From 5ac428bea999a332b46b17fe26ee0045e5cfd39c Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Wed, 8 Jan 2014 16:07:31 +0200
Subject: Fix #148

CI_Input::_clean_input_data() assumed that all input data is URL-encoded while sanitizing it. However, PHP already performs URL-decoding on it, so this is either redudant or overly intrusive as it resulted in many, many reports of data containing '%' followed by 1 numeric characters being essentially destroyed.

Supersedes PR #1229
---
 system/core/Input.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'system')

diff --git a/system/core/Input.php b/system/core/Input.php
index ded462190..164867636 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -687,9 +687,11 @@ class CI_Input {
 // but that when present will trip our 'Disallowed Key Characters' alarm
 // http://www.ietf.org/rfc/rfc2109.txt
 // note that the key names below are single quoted strings, and are not PHP variables
-unset($_COOKIE['$Version']);
-unset($_COOKIE['$Path']);
-unset($_COOKIE['$Domain']);
+unset(
+$_COOKIE['$Version'],
+$_COOKIE['$Path'],
+$_COOKIE['$Domain']
+);
 
 foreach ($_COOKIE as $key => $val)
 {
@@ -756,7 +758,7 @@ class CI_Input {
 }
 
 // Remove control characters
-$str = remove_invisible_characters($str);
+$str = remove_invisible_characters($str, FALSE);
 
 // Should we filter the input data?
 if ($this->_enable_xss === TRUE)
-- 
cgit v1.2.3-24-g4f1b
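Review bot: The bare `FALSE` passed to `remove_invisible_characters()` in the second hunk changes what the sanitizer strips, but the only explanation lives in the commit message; the `// Remove control characters` comment above it should carry the reasoning so the next maintainer does not "fix" it back. Suggested wording: `// Remove control characters. PHP has already URL-decoded request data, so the encoded-form (%0x / %1x) pass is skipped to avoid mangling legitimate '%' sequences (see #148).` The caveat worth recording alongside it is that this relies on every value reaching _clean_input_data() having been URL-decoded first; if a caller ever feeds it a raw (undecoded) source, percent-encoded control characters would now pass through to the XSS filter unchanged, which I would hedge as a point to verify against the callers rather than a confirmed defect. The enclosing method starts and ends outside the hunk.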