Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2016-03-07 | Fix #4475 | Andrey Andreev | 1 | -1/+8 | |
2016-01-11 | [ci skip] Update ellislab.com links to https too | Andrey Andreev | 1 | -1/+1 | |
2016-01-11 | [ci skip] Update codeigniter.com links to https | Andrey Andreev | 1 | -2/+2 | |
2016-01-11 | [ci skip] Bump year to 2016 | Andrey Andreev | 1 | -2/+2 | |
2015-11-24 | Use PHP7's random_bytes() when possible | Andrey Andreev | 1 | -0/+16 | |
Close #4260 | |||||
2015-10-31 | Harden xss_clean() | Andrey Andreev | 1 | -27/+39 | |
2015-10-05 | Some more intrusive XSS cleaning | Andrey Andreev | 1 | -5/+11 | |
2015-10-02 | More XSS stuff | Andrey Andreev | 1 | -1/+1 | |
2015-09-21 | More XSS stuff | Andrey Andreev | 1 | -3/+3 | |
2015-09-17 | Don't allow open-ended tags to pass through xss_clean() | Andrey Andreev | 1 | -4/+9 | |
This was a regression caused by the previous commit | |||||
2015-09-17 | Refactor 'evil attributes' sanitization logic | Andrey Andreev | 1 | -92/+66 | |
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes(). | |||||
2015-09-15 | Missing character in the evil attributes pattern | Andrey Andreev | 1 | -1/+1 | |
2015-09-14 | Another addition to tag detection patterns in xss_clean() | Andrey Andreev | 1 | -1/+4 | |
2015-09-14 | Add 'eval' to a JS blacklist in xss_clean() | Andrey Andreev | 1 | -7/+10 | |
2015-09-14 | Move _remove_evil_attributes() call | Andrey Andreev | 1 | -4/+3 | |
2015-09-11 | Harden xss_clean() more | Andrey Andreev | 1 | -5/+37 | |
This time eliminate false positives for the 'naughty html' logic. | |||||
2015-09-11 | Improve on previous commit | Andrey Andreev | 1 | -1/+1 | |
2015-09-11 | Replace the latest XSS patches | Andrey Andreev | 1 | -9/+21 | |
This one fixes yet another issue, is cleaner and faster. | |||||
2015-09-10 | Last commit didn't adjust a RE index | Andrey Andreev | 1 | -1/+1 | |
2015-09-10 | Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 | Andrey Andreev | 1 | -2/+2 | |
2015-09-10 | Fix #4106 | Andrey Andreev | 1 | -2/+2 | |
2015-07-15 | Fix a Typo | Mohammad Sadegh Dehghan Niri | 1 | -1/+1 | |
2015-03-26 | Minor fixes in CI_Security::entity_decode() | Andrey Andreev | 1 | -4/+4 | |
2015-03-26 | Add FSCommand and seekSegmentTime to evil HTML attributes list | Andrey Andreev | 1 | -1/+1 | |
2015-02-17 | Fix #3572: CI_Security::_remove_evil_attributes() | Andrey Andreev | 1 | -21/+6 | |
2015-02-09 | Fix #3579 | Andrey Andreev | 1 | -2/+2 | |
2015-01-29 | fix typo in comments | Claudio Galdiolo | 1 | -1/+1 | |
2015-01-21 | Remove closing blocks at end of PHP files | vlakoff | 1 | -3/+0 | |
2015-01-20 | [ci skip] Change some log messages' level | Andrey Andreev | 1 | -4/+3 | |
'Class Loaded' type of messages flood log files when log_threshold is set to 2 (debug). They're now logged as 'info' level. This is manually applying PR #1528, which was created to do the same thing, but became outdated. | |||||
2015-01-09 | Bulk (mostly documentation) update | Andrey Andreev | 1 | -3/+3 | |
- Remove PHP version from license notices - Bump year number in copyright notices - Recommend PHP 5.4 or newer to be used - Tell Travis-CI to test on PHP 5.3.0 instead of the latest 5.3 version Related: #3450 | |||||
2015-01-09 | Fix E_WARNING in CI_Security::entity_decode() on PHP<5.3.4 | Andrey Andreev | 1 | -1/+6 | |
Related: #3057 Previous commit: 487d1ae060e6414e0a59c9752a4914fa3b8c4710 | |||||
2014-12-16 | Remove trailing newline | Jason Taylor | 1 | -1/+1 | |
2014-12-16 | Fix Issue #3417 | warpcode | 1 | -2/+2 | |
2014-12-08 | Fix 'Array to string conversion' notice in CSRF validation | Andrey Andreev | 1 | -2/+2 | |
Rel: #3398 | |||||
2014-10-27 | [ci skip] Switch to MIT license; close #3293 | Andrey Andreev | 1 | -14/+25 | |
2014-10-06 | Update a config_item() use case for the new NULL return value | Andrey Andreev | 1 | -1/+1 | |
2014-10-05 | config_item() to return NULL instead of FALSE for non-existing items | Andrey Andreev | 1 | -3/+3 | |
Close #3001 Close #3232 Related: #3244 | |||||
2014-10-02 | stream_set_chunk_size() requires PHP 5.4 | Andrey Andreev | 1 | -1/+2 | |
2014-09-30 | Make sure we don't waste entropy | Andrey Andreev | 1 | -0/+1 | |
2014-09-28 | [ci skip] Remove references to 'PHP5' from comments | Andrey Andreev | 1 | -1/+1 | |
2014-09-17 | Fix a defined() check | Andrey Andreev | 1 | -1/+1 | |
Close #3233 | |||||
2014-09-12 | Fix #3228 | Andrey Andreev | 1 | -2/+0 | |
2014-08-28 | Fix CI_Security::get_random_bytes() length validation | Andrey Andreev | 1 | -1/+1 | |
2014-08-27 | Add CI_Security::get_random_bytes() for CSRF & XSS token generation | Andrey Andreev | 1 | -7/+54 | |
2014-08-18 | [ci skip] Polish changes from PR #3176 | Andrey Andreev | 1 | -6/+6 | |
2014-08-18 | Alter Pull #3176 to follow discussion | caseyh | 1 | -4/+4 | |
2014-08-11 | CSRF whitelist supports regex | Casey Hancock | 1 | -4/+7 | |
Signed-off-by: Casey Hancock <crh431@gmail.com> | |||||
2014-08-05 | Fix #3123 | Andrey Andreev | 1 | -1/+1 | |
2014-07-14 | Add changelog entry for CSRF status code; remove line at EOF | Kyle Valade | 1 | -1/+1 | |
2014-07-06 | Return 403 instead of 500 if no CSRF token given | Kyle Valade | 1 | -2/+2 | |
Not supplying a CSRF token shouldn't return a 500 response because it isn't a server error. The response status code should definitely be in the 400's, because it's the client's fault. And it should be a 403 because the client is forbidden from making that request without the appropriate credential (the CSRF token), though the request may be otherwise valid. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes |