Matt Pass
f9418db57f
Check if string is strict UTF8 and if not encode
Handles other ISO formatted filetypes this way
2015-07-30 19:19:55 +01:00
Matt Pass
67d44e56bb
Don't set cookie_path or use strict mode
Using cookie_path on IE has an issue and causes session issues, then CSRF issues
Stop using strict_mode as it causes a problem on some setups
Add notes to these and httponly re IE and PHP version
2015-04-25 11:53:53 +01:00
Matt Pass
d320bb7172
Format tweak only
2015-04-25 10:50:00 +01:00
Andrey Grinenko
8f1cca087b
Session fixation fix - the previous version did not let me in, because it regenerated the session before even trying to start the old one and check whether it is valid or not.
I've also added session regeneration on login, which is good practice to prevent session fixation.
2015-02-21 02:58:44 +03:00
Matt Pass
9cb89463bb
Missing ]
2015-01-26 09:10:23 +00:00
Matt Pass
3a48fd9cdd
$docRoot not always available
2015-01-25 14:08:19 +00:00
Matt Pass
c4bba758c7
Get path from root plus up 1 dir
2015-01-25 14:04:20 +00:00
Matt Pass
47263bdbed
Redone session params
No longer using the session_start_safe() function because it caused more usage problems than it solved. Setting a load of new params now to give a much better setup.
2015-01-23 08:24:20 +00:00
Martin Naumann
4a1ba5dfe3
Using reworked version from @mattpass
2014-12-01 19:44:21 +01:00
Martin Naumann
6861fa9ced
Re-adding the session_cookie_params
2014-12-01 19:43:07 +01:00
Martin N.
29857e7d70
Using a custom session_start_safe
This fixes path issues, where the session directory ends up not writeable.
2014-12-01 16:45:49 +01:00
Martin Naumann
36b20938b7
Using httpOnly session cookie
2014-12-01 10:34:13 +01:00
Matt Pass
5ce3a9912c
Bad URL on logout and die to go no further
Location shouldn't contain the dirname of the file or a loggedOut param (with no CSRF!) - all unnecessary and causes problems.
Also add a die() after the header location to go no further.
2014-11-26 10:02:33 +00:00
Matt Pass
505f5b35c7
Only use if we have text available & logout fix
2014-11-26 09:33:10 +00:00
Matt Pass
9ea459787e
Polyfill added for array_replace_recursive
This is natively available in PHP 5.3+
2014-10-24 09:23:52 +01:00
Matt Pass
a029eceb9d
Set session_save_path & fix logout URL
Some hosts have a loop around issue with no session being available after a header location redirect.
After much research, I've found this is due to some hosts not having a session save path and it needs to be set using PHP.
Setting this means ICEcoder works on those few hosts.
Fix to bad URL on logout.
2014-09-29 10:55:46 +01:00
Matt Pass
0d4ca6a483
Final language replacement placeholders
2014-08-21 14:29:11 +01:00
Matt Pass
8ec0d518ad
Largely adjusted XSS protection
Adjusted to match that implemented by Ashar Javed (https://twitter.com/soaj1664ashar , demo: http://xssplaygroundforfunandlearn.netai.net/final.html ). Was unbreakable against 78k XSS attempts, so seems very solid.
2014-06-27 11:22:32 +01:00
Matt Pass
a470daf9f5
No need for other chars to be replaced
Impossible to output an XSS without < or > alone
2014-05-03 14:13:48 +01:00
Matt Pass
75885aecf5
strClean now replaces javascript:
htmlentities doesn't cover : and str_replace on : is too vague
regex is case insensitive
2014-04-26 12:25:12 +01:00
Matt Pass
9a2881cd7b
Remove comma
2014-04-24 12:10:17 +01:00
Matt Pass
c88d4f46e3
Rewrite of xssClean function to be neater
2014-04-23 07:41:30 +01:00
Matt Pass
d6a7db8f3e
xssClean function added
Had 4 different contexts, the first 2 alter parts of strings, the last 2 remove those parts.
2014-04-22 08:05:40 +01:00
Matt Pass
6030e9a4ca
This is now set, in headers.php
2014-04-18 17:59:27 +01:00
Matt Pass
03c0842ba2
Common settings/functions now in own file
2014-01-11 15:14:04 +00:00