the previous commit | |||||
2015-09-17 | Refactor 'evil attributes' sanitization logic | Andrey Andreev | 1 | -92/+66 | |
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes(). | |||||
2015-09-15 | Missing character in the evil attributes pattern | Andrey Andreev | 1 | -1/+1 | |
2015-09-14 | Another addition to tag detection patterns in xss_clean() | Andrey Andreev | 1 | -1/+4 | |
2015-09-14 | Add 'eval' to a JS blacklist in xss_clean() | Andrey Andreev | 1 | -7/+10 | |
2015-09-14 | Move _remove_evil_attributes() call | Andrey Andreev | 1 | -4/+3 | |
2015-09-11 | Harden xss_clean() more | Andrey Andreev | 1 | -5/+37 | |
This time eliminate false positives for the 'naughty html' logic. | |||||
2015-09-11 | Improve on previous commit | Andrey Andreev | 1 | -1/+1 | |
2015-09-11 | Replace the latest XSS patches | Andrey Andreev | 1 | -9/+21 | |
This one fixes yet another issue, is cleaner and faster. | |||||
2015-09-10 | Last commit didn't adjust a RE index | Andrey Andreev | 1 | -1/+1 | |
2015-09-10 | Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 | Andrey Andreev | 1 | -2/+2 | |
2015-09-10 | Fix #4106 | Andrey Andreev | 1 | -2/+2 | |
2015-07-15 | Fix a Typo | Mohammad Sadegh Dehghan Niri | 1 | -1/+1 | |
2015-03-26 | Minor fixes in CI_Security::entity_decode() | Andrey Andreev | 1 | -4/+4 | |
2015-03-26 | Add FSCommand and seekSegmentTime to evil HTML attributes list | Andrey Andreev | 1 | -1/+1 | |
2015-02-17 | Fix #3572: CI_Security::_remove_evil_attributes() | Andrey Andreev | 1 | -21/+6 | |
2015-02-09 | Fix #3579 | Andrey Andreev | 1 | -2/+2 | |
2015-01-29 | fix typo in comments | Claudio Galdiolo | 1 | -1/+1 | |
2015-01-21 | Remove closing blocks at end of PHP files | vlakoff | 1 | -3/+0 | |
2015-01-20 | [ci skip] Change some log messages' level | Andrey Andreev | 1 | -4/+3 | |
'Class Loaded' type of messages flood log files when log_threshold is set to 2 (debug). They're now logged as 'info' level. This is manually applying PR #1528, which was created to do the same thing, but became outdated. | |||||
2015-01-09 | Bulk (mostly documentation) update | Andrey Andreev | 1 | -3/+3 | |
- Remove PHP version from license notices - Bump year number in copyright notices - Recommend PHP 5.4 or newer to be used - Tell Travis-CI to test on PHP 5.3.0 instead of the latest 5.3 version Related: #3450 | |||||
2015-01-09 | Fix E_WARNING in CI_Security::entity_decode() on PHP<5.3.4 | Andrey Andreev | 1 | -1/+6 | |
Related: #3057 Previous commit: 487d1ae060e6414e0a59c9752a4914fa3b8c4710 | |||||
2014-12-16 | Remove trailing newline | Jason Taylor | 1 | -1/+1 | |
2014-12-16 | Fix Issue #3417 | warpcode | 1 | -2/+2 | |