CodeIgniter 1.6.3 Maintenance and Security Release
#31

[eluser]Seppo[/eluser]
Derek,
I'm sure that what we can gain by not using benchmark or hooks is not much, but I was comparing that with "the overhead of an additional function call to avoid code duplication"... and the BM class has 5 function calls and the hooks 8 (besides loading)

And the repeated code is not much, as you pointed out (I would add the db_set_charset call to the extracted segment), but it's easier to read and maintain. =)
#32

[eluser]Derek Jones[/eluser]
Quote:but i was comparing that with “the overhead of an additional function call to avoid code duplication"

Touché :-D Incidentally, I couldn't avoid the fun test while drinking my tea. Eliminating Benchmarking and Hooks in CodeIgniter for Speed Improvement

Quote:(I would add the db_set_charset call to the extracted segment)

You'd still need a parent conditional, though, since we don't want to directly return the return value of the abstracted method; further processing is required. So either the original conditional must stay, or a new one testing the return value of the abstracted method.
#33

[eluser]Seppo[/eluser]
Quote:since we don't want to directly return the return value of the abstracted method

Are you sure? The first time it does return TRUE/FALSE, and the second time it returns FALSE if it fails and does not return anything (the block) if it succeeds, but the next line returns TRUE so... I believe I DO want to directly return the return value.

It's great to know that you are also having fun with this =)
#34

[eluser]Derek Jones[/eluser]
Indeed you are correct, for some reason I was thinking that we still logged a message before returning TRUE.
#35

[eluser]Seppo[/eluser]
Going back to the CI 1.6.3 release... is there any reason why the online user guide points to svn user guide and not the released one? Take a look http://ellislab.com/codeigniter/user-gui...gelog.html
#36

[eluser]Derek Jones[/eluser]
I don't follow, Seppo. What links are going to the svn instead of http://ellislab.com/codeigniter/user-guide/ ?
#37

[eluser]Seppo[/eluser]
I go to that URL and I see the changelog for the 1.6.4 version

Quote:Change Log

Version 1.6.4
Release Date: In development
SVN Revision: XXXX

No significant changes yet
Other changes
Documented the language file use of byte_format() in the number helper.
Bug fixes for 1.6.4

Fixed a double opening <p> tag in the index pages of each system directory.
#38

[eluser]Derek Jones[/eluser]
Ah, D'Allard had started that list in the SVN but we ended up doing a quick export of 1.6.3 with a few insignificant changes. Swooped in for some cleanup.
#39

[eluser]Bramme[/eluser]
Is there a way of viewing what files exactly got changed from 1.6.2 to 1.6.3? I'm being lazy and don't feel like checking all config files that got overwritten by standard ones :p
#40

[eluser]stensi[/eluser]
Hi Derek. Back on the XSS vulnerability issue, are there any plans on implementing an XSS Clean check for PDF files? Or is it already capable of this?

The latest versions of browsers don't appear to be vulnerable (at least from my tests) but users still using IE6 are affected.

Article discussing XSS vulnerabilities in IE6 and the reason for its vulnerability.

If you view the Hello World PDF example XSS file in IE7 or FireFox it will display the "Hello World" PDF file as normal, but if viewed with IE6 it will execute the XSS due to the reasons explained in the above article.

I've tested CodeIgniter's xss_clean both normally, and with the is_image flag on, on the Hello World PDF example XSS file. The first returns that it is clean and the second that it is dirty (is the is_image flag intended to be used with PDFs as well?). However, I ran a clean PDF through it and it returned the same results (clean and dirty).

I tested the xss_clean, with the is_image flag on, on the sample XSS image and the XSS was of course detected :)

Note: For those wanting to test in the older versions of IE, I've found Multiple IE a useful choice.



