summaryrefslogtreecommitdiffstats
path: root/system
AgeCommit message (Collapse)AuthorFilesLines
2015-10-31Harden xss_clean()Andrey Andreev1-27/+39
2015-10-30Fix #4192Andrey Andreev1-5/+8
2015-10-30Fix #3201Andrey Andreev1-1/+6
2015-10-19Fix #4171 and a number of other transaction bugsAndrey Andreev13-354/+162
2015-10-19Fix #4173Andrey Andreev1-1/+7
This reverts commit 7cc6cea2d421862726081a39e932dbceeefcc775 from PR #3968. At the time this seemed logical, but turns out it breaks the ability to create non-PRIMARY composite keys, so ...
2015-10-18Fix #4179Andrey Andreev1-0/+4
2015-10-13[ci skip] Fix #4170Andrey Andreev1-3/+1
2015-10-12Merge branch '3.0-stable' into developAndrey Andreev16-177/+240
2015-10-12[ci skip] This is 3.0.3-devAndrey Andreev1-1/+1
2015-10-12Optimize csv_from_result speed.Ahmad Anbar1-2/+3
2015-10-10Optimize csv_from_result speed.Ahmad Anbar1-2/+3
2015-10-08[ci skip] Prepare 3.0.2 releaseAndrey Andreev1-1/+1
2015-10-05Some more intrusive XSS cleaningAndrey Andreev1-5/+11
2015-10-05Close #4155Andrey Andreev1-1/+1
2015-10-02More XSS stuffAndrey Andreev1-1/+1
2015-09-29Merge pull request #4126 from zoaked/patch-1Andrey Andreev1-1/+0
Persist config file rules when using FV reset_validation()
2015-09-26Removing config_rules from reset_validationzoaked1-6/+1
Signed-off-by: Junior Asparagus<zoaked@hotmail.com>
2015-09-24Fix #4137Andrey Andreev1-1/+1
2015-09-22Styling changeszoaked1-3/+5
2015-09-21More XSS stuffAndrey Andreev1-3/+3
2015-09-21Switch from saving copy of config to reset method parameterzoaked1-4/+5
2015-09-20Persist config file settings when resetting form_validationzoaked1-2/+3
When checking multiple arrays using form_validation you have to call reset_validation between each separate check due to the instance of the library being a singleton. The issue comes in when the settings are loaded from a config file as they are initially loaded from a parameter in the constructor, but are set to an empty array when resetting the class. To get around this issue a copy of the config parameter is made and then the copy is used to reset the rules when clearing.
2015-09-17Don't allow open-ended tags to pass through xss_clean()Andrey Andreev1-4/+9
This was a regression caused by the previous commit
2015-09-17Refactor 'evil attributes' sanitization logicAndrey Andreev1-92/+66
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes().
2015-09-16Fix #4116Andrey Andreev1-6/+6
Close #4117
2015-09-16Fix #4120Andrey Andreev1-3/+13
2015-09-15Missing character in the evil attributes patternAndrey Andreev1-1/+1
2015-09-14Another addition to tag detection patterns in xss_clean()Andrey Andreev1-1/+4
2015-09-14Close #4098Andrey Andreev1-2/+18
2015-09-14Fix #4032Andrey Andreev1-5/+8
2015-09-14Fix #4044Andrey Andreev1-5/+5
2015-09-14Fix #4109Andrey Andreev1-20/+22
2015-09-14Add 'eval' to a JS blacklist in xss_clean()Andrey Andreev1-7/+10
2015-09-14Move _remove_evil_attributes() callAndrey Andreev1-4/+3
2015-09-11Harden xss_clean() moreAndrey Andreev1-5/+37
This time eliminate false positives for the 'naughty html' logic.
2015-09-11Improve on previous commitAndrey Andreev1-1/+1
2015-09-11Replace the latest XSS patchesAndrey Andreev1-9/+21
This one fixes yet another issue, is cleaner and faster.
2015-09-10Last commit didn't adjust a RE indexAndrey Andreev1-1/+1
2015-09-10Fix & extend 700619cebf75c4e4fcda6a2d7bea1afb84a029e4Andrey Andreev1-2/+2
2015-09-10Change form validation library to allow the pipe character within square ↵rich1-1/+1
brackets
2015-09-10Fix #4106Andrey Andreev1-2/+2
2015-09-09Change form validation library to allow the pipe character within square ↵rich1-1/+1
brackets
2015-09-07Remove unnecessary count() calls from _sanitize_globals()Andrey Andreev1-3/+3
foreach() just won't execute for an empty array, it does that check internally.
2015-09-07Move csrf_verify() call out of _sanitize_globals()Andrey Andreev1-6/+6
It doesn't belong in there.
2015-09-03Fix #4096Andrey Andreev1-1/+1
2015-09-01Fix #4093Andrey Andreev1-1/+1
2015-09-01There was an extra = sign in this fileMarco Monteiro1-1/+1
2015-08-31[ci skip] Fix #4091Andrey Andreev1-1/+1
2015-08-31Fix #4086Andrey Andreev1-13/+13
2015-08-31Fix #4073Andrey Andreev1-7/+16