added hyphens to allowed characters in GET keys and vals in submitted URLs in xss_clean()
diff --git a/system/libraries/Input.php b/system/libraries/Input.php
index e7bf727..98f2826 100644
--- a/system/libraries/Input.php
+++ b/system/libraries/Input.php
@@ -554,7 +554,7 @@
// 901119URL5918AMP18930PROTECT8198
- $str = preg_replace('|\&([a-z\_0-9]+)\=([a-z\_0-9]+)|i', $this->xss_hash()."\\1=\\2", $str);
+ $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash()."\\1=\\2", $str);
/*
* Validate standard character entities
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 89d779e..c8f16fa 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -83,6 +83,7 @@
<li>Fixed a bug in the Form Validation library where fields passed as rule parameters were not being translated (#9132)</li>
<li>Switched some DIR_WRITE_MODE constant uses to FILE_WRITE_MODE where files and not directories are being operated on.</li>
<li>Modified inflector helper to properly pluralize words that end in 'ch' or 'sh'</li>
+ <li>Fixed a bug in xss_clean() that was not allowing hyphens in query strings of submitted URLs.</li>
</ul>
<h2>Version 1.7.2</h2>