Merge branch 'master' into develop

MGatner · MGatner · commit 8449d13724d4 · 2022-01-10T01:36:11.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # Changelog
 
+## [v4.1.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.7) (2022-01-09)
+
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.6...v4.1.7)
+
+**Breaking Changes**
+
+* fix: replace deprecated FILTER_SANITIZE_STRING by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/5555
+
+**Fixed Bugs**
+
+* fix: BaseConnection::getConnectDuration() number_format(): Passing null to parameter by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/5536
+* Fix: Debug toolbar selectors by @iRedds in https://github.com/codeigniter4/CodeIgniter4/pull/5544
+* Fix: Toolbar. ciDebugBar.showTab() context. by @iRedds in https://github.com/codeigniter4/CodeIgniter4/pull/5554
+* Refactor Database Collector display by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/5553
+
 ## [v4.1.6](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.6) (2022-01-03)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.5...v4.1.6)
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -45,7 +45,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.1.6';
+    public const CI_VERSION = '4.1.7';
 
     private const MIN_PHP_VERSION = '7.3';
 
diff --git a/system/Helpers/cookie_helper.php b/system/Helpers/cookie_helper.php
@@ -65,7 +65,7 @@ function get_cookie($index, bool $xssClean = false)
     {
         $prefix  = isset($_COOKIE[$index]) ? '' : config(App::class)->cookiePrefix;
         $request = Services::request();
-        $filter  = $xssClean ? FILTER_SANITIZE_STRING : FILTER_DEFAULT;
+        $filter  = $xssClean ? FILTER_SANITIZE_FULL_SPECIAL_CHARS : FILTER_DEFAULT;
 
         return $request->getCookie($prefix . $index, $filter);
     }
diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
     :titlesonly:
 
+    v4.1.7
     v4.1.6
     v4.1.5
     v4.1.4
diff --git a/user_guide_src/source/changelogs/v4.1.7.rst b/user_guide_src/source/changelogs/v4.1.7.rst
@@ -0,0 +1,35 @@
+Version 4.1.7
+#############
+
+Release Date: January 9, 2022
+
+**4.1.7 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+BREAKING
+********
+
+- Because ``FILTER_SANITIZE_STRING`` is deprecated since PHP 8.1, ``get_cookie()`` that uses it when ``$xssClean`` is true changed the output. Now it uses ``FILTER_SANITIZE_FULL_SPECIAL_CHARS``. Note that using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
+
+Enhancements
+************
+
+none.
+
+Changes
+*******
+
+none.
+
+Deprecations
+************
+
+none.
+
+Bugs Fixed
+**********
+
+See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
@@ -24,7 +24,7 @@
 version = '4.1'
 
 # The full version, including alpha/beta/rc tags.
-release = '4.1.6'
+release = '4.1.7'
 
 # -- General configuration ---------------------------------------------------
 
diff --git a/user_guide_src/source/helpers/cookie_helper.rst b/user_guide_src/source/helpers/cookie_helper.rst
@@ -53,6 +53,8 @@ The following functions are available:
     the ``$cookiePrefix`` that you might've set in your
     **app/Config/App.php** file.
 
+.. warning:: Using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
+
 .. php:function:: delete_cookie($name[, $domain = ''[, $path = '/'[, $prefix = '']]])
 
     :param string $name: Cookie name
diff --git a/user_guide_src/source/incoming/incomingrequest.rst b/user_guide_src/source/incoming/incomingrequest.rst
@@ -399,15 +399,15 @@ The methods provided by the parent classes that are available are:
         The second optional parameter lets you run the data through the PHP's
         filters. Pass in the desired filter type as the second parameter::
 
-            $request->getVar('some_data', FILTER_SANITIZE_STRING);
+            $request->getVar('some_data', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
         To return an array of all POST items call without any parameters.
 
         To return all POST items and pass them through the filter, set the
         first parameter to null while setting the second parameter to the filter
         you want to use::
 
-            $request->getVar(null, FILTER_SANITIZE_STRING);
+            $request->getVar(null, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
             // returns all POST items with string sanitation
 
         To return an array of multiple POST parameters, pass all the required keys as an array::
@@ -417,7 +417,7 @@ The methods provided by the parent classes that are available are:
         Same rule applied here, to retrieve the parameters with filtering, set the second parameter to
         the filter type to apply::
 
-            $request->getVar(['field1', 'field2'], FILTER_SANITIZE_STRING);
+            $request->getVar(['field1', 'field2'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 
     .. php:method:: getGet([$index = null[, $filter = null[, $flags = null]]])
 
@@ -489,7 +489,7 @@ The methods provided by the parent classes that are available are:
         This method is identical to ``getPost()`` and ``getGet()``, only it fetches cookie data::
 
             $request->getCookie('some_cookie');
-            $request->getCookie('some_cookie', FILTER_SANITIZE_STRING); // with filter
+            $request->getCookie('some_cookie', FILTER_SANITIZE_FULL_SPECIAL_CHARS); // with filter
 
         To return an array of multiple cookie values, pass all the required keys as an array::
 
diff --git a/user_guide_src/source/installation/upgrade_417.rst b/user_guide_src/source/installation/upgrade_417.rst
@@ -0,0 +1,18 @@
+#############################
+Upgrading from 4.1.6 to 4.1.7
+#############################
+
+Please refer to the upgrade instructions corresponding to your installation method.
+
+- :ref:`Composer Installation App Starter Upgrading <app-starter-upgrading>`
+- :ref:`Composer Installation Adding CodeIgniter4 to an Existing Project Upgrading <adding-codeigniter4-upgrading>`
+- :ref:`Manual Installation Upgrading <installing-manual-upgrading>`
+
+.. contents::
+    :local:
+    :depth: 2
+
+Breaking Changes
+****************
+
+- ``get_cookie()`` when ``$xssClean`` is true changed the output. Now it uses ``FILTER_SANITIZE_FULL_SPECIAL_CHARS``, not ``FILTER_SANITIZE_STRING``. Make sure the change is acceptable or not. Note that using XSS filtering is a bad practice. It does not prevent XSS attacks perfectly. Using ``esc()`` with the correct ``$context`` in the views is recommended.
diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst
@@ -8,6 +8,7 @@ upgrading from.
 .. toctree::
     :titlesonly:
 
+    Upgrading from 4.1.6 to 4.1.7 <upgrade_417>
     Upgrading from 4.1.5 to 4.1.6 <upgrade_416>
     Upgrading from 4.1.4 to 4.1.5 <upgrade_415>
     Upgrading from 4.1.3 to 4.1.4 <upgrade_414>

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ function get_cookie($index, bool $xssClean = false)`
`65`	`65`	`{`
`66`	`66`	`$prefix = isset($_COOKIE[$index]) ? '' : config(App::class)->cookiePrefix;`
`67`	`67`	`$request = Services::request();`
`68`		`- $filter = $xssClean ? FILTER_SANITIZE_STRING : FILTER_DEFAULT;`
	`68`	`+ $filter = $xssClean ? FILTER_SANITIZE_FULL_SPECIAL_CHARS : FILTER_DEFAULT;`
`69`	`69`
`70`	`70`	`return $request->getCookie($prefix . $index, $filter);`
`71`	`71`	`}`