Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2015-10-31 | [ci skip] Update changelog, version & upgrade instructions | Andrey Andreev | 1 | -1/+1 | |
2015-10-31 | Prevent Host header injections | Andrey Andreev | 1 | -4/+2 | |
2015-10-31 | Harden xss_clean() | Andrey Andreev | 1 | -27/+39 | |
2015-10-30 | Fix #3201 | Andrey Andreev | 1 | -1/+6 | |
2015-10-12 | [ci skip] This is 3.0.3-dev | Andrey Andreev | 1 | -1/+1 | |
2015-10-08 | [ci skip] Prepare 3.0.2 release | Andrey Andreev | 1 | -1/+1 | |
2015-10-05 | Some more intrusive XSS cleaning | Andrey Andreev | 1 | -5/+11 | |
2015-10-02 | More XSS stuff | Andrey Andreev | 1 | -1/+1 | |
2015-09-24 | Fix #4137 | Andrey Andreev | 1 | -1/+1 | |
2015-09-21 | More XSS stuff | Andrey Andreev | 1 | -3/+3 | |
2015-09-17 | Don't allow open-ended tags to pass through xss_clean() | Andrey Andreev | 1 | -4/+9 | |
This was a regression caused by the previous commit | |||||
2015-09-17 | Refactor 'evil attributes' sanitization logic | Andrey Andreev | 1 | -92/+66 | |
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes(). | |||||
2015-09-15 | Missing character in the evil attributes pattern | Andrey Andreev | 1 | -1/+1 | |
2015-09-14 | Another addition to tag detection patterns in xss_clean() | Andrey Andreev | 1 | -1/+4 | |
2015-09-14 | Close #4098 | Andrey Andreev | 1 | -2/+18 | |
2015-09-14 | Fix #4109 | Andrey Andreev | 1 | -20/+22 | |
2015-09-14 | Add 'eval' to a JS blacklist in xss_clean() | Andrey Andreev | 1 | -7/+10 | |
2015-09-14 | Move _remove_evil_attributes() call | Andrey Andreev | 1 | -4/+3 | |
2015-09-11 | Harden xss_clean() more | Andrey Andreev | 1 | -5/+37 | |
This time eliminate false positives for the 'naughty html' logic. | |||||
2015-09-11 | Improve on previous commit | Andrey Andreev | 1 | -1/+1 | |
2015-09-11 | Replace the latest XSS patches | Andrey Andreev | 1 | -9/+21 | |
This one fixes yet another issue, is cleaner and faster. | |||||
2015-09-10 | Last commit didn't adjust a RE index | Andrey Andreev | 1 | -1/+1 | |
2015-09-10 | Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4 | Andrey Andreev | 1 | -2/+2 | |
2015-09-10 | Fix #4106 | Andrey Andreev | 1 | -2/+2 | |
2015-09-07 | Remove unnecessary count() calls from _sanitize_globals() | Andrey Andreev | 1 | -3/+3 | |
foreach() just won't execute for an empty array, it does that check internally. | |||||
2015-09-07 | Move csrf_verify() call out of _sanitize_globals() | Andrey Andreev | 1 | -6/+6 | |
It doesn't belong in there. | |||||
2015-08-17 | Allow capitals in the middle of model names | Andrey Andreev | 1 | -1/+1 | |
Requested in #4059 | |||||
2015-08-15 | Fix #4056 | Andrey Andreev | 1 | -1/+1 | |
2015-08-14 | Fix #4052 | Andrey Andreev | 1 | -20/+0 | |
The bug actually had two instances: - Callback routes with literal matches and HTTP verbs has never worked - The reported issue in #4052, which is a regression introduced in 3.0.1 with abc299b3a234eb7da1b7e3d257b7eba2da649219 Removed the literal matches logic altogether to avoid similar issues in the future and reduce code complexity. The same logic is performed with the regular expressions logic. | |||||
2015-08-13 | Fix typo in comments | Claudio Galdiolo | 1 | -1/+1 | |
2015-08-07 | [ci skip] Start of 3.0.2-dev | Andrey Andreev | 1 | -1/+1 | |
2015-08-05 | Fix #4027 | Andrey Andreev | 1 | -8/+12 | |
2015-08-03 | [ci skip] Normalize tabs/spaces | Andrey Andreev | 2 | -3/+3 | |
Partial changes from PR #4016 | |||||
2015-07-28 | Fix #4005 | Andrey Andreev | 1 | -1/+1 | |
2015-07-27 | Close #4004 | Andrey Andreev | 1 | -1/+3 | |
2015-07-24 | Fixed typos | Calvin Tam | 1 | -1/+1 | |
2015-07-22 | Remove eval()-related logic from function_exists() | Andrey Andreev | 1 | -13/+3 | |
#3991 shows that all such checks are useless as function_exists('eval') will always return FALSE. | |||||
2015-07-22 | Add class_exists() checks to CI_Loader::model() | Andrey Andreev | 1 | -12/+26 | |
Helps debugging in case of controller/model/library class name collision. | |||||
2015-07-22 | Fix #3991 | Andrey Andreev | 1 | -1/+1 | |
2015-07-17 | Fix #3752 | Andrey Andreev | 1 | -21/+22 | |
2015-07-15 | [ci skip] Revert styleguide violations from PR #3828 | Andrey Andreev | 1 | -3/+3 | |
2015-07-15 | Merge branch 'patch-1' of github.com:w0den/CodeIgniter into feature/output_cache | Andrey Andreev | 1 | -7/+28 | |
2015-07-15 | Fix a Typo | Mohammad Sadegh Dehghan Niri | 1 | -1/+1 | |
2015-07-06 | fix typo in router class | ftwbzhao | 1 | -1/+1 | |
2015-06-08 | Fix #3890 | Andrey Andreev | 1 | -5/+13 | |
2015-05-11 | Improve Cache Query String behaviour | w0den | 1 | -6/+27 | |
Typically, in most cases, we do not need to cache all the Query String variables. That's why I suggest to improve `Cache Include Query String` behaviour — allow the developer to independently specify which variables should be cached. For example, consider a query to the following URL address: http://site.com/search?q=query&page=2&session=abcd&utm_source=web In this case we don't need to build md5 hash for entire query string, because `session` or `utm_source` can be different for all users. The only variables which should be used for md5 hash should be `q` and `page`. Thus, in `config.php` we can use `$config['cache_query_string'] = array('page', 'q');`. So: `$config['cache_query_string'] = FALSE;` → Cache Include Query String is disabled `$config['cache_query_string'] = TRUE;` → Cache Include Query String is enabled for all `$config['cache_query_string'] = array('page', 'q');` → enabled only for specified variables | |||||
2015-05-02 | Bug Fix manually delete caching method | w0den | 1 | -1/+1 | |
According to documentation, to manually delete cache for page "/foo/bar" we should run $this->output->delete_cache('/foo/bar'), but in this case MD5 hash will be calculated for "http://site.com//foo/bar" and this is why, we should pass $uri without beginning slash (ie, "foo/bar"). But the problem is that there is no way to delete cache for home page because: 1) $this->output->delete_cache('/') — MD5 hash will be calculated for "http://site.com//" and cache file will not be deleted. 2) $this->output->delete_cache('') — MD5 hash will be calculated for "http://site.com/%CURRENT_PAGE%" and again, cache file will not be deleted. Trimming the beginning slash, we enable ability to delete cache for home page by calling $this->output->delete_cache('/'). Also, this method will work as specified in the documentation. | |||||
2015-04-23 | Output cache: Fixing a wrong timestamp. Credits to khoggatt (CodeIgniter forum). | Ivan Tcholakov | 1 | -1/+1 | |
2015-04-20 | [ci skip] Remove whitespace | Andrey Andreev | 1 | -1/+1 | |
2015-04-14 | Status Code Definitions | ftwbzhao | 1 | -0/+4 | |