/**
 * Returns the session value stored under $key, passed through Filter::XSSFilter.
 *
 * NOTE(review): encoding at read time ties session storage to one output context
 * (HTML); the conventional place to escape is the output boundary, per context.
 * The stored value is handed to the filter whatever its type — confirm that
 * Filter::XSSFilter copes with non-string values (arrays, ints) as well.
 *
 * @param mixed $key Session key, normally a string.
 * @return mixed The filtered value, or null when the key is not set.
 */
public static function get($key)
{
    if (!isset($_SESSION[$key])) {
        return;
    }
    $stored = $_SESSION[$key];
    // filter the value for XSS vulnerabilities
    return Filter::XSSFilter($stored);
}
/**
 * Returns the session value stored under $key; string values are run through
 * Filter::XSSFilter first, anything else is returned untouched.
 *
 * NOTE(review): the filter's return value is discarded here, so the call only has
 * an effect if Filter::XSSFilter modifies its argument by reference — confirm,
 * since elsewhere in this codebase the filter's return value is what is used.
 * If it does work by reference, the filtered string is written back into
 * $_SESSION, so every read re-filters an already filtered value.
 *
 * @param mixed $key Session key, normally a string.
 * @return mixed The (filtered) value, or null when the key is not set.
 */
public static function get($key)
{
    if (!isset($_SESSION[$key])) {
        return;
    }
    if (is_string($_SESSION[$key])) {
        // filter the value for XSS vulnerabilities
        Filter::XSSFilter($_SESSION[$key]);
    }
    return $_SESSION[$key];
}
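/**
 * Returns the session value stored under $key.
 *
 * String values are run through Filter::XSSFilter before being returned. The key
 * "Error-text" is exempt: its value is pre-formatted and written by the server,
 * and the filter mangles it. That exemption is only safe while nothing
 * user-controlled can ever be written under "Error-text" — every writer of that
 * key must uphold this. Non-string values are returned untouched.
 *
 * NOTE(review): the filter's return value is discarded, so the call only has an
 * effect if Filter::XSSFilter modifies its argument by reference — confirm.
 *
 * @param mixed $key Session key, normally a string.
 * @return mixed The (filtered) value, or null when the key is not set.
 */
public static function get($key)
{
    if (!isset($_SESSION[$key])) {
        return null;
    }
    // Strict comparison: a loose `==` against the exemption key coerces
    // non-string keys (e.g. int 0 on PHP < 8) and could match by accident,
    // skipping the filter for the wrong entry.
    if (is_string($_SESSION[$key]) && $key !== 'Error-text') {
        // filter the value for XSS vulnerabilities
        Filter::XSSFilter($_SESSION[$key]);
    }
    return $_SESSION[$key];
}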
/**
 * Input carrying active content must come back encoded, i.e. rendered harmless.
 *
 * NOTE(review): as reproduced here, $expected is byte-identical to $input, so the
 * assertion passes even if the filter encodes nothing at all. The expected value
 * should be the entity-encoded form the filter actually produces (e.g.
 * `&lt;script&gt;` for `<script>`) — confirm against Filter::XSSFilter and
 * restore it, otherwise this test cannot catch a regression in the encoding.
 */
public function testXSSFilterWithBadCode()
{
    $input = "Hello <script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>";
    $expected = "Hello <script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>";

    $filtered = Filter::XSSFilter($input);

    $this->assertEquals($expected, $filtered);
}