diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4d333c153241..23c77082242e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## [v4.1.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.7) (2022-01-09)
+
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.6...v4.1.7)
+
+**Breaking Changes**
+
+* fix: replace deprecated FILTER_SANITIZE_STRING by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/5555
+
+**Fixed Bugs**
+
+* fix: BaseConnection::getConnectDuration() number_format(): Passing null to parameter by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/5536
+* Fix: Debug toolbar selectors by @iRedds in https://github.com/codeigniter4/CodeIgniter4/pull/5544
+* Fix: Toolbar. ciDebugBar.showTab() context. by @iRedds in https://github.com/codeigniter4/CodeIgniter4/pull/5554
+* Refactor Database Collector display by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/5553
+
 ## [v4.1.6](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.6) (2022-01-03)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.5...v4.1.6)
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
index bcce77f1f853..ed4e500466f6 100644
--- a/system/CodeIgniter.php
+++ b/system/CodeIgniter.php
@@ -45,7 +45,7 @@ class CodeIgniter
 /**
 * The current version of CodeIgniter Framework
 */
-public const CI_VERSION = '4.1.6';
+public const CI_VERSION = '4.1.7';
 
 private const MIN_PHP_VERSION = '7.3';
 
diff --git a/system/Helpers/cookie_helper.php b/system/Helpers/cookie_helper.php
index e47a86356dbf..51a746c5395b 100755
--- a/system/Helpers/cookie_helper.php
+++ b/system/Helpers/cookie_helper.php
@@ -65,7 +65,7 @@ function get_cookie($index, bool $xssClean = false)
 {
 $prefix = isset($_COOKIE[$index]) ? '' : config(App::class)->cookiePrefix;
 $request = Services::request();
-$filter = $xssClean ? FILTER_SANITIZE_STRING : FILTER_DEFAULT;
+$filter = $xssClean ? FILTER_SANITIZE_FULL_SPECIAL_CHARS : FILTER_DEFAULT;
 
 return $request->getCookie($prefix . $index, $filter);
 }
diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
index 8a54083777d3..74e782cb3508 100644
--- a/user_guide_src/source/changelogs/index.rst
+++ b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
 :titlesonly:
 
+ v4.1.7
 v4.1.6
 v4.1.5
 v4.1.4
diff --git a/user_guide_src/source/changelogs/v4.1.7.rst b/user_guide_src/source/changelogs/v4.1.7.rst
new file mode 100644
index 000000000000..5c9d07357858
--- /dev/null
+++ b/user_guide_src/source/changelogs/v4.1.7.rst
@@ -0,0 +1,35 @@
+Version 4.1.7
+#############
+
+Release Date: January 9, 2022
+
+**4.1.7 release of CodeIgniter4**
+
+.. contents::
+ :local:
+ :depth: 2
+
+BREAKING
+********
+
+- Because ``FILTER_SANITIZE_STRING`` is deprecated since PHP 8.1, ``get_cookie()`` that uses it when ``$xssClean`` is true changed the output. Now it uses ``FILTER_SANITIZE_FULL_SPECIAL_CHARS``. Note that using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
+
+Enhancements
+************
+
+none.
+
+Changes
+*******
+
+none.
+
+Deprecations
+************
+
+none.
+
+Bugs Fixed
+**********
+
+See the repo's `CHANGELOG.md `_ for a complete list of bugs fixed.
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
index 0d5246a4aaaa..60a34e9c178b 100644
--- a/user_guide_src/source/conf.py
+++ b/user_guide_src/source/conf.py
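Review bot: The new `$filter` line changes what `$xssClean = true` returns from a tag-stripped string to an HTML-entity-encoded one (FILTER_SANITIZE_FULL_SPECIAL_CHARS encodes `<`, `>`, `&`, `"` and `'` like htmlspecialchars with ENT_QUOTES), so any caller that compares, stores or decodes the cookie value as data rather than printing it into HTML now sees a different string, and nothing in the hunk records that. The body of get_cookie() is fully inside the hunk but its docblock is not; the `$xssClean` parameter description there should presumably be updated to say what the flag now does, e.g. `@param bool $xssClean HTML-encode the value via FILTER_SANITIZE_FULL_SPECIAL_CHARS; this is not a substitute for esc() at output time`. A why-comment on the changed line would also help the next maintainer: `// FILTER_SANITIZE_STRING is deprecated in PHP 8.1; this filter encodes special chars rather than stripping tags`. The FILTER_DEFAULT path is untouched by this change.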
@@ -24,7 +24,7 @@ version = '4.1' # The full version, including alpha/beta/rc tags. -release = '4.1.6' +release = '4.1.7' # -- General configuration --------------------------------------------------- diff --git a/user_guide_src/source/helpers/cookie_helper.rst b/user_guide_src/source/helpers/cookie_helper.rst index 33b4e5e7b66c..be6bde64d61e 100755 --- a/user_guide_src/source/helpers/cookie_helper.rst +++ b/user_guide_src/source/helpers/cookie_helper.rst @@ -53,6 +53,8 @@ The following functions are available: the ``$cookiePrefix`` that you might've set in your **app/Config/App.php** file. +.. warning:: Using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended. + .. php:function:: delete_cookie($name[, $domain = ''[, $path = '/'[, $prefix = '']]]) :param string $name: Cookie name diff --git a/user_guide_src/source/incoming/incomingrequest.rst b/user_guide_src/source/incoming/incomingrequest.rst index fe6c26909aed..46ebd35b4bf9 100644 --- a/user_guide_src/source/incoming/incomingrequest.rst +++ b/user_guide_src/source/incoming/incomingrequest.rst @@ -399,7 +399,7 @@ The methods provided by the parent classes that are available are: The second optional parameter lets you run the data through the PHP's filters. Pass in the desired filter type as the second parameter:: - $request->getVar('some_data', FILTER_SANITIZE_STRING); + $request->getVar('some_data', FILTER_SANITIZE_FULL_SPECIAL_CHARS); To return an array of all POST items call without any parameters. 
@@ -407,7 +407,7 @@ The methods provided by the parent classes that are available are: first parameter to null while setting the second parameter to the filter you want to use:: - $request->getVar(null, FILTER_SANITIZE_STRING); + $request->getVar(null, FILTER_SANITIZE_FULL_SPECIAL_CHARS); // returns all POST items with string sanitation To return an array of multiple POST parameters, pass all the required keys as an array:: @@ -417,7 +417,7 @@ The methods provided by the parent classes that are available are: Same rule applied here, to retrieve the parameters with filtering, set the second parameter to the filter type to apply:: - $request->getVar(['field1', 'field2'], FILTER_SANITIZE_STRING); + $request->getVar(['field1', 'field2'], FILTER_SANITIZE_FULL_SPECIAL_CHARS); .. php:method:: getGet([$index = null[, $filter = null[, $flags = null]]]) @@ -489,7 +489,7 @@ The methods provided by the parent classes that are available are: This method is identical to ``getPost()`` and ``getGet()``, only it fetches cookie data:: $request->getCookie('some_cookie'); - $request->getCookie('some_cookie', FILTER_SANITIZE_STRING); // with filter + $request->getCookie('some_cookie', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // with filter To return an array of multiple cookie values, pass all the required keys as an array:: diff --git a/user_guide_src/source/installation/upgrade_417.rst b/user_guide_src/source/installation/upgrade_417.rst new file mode 100644 index 000000000000..fd5c3cf80543 --- /dev/null +++ b/user_guide_src/source/installation/upgrade_417.rst 
@@ -0,0 +1,18 @@
+#############################
+Upgrading from 4.1.6 to 4.1.7
+#############################
+
+Please refer to the upgrade instructions corresponding to your installation method.
+
+- :ref:`Composer Installation App Starter Upgrading `
+- :ref:`Composer Installation Adding CodeIgniter4 to an Existing Project Upgrading `
+- :ref:`Manual Installation Upgrading `
+
+.. contents::
+ :local:
+ :depth: 2
+
+Breaking Changes
+****************
+
+- ``get_cookie()`` when ``$xssClean`` is true changed the output. Now it uses ``FILTER_SANITIZE_FULL_SPECIAL_CHARS``, not ``FILTER_SANITIZE_STRING``. Make sure the change is acceptable or not. Note that using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst
index 771392d8f81a..d142117ba7b9 100644
--- a/user_guide_src/source/installation/upgrading.rst
+++ b/user_guide_src/source/installation/upgrading.rst
@@ -8,6 +8,7 @@ upgrading from.
 .. toctree::
 :titlesonly:
 
+ Upgrading from 4.1.6 to 4.1.7
 Upgrading from 4.1.5 to 4.1.6
 Upgrading from 4.1.4 to 4.1.5
 Upgrading from 4.1.3 to 4.1.4