/**
* @testdox getDisallowedCharactersInJS() returns a list of strings
*/
public function testGetDisallowedCharactersInJS()
{
$disallowedChars = ContextSafeness::getDisallowedCharactersInJS();
$this->assertInternalType('array', $disallowedChars);
foreach ($disallowedChars as $char) {
$this->assertInternalType('string', $char);
}
}
public function isSafeInCSS()
{
try {
$regexp = RegexpParser::getAllowedCharacterRegexp($this->vars['regexp']);
foreach (ContextSafeness::getDisallowedCharactersInCSS() as $char) {
if (\preg_match($regexp, $char)) {
return \false;
}
}
return \true;
} catch (Exception $e) {
return \false;
}
}
public function isSafeInJS()
{
if (!isset($this->vars['map']) || empty($this->vars['strict'])) {
return \false;
}
$disallowedChars = ContextSafeness::getDisallowedCharactersInJS();
foreach ($this->vars['map'] as $value) {
foreach ($disallowedChars as $char) {
if (\strpos($value, $char) !== \false) {
return \false;
}
}
}
return \true;
}
protected function assessSafeness(array $map)
{
$values = \implode('', $map);
$isSafeInCSS = \true;
foreach (ContextSafeness::getDisallowedCharactersInCSS() as $char) {
if (\strpos($values, $char) !== \false) {
$isSafeInCSS = \false;
break;
}
}
if ($isSafeInCSS) {
$this->markAsSafeInCSS();
}
$isSafeInJS = \true;
foreach (ContextSafeness::getDisallowedCharactersInJS() as $char) {
if (\strpos($values, $char) !== \false) {
$isSafeInJS = \false;
break;
}
}
if ($isSafeInJS) {
$this->markAsSafeInJS();
}
}
/**
* {@inheritdoc}
*/
public function isSafeInCSS()
{
try {
// Test whether this regexp could allow any character that's disallowed in URLs
$regexp = RegexpParser::getAllowedCharacterRegexp($this->vars['regexp']);
foreach (ContextSafeness::getDisallowedCharactersInCSS() as $char) {
if (preg_match($regexp, $char)) {
return false;
}
}
return true;
} catch (Exception $e) {
// If anything unexpected happens, we'll consider this filter is not safe
return false;
}
}
/**
* {@inheritdoc}
*/
public function isSafeInJS()
{
if (!isset($this->vars['map']) || empty($this->vars['strict'])) {
return false;
}
// Test each value against the list of disallowed characters
$disallowedChars = ContextSafeness::getDisallowedCharactersInJS();
foreach ($this->vars['map'] as $value) {
foreach ($disallowedChars as $char) {
if (strpos($value, $char) !== false) {
return false;
}
}
}
return true;
}
/**
* Assess the safeness of given map in contexts
*
* @param array $map
* @return void
*/
protected function assessSafeness(array $map)
{
// Concatenate the values so we can check them as a single string
$values = implode('', $map);
// Test whether the values contain any character that's disallowed in CSS
$isSafeInCSS = true;
foreach (ContextSafeness::getDisallowedCharactersInCSS() as $char) {
if (strpos($values, $char) !== false) {
$isSafeInCSS = false;
break;
}
}
if ($isSafeInCSS) {
$this->markAsSafeInCSS();
}
// Test whether the values contain any character that's disallowed in JS
$isSafeInJS = true;
foreach (ContextSafeness::getDisallowedCharactersInJS() as $char) {
if (strpos($values, $char) !== false) {
$isSafeInJS = false;
break;
}
}
if ($isSafeInJS) {
$this->markAsSafeInJS();
}
}