Fix #148
CI_Input::_clean_input_data() assumed that all input data is URL-encoded while sanitizing it.
However, PHP already performs URL-decoding on it, so this is either redudant or overly
intrusive as it resulted in many, many reports of data containing '%' followed by 1 numeric
characters being essentially destroyed.
Supersedes PR #1229
diff --git a/system/core/Input.php b/system/core/Input.php
index ded4621..1648676 100644
--- a/system/core/Input.php
+++ b/system/core/Input.php
@@ -687,9 +687,11 @@
// but that when present will trip our 'Disallowed Key Characters' alarm
// http://www.ietf.org/rfc/rfc2109.txt
// note that the key names below are single quoted strings, and are not PHP variables
- unset($_COOKIE['$Version']);
- unset($_COOKIE['$Path']);
- unset($_COOKIE['$Domain']);
+ unset(
+ $_COOKIE['$Version'],
+ $_COOKIE['$Path'],
+ $_COOKIE['$Domain']
+ );
foreach ($_COOKIE as $key => $val)
{
@@ -756,7 +758,7 @@
}
// Remove control characters
- $str = remove_invisible_characters($str);
+ $str = remove_invisible_characters($str, FALSE);
// Should we filter the input data?
if ($this->_enable_xss === TRUE)
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 49ca395..af9dcb0 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -645,6 +645,7 @@
- Fixed a bug (#2268) - :doc:`Security Library <libraries/security>` didn't properly match JavaScript events.
- Fixed a bug (#2143) - :doc:`Form Validation Library <libraries/form_validation>` didn't check for rule groups named in a *controller/method* manner when trying to load from a config file.
- Fixed a bug (#2762) - :doc:`Hooks Class <general/hooks>` didn't properly check if the called class/function exists.
+- Fixed a bug (#346) - while sanitizing input data, ``CI_Input::_clean_input_data()`` assumed that it is URL-encoded, stripping certain character sequences from it.
Version 2.1.4
=============