From e6a5f797de7381791537b736eb83b71c6fb28b39 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 7 Mar 2016 11:34:43 +0200 Subject: [ci skip] Fix Profiler not applying htmlspecialchars() to all inputs --- system/libraries/Profiler.php | 44 +++++++++++++++---------------------- user_guide_src/source/changelog.rst | 1 + 2 files changed, 19 insertions(+), 26 deletions(-) diff --git a/system/libraries/Profiler.php b/system/libraries/Profiler.php index cc7641436..cf455d3da 100644 --- a/system/libraries/Profiler.php +++ b/system/libraries/Profiler.php @@ -314,12 +314,14 @@ class CI_Profiler { foreach ($_GET as $key => $val) { - is_int($key) OR $key = "'".$key."'"; + is_int($key) OR $key = "'".htmlspecialchars($key, ENT_QUOTES, config_item('charset'))."'"; + $val = (is_array($val) OR is_object($val)) + ? '
'.htmlspecialchars(print_r($val, TRUE), ENT_QUOTES, config_item('charset'))
+					: htmlspecialchars($val, ENT_QUOTES, config_item('charset'));
 
 				$output .= '$_GET['
 					.$key.']   '
-					.((is_array($val) OR is_object($val)) ? '
'.htmlspecialchars(stripslashes(print_r($val, TRUE))).'
' : htmlspecialchars(stripslashes($val))) - ."\n"; + .$val."\n"; } $output .= "\n"; @@ -352,36 +354,26 @@ class CI_Profiler { foreach ($_POST as $key => $val) { - is_int($key) OR $key = "'".$key."'"; + is_int($key) OR $key = "'".htmlspecialchars($key, ENT_QUOTES, config_item('charset'))."'"; + $val = (is_array($val) OR is_object($val)) + ? '
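Review bot: The array/object branch of the new `$val = ...` expression in the `$_GET` loop has a string literal before `htmlspecialchars(print_r($val, TRUE), ...)` but none after it, whereas the removed line had a literal on both sides. The contents of those literals are not readable in this rendering; if they were an opening and closing tag pair, the element is now left unclosed and the rest of the profiler output would render inside it. Re-append the closing literal after the call, `...config_item('charset')).'<closing tag>'` (placeholder, the original text is not visible here). The same expression is repeated in the `$_POST` and `$_FILES` loops of the next hunk, and the enclosing method starts and ends outside this hunk.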
'.htmlspecialchars(print_r($val, TRUE), ENT_QUOTES, config_item('charset'))
+					: htmlspecialchars($val, ENT_QUOTES, config_item('charset'));
 
 				$output .= '$_POST['
-					.$key.']   ';
-
-				if (is_array($val) OR is_object($val))
-				{
-					$output .= '
'.htmlspecialchars(stripslashes(print_r($val, TRUE))).'
'; - } - else - { - $output .= htmlspecialchars(stripslashes($val)); - } - - $output .= "\n"; + .$key.']   ' + .$val."\n"; } foreach ($_FILES as $key => $val) { - is_int($key) OR $key = "'".$key."'"; + is_int($key) OR $key = "'".htmlspecialchars($key, ENT_QUOTES, config_item('charset'))."'"; + $val = (is_array($val) OR is_object($val)) + ? '
'.htmlspecialchars(print_r($val, TRUE), ENT_QUOTES, config_item('charset'))
+					: htmlspecialchars($val, ENT_QUOTES, config_item('charset'));
 
 				$output .= '$_FILES['
-					.$key.']   ';
-
-				if (is_array($val) OR is_object($val))
-				{
-					$output .= '
'.htmlspecialchars(stripslashes(print_r($val, TRUE))).'
'; - } - - $output .= "\n"; + .$key.']   ' + .$val."\n"; } $output .= "\n"; @@ -465,7 +457,7 @@ class CI_Profiler { foreach (array('HTTP_ACCEPT', 'HTTP_USER_AGENT', 'HTTP_CONNECTION', 'SERVER_PORT', 'SERVER_NAME', 'REMOTE_ADDR', 'SERVER_SOFTWARE', 'HTTP_ACCEPT_LANGUAGE', 'SCRIPT_NAME', 'REQUEST_METHOD',' HTTP_HOST', 'REMOTE_HOST', 'CONTENT_TYPE', 'SERVER_PROTOCOL', 'QUERY_STRING', 'HTTP_ACCEPT_ENCODING', 'HTTP_X_FORWARDED_FOR', 'HTTP_DNT') as $header) { - $val = isset($_SERVER[$header]) ? $_SERVER[$header] : ''; + $val = isset($_SERVER[$header]) ? htmlspecialchars($_SERVER[$header], ENT_QUOTES, config_item('charset')) : ''; $output .= '' .$header.'  '.$val."\n"; } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 12d1fc4a3..4f2bfc04e 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -39,6 +39,7 @@ Bug fixes for 3.0.5 - Fixed a bug where :doc:`Session Library ` didn't clean-up internal variables for emulated locks with the 'memcached' driver. - Fixed a bug where :doc:`Database ` transactions didn't work with the 'ibase' driver. - Fixed a bug (#4475) - :doc:`Security Library ` method ``strip_image_tags()`` preserves only the first URL character from non-quoted *src* attributes. +- Fixed a bug where :doc:`Profiler Library ` didn't apply ``htmlspecialchars()`` to all displayed inputs. Version 3.0.4 ============= -- cgit v1.2.3-24-g4f1b
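Review bot: With only `ENT_QUOTES` set, `htmlspecialchars()` returns an empty string when its input contains a byte sequence that is invalid for the given charset, so a malformed `$_POST` key or value appears blank in the profiler instead of escaped. That hides exactly the unusual request a developer reading the profiler output would want to see. Where the supported PHP versions allow it (the flag exists from PHP 5.4; the project's minimum is not visible here), pass `ENT_QUOTES | ENT_SUBSTITUTE` so invalid bytes are replaced rather than the whole value dropped. The same applies to the `$_GET` loop in the previous hunk and the `$_SERVER` loop in the next one.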
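Review bot: The header list on the `foreach` line contains `' HTTP_HOST'` with a leading space inside the quotes, as shown here, so `isset($_SERVER[$header])` is never true for that entry and the Host header always displays as empty. This is on an unchanged context line, but since the commit touches the loop body it would be a good moment to correct it to `'HTTP_HOST'`. The Host header is client-supplied, and the `htmlspecialchars()` call added in this hunk would cover it once the key matches.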