/**
 * @testdox getDisallowedCharactersInJS() returns a list of strings
 */
public function testGetDisallowedCharactersInJS()
{
    $chars = ContextSafeness::getDisallowedCharactersInJS();

    // The result must be an array whose every element is a string
    $this->assertInternalType('array', $chars);
    $this->assertContainsOnly('string', $chars);
}
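/**
 * Test whether this filter's regexp can only match characters that are safe in CSS
 *
 * The filter is deemed safe only if none of the characters disallowed in CSS can be
 * matched by the regexp. Any failure — an exception from the regexp parser or a
 * PCRE error — is treated as "not safe" so that the check fails closed.
 *
 * @return bool
 */
public function isSafeInCSS()
{
    try
    {
        $regexp = RegexpParser::getAllowedCharacterRegexp($this->vars['regexp']);
        foreach (ContextSafeness::getDisallowedCharactersInCSS() as $char)
        {
            // preg_match() returns false on a PCRE error (e.g. backtrack limit).
            // Treat that like a match instead of silently assuming "no match"
            if (\preg_match($regexp, $char) !== 0)
            {
                return \false;
            }
        }

        return \true;
    }
    catch (Exception $e)
    {
        // Anything unexpected means we cannot vouch for this filter
        return \false;
    }
}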
/**
 * Test whether every value this filter can produce is safe in a JS context
 *
 * Requires a map and the "strict" flag (presumably meaning values outside of the
 * map are rejected rather than passed through — confirm against the filter's
 * definition), then checks that no mapped value contains a disallowed substring.
 *
 * @return bool
 */
public function isSafeInJS()
{
    if (!isset($this->vars['map']) || empty($this->vars['strict']))
    {
        return \false;
    }

    // NOTE(review): assumes every mapped value is a string — strpos() is byte-wise
    $forbidden = ContextSafeness::getDisallowedCharactersInJS();
    foreach ($forbidden as $needle)
    {
        foreach ($this->vars['map'] as $mappedValue)
        {
            if (\strpos($mappedValue, $needle) !== \false)
            {
                return \false;
            }
        }
    }

    return \true;
}
/**
 * Assess in which contexts the values of given map are safe and record the result
 *
 * Marks this filter as safe in CSS and/or JS when none of the disallowed
 * substrings for that context appears in any of the map's values.
 *
 * @param  array $map
 * @return void
 */
protected function assessSafeness(array $map)
{
    // Join every value into a single haystack so each needle is searched once
    $haystack = \implode('', $map);

    // Local helper: does the haystack contain any of the given substrings?
    $containsAny = function ($haystack, array $needles)
    {
        foreach ($needles as $needle)
        {
            if (\strpos($haystack, $needle) !== \false)
            {
                return \true;
            }
        }

        return \false;
    };

    if (!$containsAny($haystack, ContextSafeness::getDisallowedCharactersInCSS()))
    {
        $this->markAsSafeInCSS();
    }

    if (!$containsAny($haystack, ContextSafeness::getDisallowedCharactersInJS()))
    {
        $this->markAsSafeInJS();
    }
}
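/**
 * {@inheritdoc}
 *
 * The filter is deemed safe only if none of the characters disallowed in CSS can
 * be matched by its regexp. Any failure — an exception from the regexp parser or
 * a PCRE error — is treated as "not safe" so that the check fails closed.
 */
public function isSafeInCSS()
{
    try
    {
        // Test whether this regexp could allow any character that's disallowed in CSS
        $regexp = RegexpParser::getAllowedCharacterRegexp($this->vars['regexp']);
        foreach (ContextSafeness::getDisallowedCharactersInCSS() as $char)
        {
            // preg_match() returns false on a PCRE error (e.g. backtrack limit).
            // Treat that like a match instead of silently assuming "no match"
            if (preg_match($regexp, $char) !== 0)
            {
                return false;
            }
        }

        return true;
    }
    catch (Exception $e)
    {
        // If anything unexpected happens, we'll consider this filter is not safe
        return false;
    }
}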
/**
 * {@inheritdoc}
 *
 * Requires a map and the "strict" flag (presumably meaning values outside of the
 * map are rejected rather than passed through — confirm against the filter's
 * definition), then checks that no mapped value contains a disallowed substring.
 */
public function isSafeInJS()
{
    if (!isset($this->vars['map']) || empty($this->vars['strict']))
    {
        return false;
    }

    // NOTE(review): assumes every mapped value is a string — strpos() is byte-wise
    $forbidden = ContextSafeness::getDisallowedCharactersInJS();
    foreach ($forbidden as $needle)
    {
        foreach ($this->vars['map'] as $mappedValue)
        {
            if (strpos($mappedValue, $needle) !== false)
            {
                return false;
            }
        }
    }

    return true;
}
/**
 * Assess in which contexts the values of given map are safe and record the result
 *
 * Marks this filter as safe in CSS and/or JS when none of the disallowed
 * substrings for that context appears in any of the map's values.
 *
 * @param  array $map
 * @return void
 */
protected function assessSafeness(array $map)
{
    // Join every value into a single haystack so each needle is searched once
    $haystack = implode('', $map);

    // Local helper: does the haystack contain any of the given substrings?
    $containsAny = function ($haystack, array $needles)
    {
        foreach ($needles as $needle)
        {
            if (strpos($haystack, $needle) !== false)
            {
                return true;
            }
        }

        return false;
    };

    if (!$containsAny($haystack, ContextSafeness::getDisallowedCharactersInCSS()))
    {
        $this->markAsSafeInCSS();
    }

    if (!$containsAny($haystack, ContextSafeness::getDisallowedCharactersInJS()))
    {
        $this->markAsSafeInJS();
    }
}