simplified regex for _remove_invisible_characters() - since we rawurldecode() the string, there's no need to go looking for url encoded characters here
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 5f47909..a2f1d00 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -829,12 +829,11 @@
if ( ! isset($non_displayables))
{
// every control character except newline (10), carriage return (13), and horizontal tab (09),
- // both as a URL encoded character (::shakes fist at IE and WebKit::), and the actual character
$non_displayables = array(
- '/%0[0-8]/', '/[\x00-\x08]/', // 00-08
- '/%11/', '/\x0b/', '/%12/', '/\x0c/', // 11, 12
- '/%1[4-9]/', '/%2[0-9]/', '/%3[0-1]/', // url encoded 14-31
- '/[\x0e-\x1f]/'); // 14-31
+ '/[\x00-\x08]/', // 00-08
+ '/\x0b/', '/\x0c/', // 11, 12
+ '/[\x0e-\x1f]/' // 14-31
+ );
}
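Review bot: The comment at the top of the block still says "every control character except newline, carriage return and tab", but the new patterns only cover \x00-\x08, \x0b, \x0c and \x0e-\x1f, so DEL (\x7f) is never matched; that gap predates this change, and if it is unintended the last pattern could become `'/[\x0e-\x1f\x7f]/'`. Dropping the `%xx` forms is correct only if the string is decoded before this block runs, as the commit message says; that precondition is not visible in the hunk, so it deserves a line in the comment, e.g. `// assumes the string has already been rawurldecode()'d, so only literal control characters are matched here`, to keep a later reordering of the function from silently reopening the gap. A single decode also leaves doubly-encoded sequences as literal text such as `%0a`, which the old `%` patterns would have stripped and these no longer do; whether that matters depends on what downstream code does with the value, which is outside the hunk. _remove_invisible_characters() starts and ends outside the hunk.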
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 8149b7c..6697856 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -63,7 +63,11 @@
SVN Revision: XXXX</p>
<ul>
- <li>No significant changes yet</li>
+ <li>Other changes
+ <ul>
+ <li>Improved performance and accuracy of xss_clean() (no changes to security)</li>
+ </ul>
+ </li>
</ul>
<h3>Bug fixes for 1.6.4</h3>