path: root/system/core
Age | Commit message | Author | Files | Lines
2014-02-13 | Introducing compatibility layers | Andrey Andreev | 3 | -0/+366
    - Limited support for mbstring (mb_strlen(), mb_strpos(), mb_substr() only) via iconv. Falls back to regular strlen(), strpos(), substr() if iconv is not available.
    - Password hashing, dependent on CRYPT_BLOWFISH (2y version, available since PHP 5.3.7) availability.
2014-02-12 | Move mbstring/iconv configuration and MB_ENABLED, ICONV_ENABLED out of CI_Utf8::__construct() | Andrey Andreev | 2 | -38/+48
    Also, use mb_substitute_character() instead of ini_set()
2014-02-11 | Utf8/iconv/mbstring-related changes | Andrey Andreev | 1 | -6/+27
2014-02-11 | 2013 > 2014 | darwinel | 17 | -17/+17
    Update copyright notices from 2013 to 2014. And update one calendar example in user_guide from year 2013/2014 to 2014/2015.
2014-02-10 | CI_Security: URL-decode until possible | Andrey Andreev | 1 | -1/+5
2014-02-10 | [ci skip] Fix a typo | Andrey Andreev | 1 | -1/+1
2014-02-10 | CI_Security: Expect a backslash as a tag separator | Andrey Andreev | 1 | -2/+2
2014-02-10 | CI_Security: Filter jscript, wscript, vbs, confirm, prompt the same way as javascript, alert | Andrey Andreev | 1 | -6/+10
2014-02-08 | Deprecate CI_Config::system_url() | Andrey Andreev | 1 | -0/+1
2014-02-08 | CI_Input tweaks | Andrey Andreev | 1 | -65/+20
    - Make get_post(), post_get() and server()'s parameter mandatory.
    - Change default value of parameter to NULL for cookie(), input_stream() and _fetch_from_array() (for consistency with get(), post()).
    - Delegate Array-vs-single and parameter detection to _fetch_from_array() to overall simplify the code.
2014-02-03 | [ci skip] Update info on function_usable | Andrey Andreev | 1 | -0/+5
2014-01-30 | Previous 2 commits were just dumb | Andrey Andreev | 1 | -2/+2
2014-01-25 | Add <math> to 'naughty' HTML elements | Andrey Andreev | 1 | -1/+1
2014-01-25 | Previous commit caused side effects ... | Andrey Andreev | 1 | -2/+2
2014-01-25 | Fix CI_Security::_remove_evil_attributes() being way too aggressive | Andrey Andreev | 1 | -2/+2
2014-01-25 | Re-add 'on\w*' to evil attributes (rel #2667) | Andrey Andreev | 1 | -2/+1
2014-01-25 | Partially fix #2667 | Andrey Andreev | 1 | -2/+8
2014-01-24 | [ci skip] Add a link to PHP bug 54709 in is_really_writable()'s docblock | Andrey Andreev | 1 | -0/+1
2014-01-24 | CI_Security: Also add <svg> to 'naughty' HTML elements | Andrey Andreev | 1 | -1/+1
2014-01-24 | CI_Security: Add <select> and <keygen> tags to the list of 'naughty' HTML elements | Andrey Andreev | 1 | -1/+1
2014-01-24 | Fix syntax errors | Andrey Andreev | 1 | -2/+2
2014-01-24 | CI_Security: Add 'form' and 'xlink:href' to evil attributes | Andrey Andreev | 1 | -1/+1
2014-01-24 | Add &newline; and &tab; to CI_Security:: | Andrey Andreev | 1 | -1/+3
2014-01-22 | CI_Security::_decode_entity() to replace dangerous HTML5 entities | Andrey Andreev | 1 | -1/+19
    Related to issue #2771
2014-01-21 | Add <button> to the list of 'naughty' html elements in CI_Security::xss_clean() | Andrey Andreev | 1 | -2/+2
2014-01-20 | Fix #2729 | Andrey Andreev | 1 | -2/+3
2014-01-20 | Merge branch 'develop' into feature/output_compressed_cache | Andrey Andreev | 1 | -4/+4
2014-01-18 | Fix #2829 | Andrey Andreev | 1 | -4/+4
2014-01-18 | Merge branch 'develop' into feature/output_compressed_cache | Andrey Andreev | 1 | -1/+1
2014-01-18 | Fix 2 Router-related errors | Andrey Andreev | 1 | -1/+1
2014-01-18 | Merge branch 'develop' into feature/output_compressed_cache | Andrey Andreev | 1 | -0/+3
2014-01-18 | Fix CI_URI:: not being properly indexed | Andrey Andreev | 1 | -0/+3
2014-01-18 | Merge branch 'develop' into feature/output_compressed_cache | Andrey Andreev | 5 | -355/+293
2014-01-18 | Fix #2827 | Andrey Andreev | 1 | -1/+1
2014-01-17 | Merge branch 'feature/uri_routing_overhaul' into 'develop' | Andrey Andreev | 3 | -352/+283
2014-01-17 | Add autoloading library aliasing support (supersedes PR #2824) | Andrey Andreev | 1 | -2/+9
2014-01-16 | URI Routing overhaul | Andrey Andreev | 3 | -352/+283
    - Allow multiple levels of controller directories (supersedes PRs #390, #2439)
    - Add support for per-directory 'default_controller' and '404_override' (resolves issue #2611; supersedes PR #939)
    - Fixed a bug where default_controller was called instead of triggering 404 if the current route is inside a directory
    - Removed a few calls from CI_Router to CI_URI that made a necessity for otherwise internal CI_URI methods to be public:
      - Removed CI_URI::_fetch_uri_string() and moved its logic into CI_URI::__construct()
      - Removed CI_URI::_remove_url_suffix, CI_URI::_explode_segments() and moved their logic into CI_URI::_set_uri_string()
      - Removed CI_URI::_reindex_segments() altogether ( doesn't need further manipulation, while is public anyway and can be properly (and more effectively) replaced on the spot)
2014-01-15 | Fix #2799 by adding conditional PCRE UTF-8 support to CI_URI::filter_uri() | Andrey Andreev | 2 | -2/+2
    Also did a tiny micro-optimization in the Utf8 class.
2014-01-15 | Merge changes from develop | Andrey Andreev | 5 | -61/+82
2014-01-15 | Fix #2822: Incorrect usage of fwrite() | Andrey Andreev | 2 | -15/+41
    We only used to check (and not always) if the return value of fwrite() is boolean FALSE, while it is possible that the otherwise returned bytecount is less than the length of data that we're trying to write. This allowed incomplete writes over network streams and possibly a few other edge cases.
2014-01-15 | CI_URI changes related to the 'permitted_uri_chars' setting | Andrey Andreev | 2 | -15/+26
    - Initialize and cache the value in the class constructor instead of searching for it every time
    - Removed the preg_quote() call from _filter_uri() to allow more fine-tuning from configuration
    - Renamed _filter_uri() to filter_uri() - it was public anyway and using it cannot break anything
    Related: issue #2799
2014-01-15 | Fix incorrect checks for the fwrite() return value | Andrey Andreev | 1 | -1/+1
    ! fwrite() could trigger false-positives as it is possible for it to return 0 instead of boolean FALSE. (issue #2822)
    Also removed an unnecessary log level check that caused an extra space to be inserted for the INFO level. (proposed in PR #2821)
2014-01-10 | Finally get rid of the CI_Router::_set_overrides() calls | Andrey Andreev | 2 | -38/+23
2014-01-10 | Use config_item() in CI_Output::__construct() | Andrey Andreev | 1 | -3/+1
2014-01-10 | Compress output before storing it to cache, if output compression is enabled | Andrey Andreev | 1 | -20/+62
    Based on PR #964
2014-01-08 | Make newline standardization configurable | Andrey Andreev | 1 | -4/+5
    Added ['standardize_newlines']
    Also altered the Session cookie driver, which experienced issues with this feature due to its HMAC verification failing after the Input class alters newlines in non-encrypted session cookies.
    Supersedes PR #2470
2014-01-08 | Fix #346 | Andrey Andreev | 1 | -14/+24
    When ['global_xss_filtering'] was turned on, the , , & superglobals were automatically overwritten. This resulted in one of the following problems:
    - xss_clean() being called twice
    - Inability to retrieve the original (not filtered) value
    XSS filtering is now only applied on demand by the Input class, and the default value for the parameter in CI_Input methods is changed to NULL. Unless a boolean value is passed to them, whether XSS filtering is applied depends on the ['global_xss_filtering'] value.
2014-01-08 | Fix #148 | Andrey Andreev | 1 | -4/+6
    CI_Input::_clean_input_data() assumed that all input data is URL-encoded while sanitizing it. However, PHP already performs URL-decoding on it, so this is either redundant or overly intrusive as it resulted in many, many reports of data containing '%' followed by 1 numeric characters being essentially destroyed.
    Supersedes PR #1229
2014-01-08 | Optimize get_instance() calls/assignments | Andrey Andreev | 2 | -4/+2
2014-01-08 | Update the CI_Hooks class | Marcos SF Filho | 1 | -18/+16