CEscaper::escapeCSS() - Code Metrics - Sceluswe/XSS-Escaper - Measure and Improve Code Quality continuously with Scrutinizer

CEscaper::escapeCSS() A
last analyzed 2016-04-20 19:08 UTC

↳ Parent: CEscaper

Complexity

Conditions	1
Paths	1

Size

Total Lines	8
Code Lines	5

Duplication

Lines	8
Ratio	100 %

Code Coverage

Tests	5
CRAP Score	1

Metric	Value
dl	8
loc	8
ccs	5
cts	5
cp	1
rs	9.4285
cc	1
eloc	5
nc	1
nop	1
crap	1

<?php

namespace Scelus\Escaper;

/*
* All functions are based on the recommendations in the 
* XSS (Cross Site Scripting) Prevention Cheat Sheet:
* https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
* 
*/
class CEscaper
{
	private $CHARSET;

	public function __construct($encoding = 'UTF-8') {
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
		isset($_SESSION['escaper_charset']) 
			? $this->CHARSET = $_SESSION['escaper_charset'] 
			: $_SESSION['escaper_charset'] = $encoding;
			
		$this->CHARSET = $_SESSION['escaper_charset'];
	}

	/** Sets the used charset for the esacpeHTML and escapeXML function.
	*
	* @param $value, the string/value to escape.
	*
	*/
	public function setEncoding($value) {
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
		$_SESSION['escaper_charset'] = strip_tags($value);
		$this->CHARSET = $_SESSION['escaper_charset'];
	}

	/** Returns the used charset for the esacpeHTML and escapeXML function.
	*
	* @return the current charset as a string.
	*/
	public function getEncoding() {
		return $this->CHARSET;
	}

	/** Escapes HTML string using htmlspecialchars().
	*
	* @param $string, the untrusted string to escape.
	*
	* @return $result, escaped string.

	*/
	public function escapeHTML($value) {
		$result = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $this->CHARSET);
		$result = preg_replace('/[\/]/', '&#x2F;', $result);
		
		return $result;
	}

	/** Escapes non-alphanumeric characters in an untrusted string for HTML attribute values.
	*
	* @param $string, the untrusted string to escape.
	*
	* @return $result, escaped string.

	*/
	public function escapeHTMLattr($value) {

		$result = preg_replace_callback("/[\W]/", function($matches) {
			return "&#x" . bin2hex($matches[0]) . ";";
		}, 
		$value);
		return $result;
	}

	/** Escapes non-alphanumeric characters in an untrusted string for JS input values.
	*
	* @param $string, the untrusted string to escape.
	*
	* @return $result, escaped string.

	*/
	public function escapeJs($value) {

		$result = preg_replace_callback("/[\W]/", function($matches) {
			return "\\x" . bin2hex($matches[0]);
		}, 
		$value);

		return $result;
	}

	/** Escapes non-alphanumeric characters in an untrusted string for CSS input values.
	*
	* @param $string, the untrusted string to escape.
	*
	* @return $result, escaped string.

	*/
	public function escapeCSS($value) {

		$result = preg_replace_callback("/[\W]/", function($matches) {
			return "\\" . bin2hex($matches[0]) . " ";
		}, 
		$value);

		return $result;
	}

	/** Escapes data that is to be inserted in a URL not the whole URL itself.
	* 
	* @param $string, the untrusted string to escape.
	*
	* @return, escaped string.
	*/
	public function escapeUrl($value) {
		return rawurlencode($value);
	}

	/**
	* Aliases to HTML functions for semantic value.
	* XML escaping is identical to HTML escaping.
	*/
	public function escapeXml($value) {
		return $this->escapeHTML($value);
	}

	public function escapeXmlAttr($value) {
		return $this->escapeHTMLattr($value);
	}
}


1			<?php
2
3			namespace Scelus\Escaper;
4
5			/*
6			* All functions are based on the recommendations in the
7			* XSS (Cross Site Scripting) Prevention Cheat Sheet:
8			* https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
9			*
10			*/
11			class CEscaper
12			{
13			private $CHARSET;
14
15	9		public function __construct($encoding = 'UTF-8') {
			0 ignored issues – show Coding Style introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report `__construct` uses the super-global variable `$_SESSION` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
16	9		isset($_SESSION['escaper_charset'])
17	9		? $this->CHARSET = $_SESSION['escaper_charset']
18	9		: $_SESSION['escaper_charset'] = $encoding;
19
20	9		$this->CHARSET = $_SESSION['escaper_charset'];
21	9		}
22
23			/** Sets the used charset for the esacpeHTML and escapeXML function.
24			*
25			* @param $value, the string/value to escape.
26			*
27			*/
28	1		public function setEncoding($value) {
			0 ignored issues – show Coding Style introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report `setEncoding` uses the super-global variable `$_SESSION` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
29	1		$_SESSION['escaper_charset'] = strip_tags($value);
30	1		$this->CHARSET = $_SESSION['escaper_charset'];
31	1		}
32
33			/** Returns the used charset for the esacpeHTML and escapeXML function.
34			*
35			* @return the current charset as a string.
36			*/
37	2		public function getEncoding() {
38	2		return $this->CHARSET;
39			}
40
41			/** Escapes HTML string using htmlspecialchars().
42			*
43			* @param $string, the untrusted string to escape.
44			*
45			* @return $result, escaped string.
			0 ignored issues – show Documentation introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report The doc-type `$result,` could not be parsed: Unknown type name "$result" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
46			*/
47	2		public function escapeHTML($value) {
48	2		$result = htmlspecialchars($value, ENT_QUOTES \| ENT_SUBSTITUTE, $this->CHARSET);
49	2		$result = preg_replace('/[\/]/', '/', $result);
50
51	2		return $result;
52			}
53
54			/** Escapes non-alphanumeric characters in an untrusted string for HTML attribute values.
55			*
56			* @param $string, the untrusted string to escape.
57			*
58			* @return $result, escaped string.
			0 ignored issues – show Documentation introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report The doc-type `$result,` could not be parsed: Unknown type name "$result" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
59			*/
60	2	View Code Duplication	public function escapeHTMLattr($value) {
			0 ignored issues – show Duplication introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
61			$result = preg_replace_callback("/[\W]/", function($matches) {
62	2		return "&#x" . bin2hex($matches[0]) . ";";
63	2		},
64	2		$value);
65	2		return $result;
66			}
67
68			/** Escapes non-alphanumeric characters in an untrusted string for JS input values.
69			*
70			* @param $string, the untrusted string to escape.
71			*
72			* @return $result, escaped string.
			0 ignored issues – show Documentation introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report The doc-type `$result,` could not be parsed: Unknown type name "$result" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
73			*/
74	1	View Code Duplication	public function escapeJs($value) {
			0 ignored issues – show Duplication introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
75			$result = preg_replace_callback("/[\W]/", function($matches) {
76	1		return "\\x" . bin2hex($matches[0]);
77	1		},
78	1		$value);
79
80	1		return $result;
81			}
82
83			/** Escapes non-alphanumeric characters in an untrusted string for CSS input values.
84			*
85			* @param $string, the untrusted string to escape.
86			*
87			* @return $result, escaped string.
			0 ignored issues – show Documentation introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report The doc-type `$result,` could not be parsed: Unknown type name "$result" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
88			*/
89		View Code Duplication	public function escapeCSS($value) {
			0 ignored issues – show Duplication introduced 2016-04-18 19:03 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
90	1		$result = preg_replace_callback("/[\W]/", function($matches) {
91	1		return "\\" . bin2hex($matches[0]) . " ";
92	1		},
93	1		$value);
94
95	1		return $result;
96			}
97
98			/** Escapes data that is to be inserted in a URL not the whole URL itself.
99			*
100			* @param $string, the untrusted string to escape.
101			*
102			* @return, escaped string.
103			*/
104	1		public function escapeUrl($value) {
105	1		return rawurlencode($value);
106			}
107
108			/**
109			* Aliases to HTML functions for semantic value.
110			* XML escaping is identical to HTML escaping.
111			*/
112	1		public function escapeXml($value) {
113	1		return $this->escapeHTML($value);
114			}
115
116	1		public function escapeXmlAttr($value) {
117	1		return $this->escapeHTMLattr($value);
118			}
119			}
120

Sceluswe / XSS-Escaper

GitHub Access Token became invalid

CEscaper::escapeCSS() A last analyzed 2016-04-20 19:08 UTC

Complexity

Size

Duplication

Code Coverage

Duplication Side-by-Side

Filter issues like

CEscaper::escapeCSS() A
last analyzed 2016-04-20 19:08 UTC