| field | value | date |
|---|---|---|
| author | Andy Staudacher <andy.st@gmail.com> | 2009-09-04 10:11:42 -0700 |
| committer | Andy Staudacher <andy.st@gmail.com> | 2009-09-04 10:11:42 -0700 |
| commit | c453c0ef8239bc79e484dd3feb9e275e942e9d48 | |
| tree | 1c2253016c217462df2cb87fc74fcfff497bac7a /system/core/utf8/substr.php | |
| parent | 1ffb5b24dff439b4a3e9e7f2df3af1a0f8e9e5a0 | |
Simplifying SafeString a bit: from an XSS HTML security point of view, treat clean() and purify() the same.
No longer run a safe HTML string through the HTML purifier (since it's already marked as safe).
This also addresses the issue of calling purify() when no purifier is installed. In that case, we'd run clean() on a clean string (double HTML encoding).
If this approach doesn't work out, we can still modify the fallback code of purify() to check if the string is already clean before calling clean() instead of purify().
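As an added illustration of the behaviour the commit message describes (this is example code written for this page, not the project's own SafeString implementation), the PHP class below carries a single "safe" flag that clean() and purify() both honour: a string that has already been escaped or purified is never encoded a second time, and when no purifier is installed purify() degrades to clean() exactly once instead of escaping an already-clean string. The class name, the purifier callable, the method names beyond clean() and purify(), and the sample inputs are assumptions made for the example.

```php
<?php
// Example only: a minimal safe-string wrapper, not the project's SafeString.php.
// Assumptions: class/method names other than clean()/purify(), the purifier
// callable, and the sample inputs below are all constructed for this example.

final class SafeString
{
    private string $value;
    private bool $safe;

    // Optional purifier: a callable taking raw HTML and returning safe HTML.
    // Null models the "no purifier installed" case from the commit message.
    private static $purifier = null;

    private function __construct(string $value, bool $safe)
    {
        $this->value = $value;
        $this->safe = $safe;
    }

    public static function of($value): self
    {
        return $value instanceof self ? $value : new self((string) $value, false);
    }

    // Trust boundary: only call this on HTML that really is safe already.
    public static function of_safe_html(string $html): self
    {
        return new self($html, true);
    }

    public static function set_purifier(?callable $purifier): void
    {
        self::$purifier = $purifier;
    }

    // Escape as text. Already-safe input passes through untouched; that is what
    // prevents the double HTML encoding the commit message describes.
    public function clean(): self
    {
        if ($this->safe) {
            return $this;
        }
        return new self(htmlspecialchars($this->value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), true);
    }

    // Sanitise as HTML. Safe input is returned as-is; otherwise use the purifier
    // if one is installed, else fall back to clean() (escape everything).
    public function purify(): self
    {
        if ($this->safe) {
            return $this;
        }
        if (self::$purifier !== null) {
            return new self((string) call_user_func(self::$purifier, $this->value), true);
        }
        return $this->clean();
    }

    public function for_html(): string
    {
        return $this->safe ? $this->value : $this->clean()->value;
    }

    public function __toString(): string
    {
        return $this->for_html();
    }
}

// Constructed sample input: a classic attribute-based XSS payload.
$attack = '<img src=x onerror="alert(1)">';

// 1. No purifier installed: purify() falls back to clean() exactly once, and
//    further purify()/clean() calls on the result are no-ops.
SafeString::set_purifier(null);
$once  = SafeString::of($attack)->purify();
$twice = $once->purify()->clean();
assert((string) $once === '&lt;img src=x onerror=&quot;alert(1)&quot;&gt;');
assert((string) $twice === (string) $once);   // no &amp;lt; double encoding

// 2. A purifier installed (stand-in for a real HTML purifier: keep only <b>/<i>).
SafeString::set_purifier(function (string $html): string {
    return strip_tags($html, '<b><i>');
});
$post = SafeString::of('<b>bold</b><script>alert(1)</script>')->purify();
assert((string) $post === '<b>bold</b>alert(1)');
// Once marked safe, clean() no longer touches the purified markup.
assert((string) $post->clean() === '<b>bold</b>alert(1)');

echo $once, "\n", $post, "\n";
```

The security-relevant consequence of treating clean() and purify() the same is that the safe flag is the only thing standing between a string and the page: whatever path sets it (escaping, purification, or a caller asserting "this is safe HTML") is the trust decision, so the of_safe_html() constructor above is the place to audit, not the encoders.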
Diffstat (limited to 'system/core/utf8/substr.php')
0 files changed, 0 insertions, 0 deletions
