summaryrefslogtreecommitdiffstats
path: root/system/libraries/Input.php
AgeCommit message (Collapse)AuthorFilesLines
2009-02-05replaced $this->config-> with $CFG-> in ip_address()Derek Jones1-2/+4
2009-02-04added proxy_ips config item to whitelist reverse proxy servers to use the ↵Derek Jones1-2/+9
HTTP_X_FORWARDED_FOR header safely to determine the visitor's IP address
2009-02-04improvements to xss_clean()Derek Jones1-5/+6
2008-12-05fixed a bug where whitespace would be lost if a string was forced into a ↵Derek Jones1-1/+1
character entity e.g. &foo you know? would become &foo;you know? instead of &foo; you know?
2008-11-13Changing EOL style to LFDerek Allard1-1058/+1058
2008-11-12Propset eol-style to CRLFDerek Jones1-1058/+1058
simplified paragraph tag cleanup regex
2008-11-05whitespaceDerek Allard1-1058/+1058
2008-10-17syntax simplification for testing first character of stringDerek Jones1-1/+1
if (substr($ip_segments[0], 0, 1) == '0') to if ($ip_segments[0][0] == '0')
2008-10-17added validation of IP segments to make sure they aren't empty, e.g. 127.0..1Derek Jones1-1/+1
-Derek
2008-10-17removed a globalRick Ellis1-1/+1
2008-10-07syntax errorDerek Jones1-1/+1
2008-10-07unset $Version, $Path, and $Domain cookie keys, to prevent Disallowed Key ↵Derek Jones1-0/+8
Characters from halting app execution on environments which improperly set these as keys
2008-09-13(no commit message)Rick Ellis1-1/+1
2008-09-04removed random invisible character (ASCII 194) from HTML and PHP filesDerek Jones1-3/+3
2008-08-27added isindex to the list of naughty never allowed tags in xss_clean()Derek Jones1-1/+1
2008-08-27modified regex for image tag sanitization to retain trailing space and ↵Derek Jones1-1/+1
closing slash to remain valid XHTML
2008-08-15changed entity standardization to require at least two characters after an ↵Derek Jones1-1/+1
ampersand before forcing a semi-colon
2008-07-03re-included URL encoded characters within _remove_invisible_characters() ↵Derek Jones1-1/+3
which were mistakenly pulled out in a previous commit, not released
2008-07-03changed link and image regex to be more precise in matching tags, reducing ↵Derek Jones1-3/+3
false positive matches
2008-07-01Changed regex for onfoo event handlers to prevent unwanted matching of text ↵Derek Jones1-4/+4
such as locatiON, cONtent, etc.
2008-06-30whitespaceDerek Jones1-1/+0
2008-06-30simplified regex for _remove_invisible_characters() - since we ↵Derek Jones1-5/+4
rawurldecode() the string, there's no need to go looking for url encoded characters here
2008-06-25fixed accidental removal of $converted_string in xss_clean() for image ↵Derek Jones1-0/+5
comparison
2008-06-25added a bit of leeway for images to avoid the more common false-positives ↵Derek Jones1-2/+11
that using xss_clean() on image files might trigger
2008-06-25Further improvements to xss_clean()Derek Jones1-47/+83
2008-06-20Added get_post() to the Input class.Derek Allard1-0/+22
Documented get() in the Input class.
2008-06-04picky picky Jones adjusts some syntaxDerek Jones1-2/+1
2008-06-04a few tweaks for speedDerek Allard1-3/+4
2008-06-04simplified and refactored input filtering and retrievalDerek Jones1-97/+32
2008-06-04emendation to on* event handler removalDerek Jones1-3/+2
2008-05-30decided just to kill all on*= event handlers, rather than trying to keep up ↵Derek Jones1-2/+2
with (and require users to do the same) with a blacklist.
2008-05-30moved word compacting to a callback for clarity, added a few js event ↵Derek Jones1-3/+20
handlers for removal
2008-05-21more complete protection against malformed link tags to protect against hex ↵Derek Jones1-13/+25
entities and href=data:url exploits
2008-05-20improved security in xss_clean(), added <audio> and <video> tags to naughty ↵Derek Jones1-22/+14
HTML tags, and the HTML5 event handlers onerror and onended
2008-05-15addition xss protection against certain data urls, stripping of anything ↵Derek Jones1-2/+12
sent with utf-7 encoding
2008-05-15added ability to use xss_clean() to test images, and improved security for ↵Derek Jones1-37/+49
vectors particular to the Opera family of browsers
2008-05-13Hey you! Yeah, you, that other set of hardcoded arrays in xss_clean(). ↵Derek Jones1-21/+3
You're coming with me, pal!
2008-05-13increased security and performance of xss_clean(), added ↵Derek Jones1-24/+56
_sanitize_naughty_html() callback and removed "never allowed" items to a class property
2008-05-13Some sweeping syntax changes for consistency:Derek Jones1-15/+21
(! foo) changed to ( ! foo) || changed to OR changed newline standardization code in various places from preg_replace to str_replace
2008-05-12fixed a misspelling in the Input library of CDATADerek Allard1-1/+1
2008-05-12removed an ereg from configDerek Allard1-110/+112
added a qualifier to a str_replace for \t in Input changed substr to strncmp in Codeigniter.php and directory_map function added braces in an if statement of unit test Removed "scripts" from the auto-load search path. Scripts were deprecated in Version 1.4.1 (September 21, 2006). If you still need to use them for legacy reasons, they must now be manually loaded in each Controller.
2008-05-12Added protection in xss_clean() for GET variables in URLsDerek Jones1-3/+55
http://codeigniter.com/bug_tracker/bug/4167/
2008-05-11Removed closing PHP tags, replaced with a comment block identifying the end ↵Derek Jones1-1/+3
of the file
2008-05-11Undoing change committed in r1115Derek Jones1-0/+1
2008-05-11removed closing PHP tag from all framework filesDerek Jones1-1/+0
2008-05-05Added get_dir_file_info(), get_file_info(), and get_mime_by_extension() to ↵Derek Allard1-11/+11
the File Helper. Changed ( ! condition) into (! condition) within the code
2008-02-05* Fixed a bug (#3396) where certain POST variables would cause a PHP warning.Derek Jones1-6/+15
* Added $_SERVER, $_FILES, $_ENV, and $_SESSION to sanitization of globals.
2008-02-04changed URL decoding implementation of xss_clean() to use rawurldecode() to ↵Derek Jones1-6/+3
discontinue misconversion of characters to bad entities, and to continue avoidance of unwanted removal of + signs
2008-01-24added CI's global variables to the protected array in_sanitize_globals()Derek Jones1-3/+4
2008-01-21replaced www.codeigniter.com with codeigniter.comDerek Jones1-3/+3