simplified regex for _remove_invisible_characters() - since we rawurldecode() the string, there's no need to go looking for url encoded characters here
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index 5f47909..a2f1d00 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -829,12 +829,11 @@
if ( ! isset($non_displayables))
{
// every control character except newline (10), carriage return (13), and horizontal tab (09),
- // both as a URL encoded character (::shakes fist at IE and WebKit::), and the actual character
$non_displayables = array(
- '/%0[0-8]/', '/[\x00-\x08]/', // 00-08
- '/%11/', '/\x0b/', '/%12/', '/\x0c/', // 11, 12
- '/%1[4-9]/', '/%2[0-9]/', '/%3[0-1]/', // url encoded 14-31
- '/[\x0e-\x1f]/'); // 14-31
+ '/[\x00-\x08]/', // 00-08
+ '/\x0b/', '/\x0c/', // 11, 12
+ '/[\x0e-\x1f]/' // 14-31
+ );
}