From 3f6573b15c7395a76b9ee5e810331975baf080cf Mon Sep 17 00:00:00 2001 From: Florian Pritz Date: Thu, 18 Jul 2013 12:34:27 +0200 Subject: file/download: output html directly, don't use output class $this->output->parse_exec_vars is a protected variable so we can't access it like the documentation suggests (yes this is a bug that should be reported...), but even if it worked I'm not confident the output class should be trusted with arbitrary input. Upstream might at some point add another "feature" so this is the safe way to go. Signed-off-by: Florian Pritz --- application/controllers/file.php | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'application/controllers/file.php') diff --git a/application/controllers/file.php b/application/controllers/file.php index f2797e7e7..2ff774c8a 100644 --- a/application/controllers/file.php +++ b/application/controllers/file.php @@ -195,9 +195,12 @@ class File extends CI_Controller { Falling back to plain text.

"; } - $this->load->view($this->var->view_dir.'/html_header', $this->data); - $this->output->append_output($cached["output"]); - $this->load->view($this->var->view_dir.'/html_footer', $this->data); + // Don't use append_output because the output class does too + // much magic ({elapsed_time} and {memory_usage}). + // Direct echo puts us on the safe side. + echo $this->load->view($this->var->view_dir.'/html_header', $this->data, true); + echo $cached["output"]; + echo $this->load->view($this->var->view_dir.'/html_footer', $this->data, true); } private function _pygmentize($file, $lexer) -- cgit v1.2.3-24-g4f1b