@@ -169,7 +169,7 @@ discard block |
| 169 | 169 | // do the long opening tags. |
| 170 | 170 | $str = preg_replace('/<\?(php)/i', "<?\\1", $str); |
| 171 | 171 | } else { |
| 172 | - $str = str_replace(['<?', '?' . '>'], ['<?', '?>'], $str); |
|
| 172 | + $str = str_replace(['<?', '?'.'>'], ['<?', '?>'], $str); |
|
| 173 | 173 | } |
| 174 | 174 | |
| 175 | 175 | /* |
@@ -195,12 +195,12 @@ discard block |
| 195 | 195 | $temp = ''; |
| 196 | 196 | |
| 197 | 197 | for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++) { |
| 198 | - $temp .= substr($word, $i, 1) . "\s*"; |
|
| 198 | + $temp .= substr($word, $i, 1)."\s*"; |
|
| 199 | 199 | } |
| 200 | 200 | |
| 201 | 201 | // We only want to do this when it is followed by a non-word character |
| 202 | 202 | // That way valid stuff like "dealer to" does not become "dealerto" |
| 203 | - $str = preg_replace_callback('#(' . substr($temp, 0, -3) . ')(\W)#is', [$this, '_compact_exploded_words'], $str); |
|
| 203 | + $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', [$this, '_compact_exploded_words'], $str); |
|
| 204 | 204 | } |
| 205 | 205 | |
| 206 | 206 | /* |
@@ -240,7 +240,7 @@ discard block |
| 240 | 240 | * Becomes: <blink> |
| 241 | 241 | */ |
| 242 | 242 | $naughty = 'alert|applet|audio|basefont|base|behavior|bgsound|blink|body|embed|expression|form|frameset|frame|head|html|ilayer|iframe|input|isindex|layer|link|meta|object|plaintext|style|script|textarea|title|video|xml|xss'; |
| 243 | - $str = preg_replace_callback('#<(/*\s*)(' . $naughty . ')([^><]*)([><]*)#is', [$this, '_sanitize_naughty_html'], $str); |
|
| 243 | + $str = preg_replace_callback('#<(/*\s*)('.$naughty.')([^><]*)([><]*)#is', [$this, '_sanitize_naughty_html'], $str); |
|
| 244 | 244 | |
| 245 | 245 | /* |
| 246 | 246 | * Sanitize naughty scripting elements |
@@ -315,7 +315,7 @@ discard block |
| 315 | 315 | |
| 316 | 316 | do { |
| 317 | 317 | $str = preg_replace( |
| 318 | - "#<(/?[^><]+?)([^A-Za-z\-])(" . implode('|', $evil_attributes) . ")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i", |
|
| 318 | + "#<(/?[^><]+?)([^A-Za-z\-])(".implode('|', $evil_attributes).")(\s*=\s*)([\"][^>]*?[\"]|[\'][^>]*?[\']|[^>]*?)([\s><])([><]*)#i", |
|
| 319 | 319 | "<$1$6", |
| 320 | 320 | $str, -1, $count |
| 321 | 321 | ); |
@@ -389,17 +389,17 @@ discard block |
| 389 | 389 | '?', |
| 390 | 390 | "%20", |
| 391 | 391 | "%22", |
| 392 | - "%3c", // < |
|
| 393 | - "%253c", // < |
|
| 394 | - "%3e", // > |
|
| 395 | - "%0e", // > |
|
| 396 | - "%28", // ( |
|
| 397 | - "%29", // ) |
|
| 398 | - "%2528", // ( |
|
| 399 | - "%26", // & |
|
| 400 | - "%24", // $ |
|
| 401 | - "%3f", // ? |
|
| 402 | - "%3b", // ; |
|
| 392 | + "%3c", // < |
|
| 393 | + "%253c", // < |
|
| 394 | + "%3e", // > |
|
| 395 | + "%0e", // > |
|
| 396 | + "%28", // ( |
|
| 397 | + "%29", // ) |
|
| 398 | + "%2528", // ( |
|
| 399 | + "%26", // & |
|
| 400 | + "%24", // $ |
|
| 401 | + "%3f", // ? |
|
| 402 | + "%3b", // ; |
|
| 403 | 403 | "%3d" // = |
| 404 | 404 | ]; |
| 405 | 405 | |
@@ -426,7 +426,7 @@ discard block |
| 426 | 426 | */ |
| 427 | 427 | protected function _compact_exploded_words($matches) |
| 428 | 428 | { |
| 429 | - return preg_replace('/\s+/s', '', $matches[1]) . $matches[2]; |
|
| 429 | + return preg_replace('/\s+/s', '', $matches[1]).$matches[2]; |
|
| 430 | 430 | } |
| 431 | 431 | |
| 432 | 432 | // -------------------------------------------------------------------- |
@@ -442,7 +442,7 @@ discard block |
| 442 | 442 | protected function _sanitize_naughty_html($matches) |
| 443 | 443 | { |
| 444 | 444 | // encode opening brace |
| 445 | - $str = '<' . $matches[1] . $matches[2] . $matches[3]; |
|
| 445 | + $str = '<'.$matches[1].$matches[2].$matches[3]; |
|
| 446 | 446 | |
| 447 | 447 | // encode captured opening or closing brace to prevent recursive vectors |
| 448 | 448 | $str .= str_replace(['>', '<'], ['>', '<'], |
@@ -574,7 +574,7 @@ discard block |
| 574 | 574 | |
| 575 | 575 | // 901119URL5918AMP18930PROTECT8198 |
| 576 | 576 | |
| 577 | - $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash() . "\\1=\\2", $str); |
|
| 577 | + $str = preg_replace('|\&([a-z\_0-9\-]+)\=([a-z\_0-9\-]+)|i', $this->xss_hash()."\\1=\\2", $str); |
|
| 578 | 578 | |
| 579 | 579 | /* |
| 580 | 580 | * Validate standard character entities |
@@ -612,7 +612,7 @@ discard block |
| 612 | 612 | $str = str_replace(array_keys($this->_never_allowed_str), $this->_never_allowed_str, $str); |
| 613 | 613 | |
| 614 | 614 | foreach ($this->_never_allowed_regex as $regex) { |
| 615 | - $str = preg_replace('#' . $regex . '#is', '[removed]', $str); |
|
| 615 | + $str = preg_replace('#'.$regex.'#is', '[removed]', $str); |
|
| 616 | 616 | } |
| 617 | 617 | |
| 618 | 618 | return $str; |
@@ -627,11 +627,11 @@ discard block |
| 627 | 627 | // carriage return (dec 13), and horizontal tab (dec 09) |
| 628 | 628 | |
| 629 | 629 | if ($url_encoded) { |
| 630 | - $non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15 |
|
| 631 | - $non_displayables[] = '/%1[0-9a-f]/'; // url encoded 16-31 |
|
| 630 | + $non_displayables[] = '/%0[0-8bcef]/'; // url encoded 00-08, 11, 12, 14, 15 |
|
| 631 | + $non_displayables[] = '/%1[0-9a-f]/'; // url encoded 16-31 |
|
| 632 | 632 | } |
| 633 | 633 | |
| 634 | - $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127 |
|
| 634 | + $non_displayables[] = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S'; // 00-08, 11, 12, 14-31, 127 |
|
| 635 | 635 | |
| 636 | 636 | do { |
| 637 | 637 | $str = preg_replace($non_displayables, '', $str, -1, $count); |
@@ -14,11 +14,11 @@ |
| 14 | 14 | { |
| 15 | 15 | |
| 16 | 16 | $this->publishes([ |
| 17 | - __DIR__ . '/../../config/config.php' => config_path('security.php'), |
|
| 17 | + __DIR__.'/../../config/config.php' => config_path('security.php'), |
|
| 18 | 18 | ]); |
| 19 | 19 | |
| 20 | 20 | $this->mergeConfigFrom( |
| 21 | - __DIR__ . '/../../config/config.php', 'security' |
|
| 21 | + __DIR__.'/../../config/config.php', 'security' |
|
| 22 | 22 | ); |
| 23 | 23 | |
| 24 | 24 | |
@@ -24,7 +24,7 @@ |
| 24 | 24 | $config->set('Cache.DefinitionImpl', null); |
| 25 | 25 | //$config->set('HTML.SafeIframe', true); |
| 26 | 26 | |
| 27 | - array_walk_recursive($input, function (&$input) use ($config) { |
|
| 27 | + array_walk_recursive($input, function(&$input) use ($config) { |
|
| 28 | 28 | if (config('security.html_purifier')) { |
| 29 | 29 | $input = (new \HTMLPurifier($config))->purify($input); |
| 30 | 30 | } |
@@ -1,6 +1,6 @@ |
| 1 | 1 | <?php |
| 2 | 2 | |
| 3 | 3 | return [ |
| 4 | - 'xss_enable'=> env('SECURITY_XSS_ENABLE',true), |
|
| 5 | - 'html_purifier'=> env('SECURITY_HTML_PURIFIER_ENABLE',true) |
|
| 4 | + 'xss_enable'=> env('SECURITY_XSS_ENABLE', true), |
|
| 5 | + 'html_purifier'=> env('SECURITY_HTML_PURIFIER_ENABLE', true) |
|
| 6 | 6 | ]; |
| 7 | 7 | \ No newline at end of file |