When cleaning input data, set url_encode to be false when removing in…

…visible characters. The $_POST, $_GET, and $_COOKIE variables are not urlencoded, but remove_invisible_characters assume that it is and will remove characters such as "%00" unless the url_encoded parameter is set to false.
veenix · Mar 30, 2012 · 9df2447 · 9df2447 · cwillenbrock · Mar 8, 2013
1 parent 3396d53
commit 9df2447
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/system/core/Input.php b/system/core/Input.php
@@ -530,7 +530,7 @@ protected function _clean_input_data($str)
 		}
 
 		// Remove control characters
-		$str = remove_invisible_characters($str);
+		$str = remove_invisible_characters($str, false);
 
 		// Should we filter the input data?
 		if ($this->_enable_xss === TRUE)