summaryrefslogtreecommitdiffstats
path: root/system/core
AgeCommit message (Collapse)AuthorFilesLines
2016-01-20[ci skip] Fix a documentation error on output cache timesAndrey Andreev1-1/+1
2016-01-13[ci skip] Mark the start of 3.0.5 developmentAndrey Andreev1-1/+1
2016-01-11[ci skip] Update ellislab.com links to https tooAndrey Andreev21-21/+21
2016-01-11[ci skip] Update codeigniter.com links to httpsAndrey Andreev21-42/+42
2016-01-11[ci skip] Bump year to 2016Andrey Andreev21-42/+42
2016-01-04Fix #4350Andrey Andreev1-1/+31
2015-12-07Merge pull request #4291 from b-kaxa/fix-phpdocAndrey Andreev2-1/+2
[ci skip] phpdoc adjustments in CI_Router and CI_URI
2015-11-24Use PHP7's random_bytes() when possibleAndrey Andreev1-0/+16
Close #4260
2015-11-09Merge pull request #4217 from natesilva/fix-ipv6-base_urlAndrey Andreev1-1/+10
Build base_url correctly if SERVER_ADDR is IPv6
2015-11-04[ci skip] Start of 3.0.4 developmentAndrey Andreev1-1/+1
2015-10-31[ci skip] Update changelog, version & upgrade instructionsAndrey Andreev1-1/+1
2015-10-31Prevent Host header injectionsAndrey Andreev1-4/+2
2015-10-31Harden xss_clean()Andrey Andreev1-27/+39
2015-10-30Fix #3201Andrey Andreev1-1/+6
2015-10-12[ci skip] This is 3.0.3-devAndrey Andreev1-1/+1
2015-10-08[ci skip] Prepare 3.0.2 releaseAndrey Andreev1-1/+1
2015-10-05Some more intrusive XSS cleaningAndrey Andreev1-5/+11
2015-10-02More XSS stuffAndrey Andreev1-1/+1
2015-09-24Fix #4137Andrey Andreev1-1/+1
2015-09-21More XSS stuffAndrey Andreev1-3/+3
2015-09-17Don't allow open-ended tags to pass through xss_clean()Andrey Andreev1-4/+9
This was a regression caused by the previous commit
2015-09-17Refactor 'evil attributes' sanitization logicAndrey Andreev1-92/+66
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes().
2015-09-15Missing character in the evil attributes patternAndrey Andreev1-1/+1
2015-09-14Another addition to tag detection patterns in xss_clean()Andrey Andreev1-1/+4
2015-09-14Close #4098Andrey Andreev1-2/+18
2015-09-14Fix #4109Andrey Andreev1-20/+22
2015-09-14Add 'eval' to a JS blacklist in xss_clean()Andrey Andreev1-7/+10
2015-09-14Move _remove_evil_attributes() callAndrey Andreev1-4/+3
2015-09-11Harden xss_clean() moreAndrey Andreev1-5/+37
This time eliminate false positives for the 'naughty html' logic.
2015-09-11Improve on previous commitAndrey Andreev1-1/+1
2015-09-11Replace the latest XSS patchesAndrey Andreev1-9/+21
This one fixes yet another issue, is cleaner and faster.
2015-09-10Last commit didn't adjust a RE indexAndrey Andreev1-1/+1
2015-09-10Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4Andrey Andreev1-2/+2
2015-09-10Fix #4106Andrey Andreev1-2/+2
2015-09-07Remove unnecessary count() calls from _sanitize_globals()Andrey Andreev1-3/+3
foreach() just won't execute for an empty array, it does that check internally.
2015-09-07Move csrf_verify() call out of _sanitize_globals()Andrey Andreev1-6/+6
It doesn't belong in there.
2015-08-17Allow capitals in the middle of model namesAndrey Andreev1-1/+1
Requested in #4059
2015-08-15Fix #4056Andrey Andreev1-1/+1
2015-08-14Fix #4052Andrey Andreev1-20/+0
The bug actually had two instances: - Callback routes with literal matches and HTTP verbs has never worked - The reported issue in #4052, which is a regression introduced in 3.0.1 with abc299b3a234eb7da1b7e3d257b7eba2da649219 Removed the literal matches logic altogether to avoid similar issues in the future and reduce code complexity. The same logic is performed with the regular expressions logic.
2015-08-13Fix typo in commentsClaudio Galdiolo1-1/+1
2015-08-07[ci skip] Start of 3.0.2-devAndrey Andreev1-1/+1
2015-08-05Fix #4027Andrey Andreev1-8/+12
2015-08-03[ci skip] Normalize tabs/spacesAndrey Andreev2-3/+3
Partial changes from PR #4016
2015-07-28Fix #4005Andrey Andreev1-1/+1
2015-07-27Close #4004Andrey Andreev1-1/+3
2015-07-24Fixed typosCalvin Tam1-1/+1
2015-07-22Remove eval()-related logic from function_exists()Andrey Andreev1-13/+3
#3991 shows that all such checks are useless as function_exists('eval') will always return FALSE.
2015-07-22Add class_exists() checks to CI_Loader::model()Andrey Andreev1-12/+26
Helps debugging in case of controller/model/library class name collision.
2015-07-22Fix #3991Andrey Andreev1-1/+1
2015-07-17Fix #3752Andrey Andreev1-21/+22