|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
namespace AlgoWeb\PODataLaravel\Controllers; |
|
4
|
|
|
|
|
5
|
|
|
use AlgoWeb\PODataLaravel\Serialisers\IronicSerialiser; |
|
6
|
|
|
use Carbon\Carbon; |
|
7
|
|
|
use Illuminate\Http\Request; |
|
8
|
|
|
use Illuminate\Http\Response; |
|
9
|
|
|
use AlgoWeb\PODataLaravel\Controllers\Controller as BaseController; |
|
10
|
|
|
use Illuminate\Support\Facades\App; |
|
11
|
|
|
use Illuminate\Support\Facades\DB; |
|
12
|
|
|
use Illuminate\Support\Facades\Storage; |
|
13
|
|
|
use POData\OperationContext\ServiceHost as ServiceHost; |
|
14
|
|
|
use POData\SimpleDataService as DataService; |
|
15
|
|
|
use POData\OperationContext\Web\Illuminate\IlluminateOperationContext as OperationContextAdapter; |
|
16
|
|
|
use voku\helper\AntiXSS; |
|
17
|
|
|
|
|
18
|
|
|
class ODataController extends BaseController |
|
19
|
|
|
{ |
|
20
|
|
|
/** |
|
21
|
|
|
* Display a listing of the resource. |
|
22
|
|
|
* |
|
23
|
|
|
* @return \Illuminate\Http\Response |
|
24
|
|
|
*/ |
|
25
|
|
|
public function index(Request $request) |
|
26
|
|
|
{ |
|
27
|
|
|
$dump = $this->getIsDumping(); |
|
28
|
|
|
$dryRun = $this->getIsDryRun(); |
|
29
|
|
|
$commitCall = $dryRun ? 'rollBack' : 'commit'; |
|
30
|
|
|
|
|
31
|
|
|
try { |
|
32
|
|
|
DB::beginTransaction(); |
|
33
|
|
|
$context = new OperationContextAdapter($request); |
|
34
|
|
|
$host = new ServiceHost($context, $request); |
|
35
|
|
|
$host->setServiceUri('/odata.svc/'); |
|
36
|
|
|
|
|
37
|
|
|
$query = App::make('odataquery'); |
|
38
|
|
|
$meta = App::make('metadata'); |
|
39
|
|
|
|
|
40
|
|
|
$service = new DataService($query, $meta, $host); |
|
41
|
|
|
$cereal = new IronicSerialiser($service, null); |
|
42
|
|
|
$service = new DataService($query, $meta, $host, $cereal); |
|
43
|
|
|
$service->handleRequest(); |
|
44
|
|
|
|
|
45
|
|
|
$odataResponse = $context->outgoingResponse(); |
|
46
|
|
|
|
|
47
|
|
|
if (true === $dump) { |
|
48
|
|
|
// iff XTest header is set, containing class and method name |
|
49
|
|
|
// dump outgoing odataResponse, metadata, and incoming request |
|
50
|
|
|
$xTest = $request->header('XTest'); |
|
51
|
|
|
$date = Carbon::now(0); |
|
52
|
|
|
$timeString = $date->toTimeString(); |
|
53
|
|
|
$xTest = (null !== $xTest) ? $xTest |
|
54
|
|
|
: $request->method() . ';' . str_replace('/', '-', $request->path()) . ';' . $timeString . ';'; |
|
55
|
|
|
if (null != $xTest) { |
|
56
|
|
|
$reflectionClass = new \ReflectionClass('Illuminate\Http\Request'); |
|
57
|
|
|
$reflectionProperty = $reflectionClass->getProperty('userResolver'); |
|
58
|
|
|
$reflectionProperty->setAccessible(true); |
|
59
|
|
|
$reflectionProperty->setValue($request, null); |
|
60
|
|
|
$reflectionProperty = $reflectionClass->getProperty('routeResolver'); |
|
61
|
|
|
$reflectionProperty->setAccessible(true); |
|
62
|
|
|
$reflectionProperty->setValue($request, null); |
|
63
|
|
|
$cerealRequest = serialize($request); |
|
64
|
|
|
$cerealMeta = serialize($meta); |
|
65
|
|
|
$cerealResponse = serialize($odataResponse); |
|
66
|
|
|
Storage::put($xTest . 'request', $cerealRequest); |
|
67
|
|
|
Storage::put($xTest . 'metadata', $cerealMeta); |
|
68
|
|
|
Storage::put($xTest . 'response', $cerealResponse); |
|
69
|
|
|
} |
|
70
|
|
|
} |
|
71
|
|
|
|
|
72
|
|
|
$content = $odataResponse->getStream(); |
|
73
|
|
|
|
|
74
|
|
|
$headers = $odataResponse->getHeaders(); |
|
75
|
|
|
$responseCode = $headers[\POData\Common\ODataConstants::HTTPRESPONSE_HEADER_STATUS_CODE]; |
|
76
|
|
|
$responseCode = isset($responseCode) ? intval($responseCode) : 200; |
|
77
|
|
|
$response = new Response($content, $responseCode); |
|
|
|
|
|
|
78
|
|
|
$response->setStatusCode($headers['Status']); |
|
79
|
|
|
|
|
80
|
|
|
foreach ($headers as $headerName => $headerValue) { |
|
81
|
|
|
if (!is_null($headerValue)) { |
|
82
|
|
|
$response->headers->set($headerName, $headerValue); |
|
83
|
|
|
} |
|
84
|
|
|
} |
|
85
|
|
|
DB::$commitCall(); |
|
86
|
|
|
} catch (\Exception $e) { |
|
87
|
|
|
DB::rollBack(); |
|
88
|
|
|
throw $e; |
|
89
|
|
|
} |
|
90
|
|
|
return $response; |
|
91
|
|
|
} |
|
92
|
|
|
|
|
93
|
|
|
/** |
|
94
|
|
|
* @return bool |
|
95
|
|
|
*/ |
|
96
|
|
|
protected function getIsDumping() |
|
|
|
|
|
|
97
|
|
|
{ |
|
98
|
|
|
$configDump = env('APP_DUMP_REQUESTS', false); |
|
99
|
|
|
return true === $configDump; |
|
100
|
|
|
} |
|
101
|
|
|
|
|
102
|
|
|
/** |
|
103
|
|
|
* Is application dry-running (ie, not committing) non-READ requests? |
|
104
|
|
|
* |
|
105
|
|
|
* @return bool |
|
106
|
|
|
*/ |
|
107
|
|
|
protected function getIsDryRun() |
|
|
|
|
|
|
108
|
|
|
{ |
|
109
|
|
|
$configDump = env('APP_DRY_RUN', false); |
|
110
|
|
|
return true === $configDump; |
|
111
|
|
|
} |
|
112
|
|
|
} |
|
113
|
|
|
|
Algo-Web /
POData-Laravel
Loading history...
$contentcan contain request data and is used in output context(s) leading to a potential security vulnerability.9 paths for user data to reach this point
HTTP_HOSTfrom$_SERVERin src/POData/OperationContext/SimpleRequestAdapter.php on line 23HTTP_HOSTfrom$_SERVERin vendor/src/POData/OperationContext/SimpleRequestAdapter.php on line 23
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
$this->parameters['HTTP_AUTHORIZATION']seems to return tainted data, and$authorizationHeaderis assigned in ServerBag.php on line 62$this->parameters['HTTP_AUTHORIZATION']seems to return tainted data, and$authorizationHeaderis assignedin vendor/ServerBag.php on line 62
in vendor/ServerBag.php on line 77
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
$_POST,and$_POSTis passed to Request::createRequestFromFactory() in Request.php on line 317$_POST,and$_POSTis passed to Request::createRequestFromFactory()in vendor/Request.php on line 317
$requestis passed to Request::__construct()in vendor/Request.php on line 2052
$requestis passed to Request::initialize()in vendor/Request.php on line 258
$requestis passed to ParameterBag::__construct()in vendor/Request.php on line 276
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
$_SERVER,and$serveris assigned in Request.php on line 307$_SERVER,and$serveris assignedin vendor/Request.php on line 307
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 317
$serveris passed to Request::__construct()in vendor/Request.php on line 2052
$serveris passed to Request::initialize()in vendor/Request.php on line 258
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 281
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
HTTP_CONTENT_LENGTHfrom$_SERVER,and$serveris assigned in Request.php on line 310HTTP_CONTENT_LENGTHfrom$_SERVER,and$serveris assignedin vendor/Request.php on line 310
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 317
$serveris passed to Request::__construct()in vendor/Request.php on line 2052
$serveris passed to Request::initialize()in vendor/Request.php on line 258
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 281
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
HTTP_CONTENT_TYPEfrom$_SERVER,and$serveris assigned in Request.php on line 313HTTP_CONTENT_TYPEfrom$_SERVER,and$serveris assignedin vendor/Request.php on line 313
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 317
$serveris passed to Request::__construct()in vendor/Request.php on line 2052
$serveris passed to Request::initialize()in vendor/Request.php on line 258
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 281
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
$server['HTTP_HOST']seems to return tainted data, and$serveris assigned in Request.php on line 383$server['HTTP_HOST']seems to return tainted data, and$serveris assignedin vendor/Request.php on line 383
$serveris assignedin vendor/Request.php on line 431
$serveris assignedin vendor/Request.php on line 432
$serveris passed to Request::createRequestFromFactory()in vendor/Request.php on line 434
$serveris passed to Request::__construct()in vendor/Request.php on line 2052
$serveris passed to Request::initialize()in vendor/Request.php on line 258
$serveris passed to ParameterBag::__construct()in vendor/Request.php on line 281
in vendor/ParameterBag.php on line 35
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
$this->parameters['PHP_AUTH_USER']seems to return tainted data, and$headersis assigned in ServerBag.php on line 43$this->parameters['PHP_AUTH_USER']seems to return tainted data, and$headersis assignedin vendor/ServerBag.php on line 43
$headersis assignedin vendor/ServerBag.php on line 44
$this->server->getHeaders()is passed to HeaderBag::__construct()in vendor/Request.php on line 282
$valuesis assignedin vendor/HeaderBag.php on line 31
$valuesis passed to HeaderBag::set()in vendor/HeaderBag.php on line 32
(array) $valuesis passed through array_values(), and$valuesis assignedin vendor/HeaderBag.php on line 143
in vendor/HeaderBag.php on line 146
in vendor/HeaderBag.php on line 67
$headersis assignedin vendor/HeaderBag.php on line 115
$requestUriis assignedin vendor/Request.php on line 1822
$requestUriis passed to ParameterBag::set()in vendor/Request.php on line 1853
in vendor/ParameterBag.php on line 99
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
$this->parameters['PHP_AUTH_PW']seems to return tainted data, and$headersis assigned in ServerBag.php on line 44$this->parameters['PHP_AUTH_PW']seems to return tainted data, and$headersis assignedin vendor/ServerBag.php on line 44
$this->server->getHeaders()is passed to HeaderBag::__construct()in vendor/Request.php on line 282
$valuesis assignedin vendor/HeaderBag.php on line 31
$valuesis passed to HeaderBag::set()in vendor/HeaderBag.php on line 32
(array) $valuesis passed through array_values(), and$valuesis assignedin vendor/HeaderBag.php on line 143
in vendor/HeaderBag.php on line 146
in vendor/HeaderBag.php on line 67
$headersis assignedin vendor/HeaderBag.php on line 115
$requestUriis assignedin vendor/Request.php on line 1822
$requestUriis passed to ParameterBag::set()in vendor/Request.php on line 1853
in vendor/ParameterBag.php on line 99
in vendor/ParameterBag.php on line 88
in vendor/Request.php on line 1022
$portis assignedin vendor/Request.php on line 1085
in vendor/Request.php on line 1118
in vendor/Request.php on line 1134
$this->getUri()is passed through preg_replace(), andpreg_replace('/\\?.*/', '', $this->getUri())is passed through rtrim()in vendor/src/Illuminate/Http/Request.php on line 99
in vendor/src/Illuminate/Http/Request.php on line 113
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73
in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75
in vendor/src/POData/OperationContext/ServiceHost.php on line 120
$this->absoluteRequestUriAsStringis passed to Url::__construct()in vendor/src/POData/OperationContext/ServiceHost.php on line 123
in vendor/src/POData/Common/Url.php on line 53
in vendor/src/POData/Common/Url.php on line 63
in vendor/src/POData/ObjectModel/CynicSerialiser.php on line 492
$this->absoluteServiceUriis passed through rtrim(), and ODataURL::$url is assignedin vendor/src/POData/ObjectModel/CynicSerialiser.php on line 327
$url->urlis passed to JsonWriter::writeValue()in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 105
$valueis passed to JsonWriter::writeCore()in vendor/src/POData/Writers/Json/JsonWriter.php on line 124
$textis passed to IndentedTextWriter::writeValue()in vendor/src/POData/Writers/Json/JsonWriter.php on line 217
$valueis passed to IndentedTextWriter::write()in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143
in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122
in vendor/src/POData/Writers/Json/JsonWriter.php on line 258
in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 431
$responseBodyis assignedin vendor/src/POData/Common/ErrorHandler.php on line 62
$responseBodyis passed to OutgoingResponse::setStream()in vendor/src/POData/Common/ErrorHandler.php on line 65
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 197
in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 187
$contentis assignedin src/Controllers/ODataController.php on line 72
Used in output context
in vendor/Response.php on line 201
in vendor/Response.php on line 402
in vendor/Response.php on line 361
Preventing Cross-Site-Scripting Attacks
Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user.
In order to prevent this, make sure to escape all user-provided data:
General Strategies to prevent injection
In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); }For numeric data, we recommend to explicitly cast the data: