Age | Commit message | Author | Files | Lines | |
---|---|---|---|---|---|
2017-01-04 | [ci skip] Protect CSRF verification from timing side-channel attacks | Andrey Andreev | 1 | -6/+8 | |
2017-01-04 | Fix an XSS vulnerability | Andrey Andreev | 1 | -1/+1 | |
2017-01-03 | Update copyright data to 2017 | Master Yoda | 1 | -2/+2 | |
2016-10-28 | [ci skip] xss_clean() hardening | Andrey Andreev | 1 | -10/+11 | |
- percent-sign tag (IE) - data: URI scheme including whitespace (Chrome) | |||||
2016-10-26 | Fix #4877 | Andrey Andreev | 1 | -5/+29 | |
2016-09-27 | Fix entity_decode() issue | Andrey Andreev | 1 | -17/+22 | |
2016-08-29 | Merge pull request #4785 from guitarrist/develop | Andrey Andreev | 1 | -1/+1 | |
[ci skip] Fix a comment typo | |||||
2016-07-28 | Remove dead code written for PHP 5.2 | Andrey Andreev | 1 | -6/+1 | |
2016-03-07 | Fix #4475 | Andrey Andreev | 1 | -1/+8 | |
2016-01-11 | [ci skip] Update ellislab.com links to https too | Andrey Andreev | 1 | -1/+1 | |
2016-01-11 | [ci skip] Update codeigniter.com links to https | Andrey Andreev | 1 | -2/+2 | |
2016-01-11 | [ci skip] Bump year to 2016 | Andrey Andreev | 1 | -2/+2 | |
2015-11-24 | Use PHP7's random_bytes() when possible | Andrey Andreev | 1 | -0/+16 | |
Close #4260 | |||||
2015-10-31 | Harden xss_clean() | Andrey Andreev | 1 | -27/+39 | |
2015-10-05 | Some more intrusive XSS cleaning | Andrey Andreev | 1 | -5/+11 | |
2015-10-02 | More XSS stuff | Andrey Andreev | 1 | -1/+1 | |
2015-09-21 | More XSS stuff | Andrey Andreev | 1 | -3/+3 | |
2015-09-17 | Don't allow open-ended tags to pass through xss_clean() | Andrey Andreev | 1 | -4/+9 | |
This was a regression caused by the previous commit | |||||
2015-09-17 | Refactor 'evil attributes' sanitization logic | Andrey Andreev | 1 | -92/+66 | |
Turned out pretty much impossible to remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done separately for _sanitize_naughty_html() and _remove_evil_attributes(). | |||||
2015-09-15 | Missing character in the evil attributes pattern | Andrey Andreev | 1 | -1/+1 | |
2015-09-14 | Another addition to tag detection patterns in xss_clean() | Andrey Andreev | 1 | -1/+4 | |
2015-09-14 | Add 'eval' to a JS blacklist in xss_clean() | Andrey Andreev | 1 | -7/+10 | |
2015-09-14 | Move _remove_evil_attributes() call | Andrey Andreev | 1 | -4/+3 | |
2015-09-11 | Harden xss_clean() more | Andrey Andreev | 1 | -5/+37 | |
This time eliminate false positives for the 'naughty html' logic. | |||||
2015-09-11 | Improve on previous commit | Andrey Andreev | 1 | -1/+1 | |
2015-09-11 | Replace the latest XSS patches | Andrey Andreev | 1 | -9/+21 | |
This one fixes yet another issue, is cleaner and faster. | |||||
2015-09-10 | Last commit didn't adjust a RE index | Andrey Andreev | 1 | -1/+1 | |
2015-09-10 | Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 | Andrey Andreev | 1 | -2/+2 | |
2015-09-10 | Fix #4106 | Andrey Andreev | 1 | -2/+2 | |
2015-07-15 | Fix a Typo | Mohammad Sadegh Dehghan Niri | 1 | -1/+1 | |
2015-03-26 | Minor fixes in CI_Security::entity_decode() | Andrey Andreev | 1 | -4/+4 | |
2015-03-26 | Add FSCommand and seekSegmentTime to evil HTML attributes list | Andrey Andreev | 1 | -1/+1 | |
2015-02-17 | Fix #3572: CI_Security::_remove_evil_attributes() | Andrey Andreev | 1 | -21/+6 | |
2015-02-09 | Fix #3579 | Andrey Andreev | 1 | -2/+2 | |
2015-01-29 | fix typo in comments | Claudio Galdiolo | 1 | -1/+1 | |
2015-01-21 | Remove closing blocks at end of PHP files | vlakoff | 1 | -3/+0 | |
2015-01-20 | [ci skip] Change some log messages' level | Andrey Andreev | 1 | -4/+3 | |
'Class Loaded' type of messages flood log files when log_threshold is set to 2 (debug). They're now logged as 'info' level. This is manually applying PR #1528, which was created to do the same thing, but became outdated. | |||||
2015-01-09 | Bulk (mostly documentation) update | Andrey Andreev | 1 | -3/+3 | |
- Remove PHP version from license notices - Bump year number in copyright notices - Recommend PHP 5.4 or newer to be used - Tell Travis-CI to test on PHP 5.3.0 instead of the latest 5.3 version Related: #3450 | |||||
2015-01-09 | Fix E_WARNING in CI_Security::entity_decode() on PHP<5.3.4 | Andrey Andreev | 1 | -1/+6 | |
Related: #3057 Previous commit: 487d1ae060e6414e0a59c9752a4914fa3b8c4710 | |||||
2014-12-16 | Remove trailing newline | Jason Taylor | 1 | -1/+1 | |
2014-12-16 | Fix Issue #3417 | warpcode | 1 | -2/+2 | |
2014-12-08 | Fix 'Array to string conversion' notice in CSRF validation | Andrey Andreev | 1 | -2/+2 | |
Rel: #3398 | |||||
2014-10-27 | [ci skip] Switch to MIT license; close #3293 | Andrey Andreev | 1 | -14/+25 | |
2014-10-06 | Update a config_item() use case for the new NULL return value | Andrey Andreev | 1 | -1/+1 | |
2014-10-05 | config_item() to return NULL instead of FALSE for non-existing items | Andrey Andreev | 1 | -3/+3 | |
Close #3001 Close #3232 Related: #3244 | |||||
2014-10-02 | stream_set_chunk_size() requires PHP 5.4 | Andrey Andreev | 1 | -1/+2 | |
2014-09-30 | Make sure we don't waste entropy | Andrey Andreev | 1 | -0/+1 | |
2014-09-28 | [ci skip] Remove references to 'PHP5' from comments | Andrey Andreev | 1 | -1/+1 | |
2014-09-17 | Fix a defined() check | Andrey Andreev | 1 | -1/+1 | |
Close #3233 | |||||
2014-09-12 | Fix #3228 | Andrey Andreev | 1 | -2/+0 | |