path: root/system/core
Age | Commit message | Author | Files | Lines
2015-09-14 | Add 'eval' to a JS blacklist in xss_clean() | Andrey Andreev | 1 | -7/+10
2015-09-14 | Move _remove_evil_attributes() call | Andrey Andreev | 1 | -4/+3
2015-09-11 | Harden xss_clean() more | Andrey Andreev | 1 | -5/+37
This time eliminate false positives for the 'naughty html' logic.
2015-09-11 | Improve on previous commit | Andrey Andreev | 1 | -1/+1
2015-09-11 | Replace the latest XSS patches | Andrey Andreev | 1 | -9/+21
This one fixes yet another issue, is cleaner and faster.
2015-09-10 | Last commit didn't adjust a RE index | Andrey Andreev | 1 | -1/+1
2015-09-10 | Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 | Andrey Andreev | 1 | -2/+2
2015-09-10 | Fix #4106 | Andrey Andreev | 1 | -2/+2
2015-09-07 | Remove unnecessary count() calls from _sanitize_globals() | Andrey Andreev | 1 | -3/+3
foreach() just won't execute for an empty array, it does that check internally.
2015-09-07 | Move csrf_verify() call out of _sanitize_globals() | Andrey Andreev | 1 | -6/+6
It doesn't belong in there.
2015-08-17 | Allow capitals in the middle of model names | Andrey Andreev | 1 | -1/+1
Requested in #4059
2015-08-15 | Fix #4056 | Andrey Andreev | 1 | -1/+1
2015-08-14 | Fix #4052 | Andrey Andreev | 1 | -20/+0
The bug actually had two instances:
- Callback routes with literal matches and HTTP verbs have never worked
- The reported issue in #4052, which is a regression introduced in 3.0.1 with abc299b3a234eb7da1b7e3d257b7eba2da649219
Removed the literal matches logic altogether to avoid similar issues in the future and reduce code complexity. The same logic is performed with the regular expressions logic.
2015-08-13 | Fix typo in comments | Claudio Galdiolo | 1 | -1/+1
2015-08-07 | [ci skip] Start of 3.0.2-dev | Andrey Andreev | 1 | -1/+1
2015-08-05 | Fix #4027 | Andrey Andreev | 1 | -8/+12
2015-08-03 | [ci skip] Normalize tabs/spaces | Andrey Andreev | 2 | -3/+3
Partial changes from PR #4016
2015-07-28 | Fix #4005 | Andrey Andreev | 1 | -1/+1
2015-07-27 | Close #4004 | Andrey Andreev | 1 | -1/+3
2015-07-24 | Fixed typos | Calvin Tam | 1 | -1/+1
2015-07-22 | Remove eval()-related logic from function_exists() | Andrey Andreev | 1 | -13/+3
#3991 shows that all such checks are useless as function_exists('eval') will always return FALSE.
2015-07-22 | Add class_exists() checks to CI_Loader::model() | Andrey Andreev | 1 | -12/+26
Helps debugging in case of controller/model/library class name collision.
2015-07-22 | Fix #3991 | Andrey Andreev | 1 | -1/+1
2015-07-17 | Fix #3752 | Andrey Andreev | 1 | -21/+22
2015-07-15 | [ci skip] Revert styleguide violations from PR #3828 | Andrey Andreev | 1 | -3/+3
2015-07-15 | Merge branch 'patch-1' of github.com:w0den/CodeIgniter into feature/output_cache | Andrey Andreev | 1 | -7/+28
2015-07-15 | Fix a Typo | Mohammad Sadegh Dehghan Niri | 1 | -1/+1
2015-07-06 | fix typo in router class | ftwbzhao | 1 | -1/+1
2015-06-08 | Fix #3890 | Andrey Andreev | 1 | -5/+13
2015-05-11 | Improve Cache Query String behaviour | w0den | 1 | -6/+27
Typically, in most cases, we do not need to cache all the Query String variables. That's why I suggest to improve `Cache Include Query String` behaviour — allow the developer to independently specify which variables should be cached.
For example, consider a query to the following URL address:
http://site.com/search?q=query&page=2&session=abcd&utm_source=web
In this case we don't need to build md5 hash for entire query string, because `session` or `utm_source` can be different for all users. The only variables which should be used for md5 hash should be `q` and `page`. Thus, in `config.php` we can use `$config['cache_query_string'] = array('page', 'q');`.
So:
`$config['cache_query_string'] = FALSE;` → Cache Include Query String is disabled
`$config['cache_query_string'] = TRUE;` → Cache Include Query String is enabled for all
`$config['cache_query_string'] = array('page', 'q');` → enabled only for specified variables
2015-05-02 | Bug Fix manually delete caching method | w0den | 1 | -1/+1
According to documentation, to manually delete cache for page "/foo/bar" we should run $this->output->delete_cache('/foo/bar'), but in this case MD5 hash will be calculated for "http://site.com//foo/bar" and this is why we should pass $uri without beginning slash (i.e., "foo/bar"). But the problem is that there is no way to delete cache for home page because:
1) $this->output->delete_cache('/') — MD5 hash will be calculated for "http://site.com//" and cache file will not be deleted.
2) $this->output->delete_cache('') — MD5 hash will be calculated for "http://site.com/%CURRENT_PAGE%" and again, cache file will not be deleted.
Trimming the beginning slash, we enable ability to delete cache for home page by calling $this->output->delete_cache('/'). Also, this method will work as specified in the documentation.
2015-04-23 | Output cache: Fixing a wrong timestamp. Credits to khoggatt (CodeIgniter forum). | Ivan Tcholakov | 1 | -1/+1
2015-04-20 | [ci skip] Remove whitespace | Andrey Andreev | 1 | -1/+1
2015-04-14 | Status Code Definitions | ftwbzhao | 1 | -0/+4
2015-04-08 | [ci skip] Fix comment typos | Andrey Andreev | 1 | -1/+1
https://github.com/bcit-ci/CodeIgniter/pull/3748#issuecomment-90925762
2015-04-08 | typo | mult1mate | 1 | -1/+1
2015-04-04 | Fix #3733 | Andrey Andreev | 1 | -4/+1
Close #3734
2015-04-01 | [ci skip] Update version numbers | Andrey Andreev | 1 | -1/+1
2015-04-01 | Mitigate potential DoS attacks against hash_pbkdf2() | Andrey Andreev | 1 | -2/+49
Related: #3720
2015-03-31 | [ci skip] Fix a wrong docblock link | Andrey Andreev | 1 | -1/+1
2015-03-31 | Merge branch 'develop' of github.com:bcit-ci/CodeIgniter into develop | Andrey Andreev | 1 | -1/+1
2015-03-31 | [ci skip] Update version number | Andrey Andreev | 1 | -1/+1
2015-03-30 | Fix whitespace in previous commit | mwhitneysdsu | 1 | -1/+1
2015-03-30 | Fix logged path to match checked path in loader | mwhitneysdsu | 1 | -1/+1
This is to fix a logged path missed in 8f5c1780706113c926bb7801db27dbae97d00fcf
2015-03-30 | Use tabs instead of spaces | Cyrille TOULET | 1 | -11/+11
Signed-off-by: Cyrille TOULET <cyrille.toulet@linux.com>
2015-03-29 | Fix an "strpos(): Empty needle" warning | Cyrille TOULET | 1 | -8/+11
Signed-off-by: Cyrille TOULET <cyrille.toulet@linux.com>
2015-03-27 | Fix an "strpos(): Empty needle" warning | Cyrille TOULET | 1 | -2/+2
Signed-off-by: Cyrille TOULET <cyrille.toulet@linux.com>
2015-03-26 | Minor fixes in CI_Security::entity_decode() | Andrey Andreev | 1 | -4/+4
2015-03-26 | Add FSCommand and seekSegmentTime to evil HTML attributes list | Andrey Andreev | 1 | -1/+1
2015-03-25 | Merge pull request #3696 from logsdon/develop | Andrey Andreev | 1 | -0/+5
Allow html_escape() to accept empty arrays