From 21c3c22320a10d32054b251b24e5b1e569ddeabf Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Thu, 4 Dec 2014 12:10:00 +0200 Subject: [ci skip] Update on the changes from PR #3388 - Fixed a broken link - Added missing notes about deprecations in the upgrade instructions - Improved consistency with other deprecation notices in the docs --- user_guide_src/source/installation/upgrade_300.rst | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) (limited to 'user_guide_src/source/installation/upgrade_300.rst') diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 81340e6ad..ef85106b7 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -331,11 +331,14 @@ Usage of the ``EXT`` constant has been deprecated since dropping support for PHP longer a need to maintain different filename extensions and in this new CodeIgniter version, the ``EXT`` constant has been removed. Use just '.php' instead. -Smiley helper js_insert_smiley() -================================ +Smiley helper +============= -:doc:`Smiley Helper <../helpers/smiley_helper>` function ``js_insert_smiley()`` has been deprecated -since CodeIgniter 1.7.2 and is now removed. You'll need to switch to ``smiley_js()`` instead. +The :doc:`Smiley Helper <../helpers/smiley_helper>` is a legacy feature from EllisLab's +ExpressionEngine product. However, it is too specific for a general purpose framework like +CodeIgniter and as such it is now deprecated. + +Also, the previously deprecated ``js_insert_smiley()`` (since version 1.7.2) is now removed. The Encrypt library =================== 
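Review bot: the new Smiley helper paragraph in this hunk says the helper "is now deprecated" but, unlike the other deprecation notices in this file, gives no target version for removal; suggest closing the paragraph with a schedule such as "and scheduled for removal in CodeIgniter 3.1+" so readers can plan the migration. The last added line also drops the replacement that the removed text named: "You'll need to switch to ``smiley_js()`` instead." is worth keeping after "is now removed", since a reader hitting a fatal call to ``js_insert_smiley()`` needs to know what to call instead.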
@@ -355,6 +358,16 @@ implemented cryptographic functions. .. important:: You are strongly encouraged to switch to the new :doc:`Encryption Library <../libraries/encryption>` as soon as possible! +The Cart library +================ + +The :doc:`Cart Library <../libraries/cart>`, similarly to the :doc:`Smiley Helper +<../helpers/smiley_helper>` is too specific for CodeIgniter. It is now deprecated +and scheduled for removal in CodeIgniter 3.1+. + +.. note:: The library is still available, but you're strongly encouraged to remove its usage sooner + rather than later. + Database drivers 'mysql', 'sqlite', 'mssql', 'pdo/dblib' ======================================================== -- cgit v1.2.3-24-g4f1b From bfa233f559a50ee0674a209fa56f866edc814fd9 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 5 Dec 2014 12:00:11 +0200 Subject: Further changes related to issue #47, PR #3323 - Removed a test that was created specifically for the 'convert programmatic characters to entities' feature. - Changed filter_uri() to accept by reference and to not return anything as its only purpose now is to trigger a show_error() call. - Added changelog messages and updated the upgrade instructions. --- user_guide_src/source/installation/upgrade_300.rst | 28 +++++++++++++++++----- 1 file changed, 22 insertions(+), 6 deletions(-) (limited to 'user_guide_src/source/installation/upgrade_300.rst') diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index ef85106b7..2e9ee4e72 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst 
@@ -223,8 +223,24 @@ Otherwise however, please review your usage of the following functions: ``$_COOKIE`` and ``$_SERVER`` superglobals are no longer automatically overwritten when global XSS filtering is turned on. +************************************************* +Step 12: Check for potential XSS issues with URIs +************************************************* + +The :doc:`URI Library <../libraries/uri>` used to automatically convert +a certain set of "programmatic characters" to HTML entities when they +are encountered in a URI segment. + +This was aimed at providing some automatic XSS prodection, in addition +to the ``$config['permitted_uri_chars']`` setting, but has proven to be +problematic and is now removed in CodeIgniter 3.0. + +If your application has relied on this feature, you should update it to +filter URI segments through ``$this->security->xss_clean()`` whenever you +output them. + ******************************************************** -Step 12: Update usage of Input Class's get_post() method +Step 13: Update usage of Input Class's get_post() method ******************************************************** Previously, the :doc:`Input Class <../libraries/input>` method ``get_post()`` 
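Review bot: the closing advice of this hunk, to pass URI segments through ``$this->security->xss_clean()`` "whenever you output them", recommends a pattern-based filter where context-specific escaping is the correct primitive for output. A URI segment echoed into an HTML page should be escaped with ``html_escape()`` (or ``htmlspecialchars()``), which neutralises every character that can break out of the surrounding context rather than only the constructs the filter recognises; suggest rewording to "escape URI segments on output (for example with ``html_escape()``)" and mentioning ``xss_clean()`` only as an additional layer. Also, "prodection" in the second added paragraph should read "protection".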
@@ -235,14 +251,14 @@ A method has been added, ``post_get()``, which searches in POST then in GET, as ``get_post()`` was doing before. *********************************************************************** -Step 13: Update usage of Directory Helper's directory_map() function +Step 14: Update usage of Directory Helper's directory_map() function *********************************************************************** In the resulting array, directories now end with a trailing directory separator (i.e. a slash, usually). ************************************************************* -Step 14: Update usage of Database Forge's drop_table() method +Step 15: Update usage of Database Forge's drop_table() method ************************************************************* Up until now, ``drop_table()`` added an IF EXISTS clause by default or it didn't work @@ -264,7 +280,7 @@ If your application relies on IF EXISTS, you'll have to change its usage. all drivers with the exception of ODBC. *********************************************************** -Step 15: Change usage of Email library with multiple emails +Step 16: Change usage of Email library with multiple emails *********************************************************** The :doc:`Email Library <../libraries/email>` will automatically clear the @@ -279,7 +295,7 @@ pass FALSE as the first parameter in the ``send()`` method: } *************************************************** -Step 16: Update your Form_validation language lines +Step 17: Update your Form_validation language lines *************************************************** Two improvements have been made to the :doc:`Form Validation Library 
@@ -310,7 +326,7 @@ files and error messages format: later. **************************************************************** -Step 17: Remove usage of (previously) deprecated functionalities +Step 18: Remove usage of (previously) deprecated functionalities **************************************************************** In addition to the ``$autoload['core']`` configuration setting, there's a -- cgit v1.2.3-24-g4f1b From d5d4623f7f619c574c4b37b0e17e7fb76371ef59 Mon Sep 17 00:00:00 2001 From: albertleao Date: Tue, 16 Dec 2014 10:49:27 -0500 Subject: Fixed typo --- user_guide_src/source/installation/upgrade_300.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'user_guide_src/source/installation/upgrade_300.rst') diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 2e9ee4e72..549adfe6b 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -231,7 +231,7 @@ The :doc:`URI Library <../libraries/uri>` used to automatically convert a certain set of "programmatic characters" to HTML entities when they are encountered in a URI segment. -This was aimed at providing some automatic XSS prodection, in addition +This was aimed at providing some automatic XSS protection, in addition to the ``$config['permitted_uri_chars']`` setting, but has proven to be problematic and is now removed in CodeIgniter 3.0. -- cgit v1.2.3-24-g4f1b From 0823ed197254fbab0e6ceb0d0a9f237b315b313b Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Sat, 20 Dec 2014 00:40:03 +0200 Subject: [ci skip] Add missing upgrade step from 2.1.4 to 2.2.0 in the docs --- user_guide_src/source/installation/upgrade_300.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'user_guide_src/source/installation/upgrade_300.rst') 
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 549adfe6b..0aaadeebc 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -1,5 +1,5 @@ ############################# -Upgrading from 2.1.4 to 3.0.0 +Upgrading from 2.2.0 to 3.0.0 ############################# .. note:: These upgrade notes are for a version that is yet to be released. -- cgit v1.2.3-24-g4f1b From 40651ebf5e29fd4a17be2cd338e8d501d41b66b1 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 5 Jan 2015 17:23:13 +0200 Subject: Remove CI_Form_validation::xss_clean() More details in the commit diff itself, and here: https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/683#issuecomment-66598821 --- user_guide_src/source/installation/upgrade_300.rst | 37 +++++++++++++++++----- 1 file changed, 29 insertions(+), 8 deletions(-) (limited to 'user_guide_src/source/installation/upgrade_300.rst') diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 0aaadeebc..a95125666 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst 
@@ -239,8 +239,29 @@ If your application has relied on this feature, you should update it to filter URI segments through ``$this->security->xss_clean()`` whenever you output them. +**************************************************************** +Step 13: Check for usage of the 'xss_clean' Form validation rule +**************************************************************** + +A largely unknown rule about XSS cleaning is that it should *only be +applied to output*, as opposed to input data. + +We've made that mistake ourselves with our automatic and global XSS cleaning +feature (see step 13 above), so now in an effort to discourage that +practice, we're also removing 'xss_clean' from the officially supported +list of :doc:`form validation <../libraries/form_validation>` rules. + +Because the :doc:`Form Validation library <../libraries/form_validation>` +generally validates *input* data, the 'xss_clean' rule simply doesn't +belong in it. + +If you really, really need to apply that rule, you should now also load the +:doc:`Security Helper <../helpers/security_helper>`, which contains +``xss_clean()`` as a regular function and therefore can be also used as +a validation rule. + ******************************************************** -Step 13: Update usage of Input Class's get_post() method +Step 14: Update usage of Input Class's get_post() method ******************************************************** Previously, the :doc:`Input Class <../libraries/input>` method ``get_post()`` 
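Review bot: the cross-reference "(see step 13 above)" in the second added paragraph points at the step being added here (this heading is Step 13), so it is self-referential; the automatic and global XSS cleaning it means is covered in the earlier steps, and the reference should name that step by title or number. The step also states the principle correctly (cleaning belongs on output, not input) but never says what to do instead of the removed rule; suggest one sentence after "belong in it.", along the lines of "Validate input with the remaining rules and escape the value on output, for example with ``html_escape()``.", so that the only alternative offered is not the Security Helper workaround in the final paragraph.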
@@ -250,15 +271,15 @@ modified so that it searches in GET then in POST, as its name suggests. A method has been added, ``post_get()``, which searches in POST then in GET, as ``get_post()`` was doing before. -*********************************************************************** -Step 14: Update usage of Directory Helper's directory_map() function -*********************************************************************** +******************************************************************** +Step 15: Update usage of Directory Helper's directory_map() function +******************************************************************** In the resulting array, directories now end with a trailing directory separator (i.e. a slash, usually). ************************************************************* -Step 15: Update usage of Database Forge's drop_table() method +Step 16: Update usage of Database Forge's drop_table() method ************************************************************* Up until now, ``drop_table()`` added an IF EXISTS clause by default or it didn't work @@ -280,7 +301,7 @@ If your application relies on IF EXISTS, you'll have to change its usage. all drivers with the exception of ODBC. *********************************************************** -Step 16: Change usage of Email library with multiple emails +Step 17: Change usage of Email library with multiple emails *********************************************************** The :doc:`Email Library <../libraries/email>` will automatically clear the @@ -295,7 +316,7 @@ pass FALSE as the first parameter in the ``send()`` method: } *************************************************** -Step 17: Update your Form_validation language lines +Step 18: Update your Form_validation language lines *************************************************** Two improvements have been made to the :doc:`Form Validation Library 
@@ -326,7 +347,7 @@ files and error messages format: later. **************************************************************** -Step 18: Remove usage of (previously) deprecated functionalities +Step 19: Remove usage of (previously) deprecated functionalities **************************************************************** In addition to the ``$autoload['core']`` configuration setting, there's a -- cgit v1.2.3-24-g4f1b From 2b5682d4f39f7d16ce47e2f45ea19ffab615cc60 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 5 Jan 2015 21:02:52 +0200 Subject: [ci skip] Fix improper wording in upgrade notes --- user_guide_src/source/installation/upgrade_300.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'user_guide_src/source/installation/upgrade_300.rst') diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index a95125666..c84d16b31 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -247,7 +247,7 @@ A largely unknown rule about XSS cleaning is that it should *only be applied to output*, as opposed to input data. We've made that mistake ourselves with our automatic and global XSS cleaning -feature (see step 13 above), so now in an effort to discourage that +feature (see previous step about XSS above), so now in an effort to discourage that practice, we're also removing 'xss_clean' from the officially supported list of :doc:`form validation <../libraries/form_validation>` rules. -- cgit v1.2.3-24-g4f1b
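Review bot: "see previous step about XSS above" in the replacement line is still ambiguous, because two preceding steps concern XSS: the step immediately before this one is about URI segments, while the "automatic and global XSS cleaning feature" the sentence refers to is the global XSS filtering of the superglobals described in the step before that. Suggest referring to the step by its title, e.g. "(see the step on global XSS filtering above)", which also survives any further renumbering of the headings.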