@@ -23,10 +23,10 @@ discard block |
||
23 | 23 | } |
24 | 24 | |
25 | 25 | /** Sets the used charset for the esacpeHTML and escapeXML function. |
26 | - * |
|
27 | - * @param $value, the string/value to escape. |
|
28 | - * |
|
29 | - */ |
|
26 | + * |
|
27 | + * @param $value, the string/value to escape. |
|
28 | + * |
|
29 | + */ |
|
30 | 30 | public function setEncoding($value) |
31 | 31 | { |
32 | 32 | $_SESSION['escaper_charset'] = strip_tags($value); |
@@ -34,20 +34,20 @@ discard block |
||
34 | 34 | } |
35 | 35 | |
36 | 36 | /** Returns the used charset for the esacpeHTML and escapeXML function. |
37 | - * |
|
38 | - * @return the current charset as a string. |
|
39 | - */ |
|
37 | + * |
|
38 | + * @return the current charset as a string. |
|
39 | + */ |
|
40 | 40 | public function getEncoding() |
41 | 41 | { |
42 | 42 | return $this->CHARSET; |
43 | 43 | } |
44 | 44 | |
45 | 45 | /** Escapes HTML string using htmlspecialchars(). |
46 | - * |
|
47 | - * @param $string, the untrusted string to escape. |
|
48 | - * |
|
49 | - * @return $result, escaped string. |
|
50 | - */ |
|
46 | + * |
|
47 | + * @param $string, the untrusted string to escape. |
|
48 | + * |
|
49 | + * @return $result, escaped string. |
|
50 | + */ |
|
51 | 51 | public function escapeHTML($value) |
52 | 52 | { |
53 | 53 | $result = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $this->CHARSET); |
@@ -57,11 +57,11 @@ discard block |
||
57 | 57 | } |
58 | 58 | |
59 | 59 | /** Escapes non-alphanumeric characters in an untrusted string for HTML attribute values. |
60 | - * |
|
61 | - * @param $string, the untrusted string to escape. |
|
62 | - * |
|
63 | - * @return $result, escaped string. |
|
64 | - */ |
|
60 | + * |
|
61 | + * @param $string, the untrusted string to escape. |
|
62 | + * |
|
63 | + * @return $result, escaped string. |
|
64 | + */ |
|
65 | 65 | public function escapeHTMLattr($value) |
66 | 66 | { |
67 | 67 | $result = preg_replace_callback("/[\W]/", function ($matches){ |
@@ -73,11 +73,11 @@ discard block |
||
73 | 73 | } |
74 | 74 | |
75 | 75 | /** Escapes non-alphanumeric characters in an untrusted string for JS input values. |
76 | - * |
|
77 | - * @param $string, the untrusted string to escape. |
|
78 | - * |
|
79 | - * @return $result, escaped string. |
|
80 | - */ |
|
76 | + * |
|
77 | + * @param $string, the untrusted string to escape. |
|
78 | + * |
|
79 | + * @return $result, escaped string. |
|
80 | + */ |
|
81 | 81 | public function escapeJs($value) |
82 | 82 | { |
83 | 83 | $result = preg_replace_callback("/[\W]/", function ($matches){ |
@@ -89,11 +89,11 @@ discard block |
||
89 | 89 | } |
90 | 90 | |
91 | 91 | /** Escapes non-alphanumeric characters in an untrusted string for CSS input values. |
92 | - * |
|
93 | - * @param $string, the untrusted string to escape. |
|
94 | - * |
|
95 | - * @return $result, escaped string. |
|
96 | - */ |
|
92 | + * |
|
93 | + * @param $string, the untrusted string to escape. |
|
94 | + * |
|
95 | + * @return $result, escaped string. |
|
96 | + */ |
|
97 | 97 | public function escapeCSS($value) |
98 | 98 | { |
99 | 99 | $result = preg_replace_callback("/[\W]/", function ($matches){ |
@@ -105,20 +105,20 @@ discard block |
||
105 | 105 | } |
106 | 106 | |
107 | 107 | /** Escapes data that is to be inserted in a URL not the whole URL itself. |
108 | - * |
|
109 | - * @param $string, the untrusted string to escape. |
|
110 | - * |
|
111 | - * @return, escaped string. |
|
112 | - */ |
|
108 | + * |
|
109 | + * @param $string, the untrusted string to escape. |
|
110 | + * |
|
111 | + * @return, escaped string. |
|
112 | + */ |
|
113 | 113 | public function escapeUrl($value) |
114 | 114 | { |
115 | 115 | return rawurlencode($value); |
116 | 116 | } |
117 | 117 | |
118 | 118 | /** |
119 | - * Aliases to HTML functions for semantic value. |
|
120 | - * XML escaping is identical to HTML escaping. |
|
121 | - */ |
|
119 | + * Aliases to HTML functions for semantic value. |
|
120 | + * XML escaping is identical to HTML escaping. |
|
121 | + */ |
|
122 | 122 | public function escapeXml($value) |
123 | 123 | { |
124 | 124 | return $this->escapeHTML($value); |
@@ -64,7 +64,7 @@ discard block |
||
64 | 64 | */ |
65 | 65 | public function escapeHTMLattr($value) |
66 | 66 | { |
67 | - $result = preg_replace_callback("/[\W]/", function ($matches){ |
|
67 | + $result = preg_replace_callback("/[\W]/", function($matches) { |
|
68 | 68 | return "&#x" . bin2hex($matches[0]) . ";"; |
69 | 69 | }, |
70 | 70 | $value); |
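Review bot: The callback on line 67 still escapes byte by byte: `/[\W]/` has no `u` modifier and `bin2hex($matches[0])` emits one reference per matched byte, so a multi-byte UTF-8 character such as `é` comes out of escapeHTMLattr() as `&#xc3;&#xa9;`, which a browser decodes as two unrelated characters. Match whole characters and emit the code point instead, e.g. pattern `'/\W/u'` with `return '&#x' . dechex(mb_ord($matches[0], 'UTF-8')) . ';';` (assuming mbstring and a PHP version that provides mb_ord), and handle the `null` that preg_replace_callback() returns when the input is not valid UTF-8 under `u`. escapeJs() and escapeCSS() in the next two hunks use the same byte-wise pattern and need the equivalent change; the JS variant needs a `\uXXXX` form for code points above 0xFF. The function's return statement lies outside this hunk.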
@@ -80,7 +80,7 @@ discard block |
||
80 | 80 | */ |
81 | 81 | public function escapeJs($value) |
82 | 82 | { |
83 | - $result = preg_replace_callback("/[\W]/", function ($matches){ |
|
83 | + $result = preg_replace_callback("/[\W]/", function($matches) { |
|
84 | 84 | return "\\x" . bin2hex($matches[0]); |
85 | 85 | }, |
86 | 86 | $value); |
@@ -96,7 +96,7 @@ discard block |
||
96 | 96 | */ |
97 | 97 | public function escapeCSS($value) |
98 | 98 | { |
99 | - $result = preg_replace_callback("/[\W]/", function ($matches){ |
|
99 | + $result = preg_replace_callback("/[\W]/", function($matches) { |
|
100 | 100 | return "\\" . bin2hex($matches[0]) . " "; |
101 | 101 | }, |
102 | 102 | $value); |
@@ -25,6 +25,7 @@ discard block |
||
25 | 25 | /** Sets the used charset for the esacpeHTML and escapeXML function. |
26 | 26 | * |
27 | 27 | * @param $value, the string/value to escape. |
28 | + * @param string $value |
|
28 | 29 | * |
29 | 30 | */ |
30 | 31 | public function setEncoding($value) |
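Review bot: The docblock now carries two `@param` tags for the single parameter `$value`, and the older one still describes it as "the string/value to escape" although this setter takes a charset name. Replace both with one tag, e.g. `@param string $value Charset name, e.g. 'UTF-8'.` The body shown in the first hunk stores `strip_tags($value)` in `$_SESSION['escaper_charset']`, while getEncoding() and escapeHTML() read `$this->CHARSET`. strip_tags() does not check that the value is an encoding htmlspecialchars() supports, so the docblock should state which values are accepted, or the setter should compare the value against an allow-list before storing it. The setter's body lies outside this hunk.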
@@ -35,7 +36,7 @@ discard block |
||
35 | 36 | |
36 | 37 | /** Returns the used charset for the esacpeHTML and escapeXML function. |
37 | 38 | * |
38 | - * @return the current charset as a string. |
|
39 | + * @return string current charset as a string. |
|
39 | 40 | */ |
40 | 41 | public function getEncoding() |
41 | 42 | { |
@@ -75,6 +76,7 @@ discard block |
||
75 | 76 | /** Escapes non-alphanumeric characters in an untrusted string for JS input values. |
76 | 77 | * |
77 | 78 | * @param $string, the untrusted string to escape. |
79 | + * @param string $value |
|
78 | 80 | * |
79 | 81 | * @return $result, escaped string. |
80 | 82 | */ |
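Review bot: The added `@param string $value` sits next to the old `@param $string, the untrusted string to escape.`, which names a parameter the method does not have, so the docblock now documents two parameters for a one-argument method. Merge them into a single tag, `@param string $value The untrusted string to escape.`. The escapeCSS() and escapeUrl() docblocks in the next two hunks have the same duplicate. The `@return $result, escaped string.` line should likewise give a type rather than a variable name, e.g. `@return string The escaped string.`, if the part of the method not shown here always returns a string. The method signature and body lie outside this hunk.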
@@ -91,6 +93,7 @@ discard block |
||
91 | 93 | /** Escapes non-alphanumeric characters in an untrusted string for CSS input values. |
92 | 94 | * |
93 | 95 | * @param $string, the untrusted string to escape. |
96 | + * @param string $value |
|
94 | 97 | * |
95 | 98 | * @return $result, escaped string. |
96 | 99 | */ |
@@ -107,6 +110,7 @@ discard block |
||
107 | 110 | /** Escapes data that is to be inserted in a URL not the whole URL itself. |
108 | 111 | * |
109 | 112 | * @param $string, the untrusted string to escape. |
113 | + * @param string $value |
|
110 | 114 | * |
111 | 115 | * @return, escaped string. |
112 | 116 | */ |
@@ -118,12 +122,16 @@ discard block |
||
118 | 122 | /** |
119 | 123 | * Aliases to HTML functions for semantic value. |
120 | 124 | * XML escaping is identical to HTML escaping. |
125 | + * @param string $value |
|
121 | 126 | */ |
122 | 127 | public function escapeXml($value) |
123 | 128 | { |
124 | 129 | return $this->escapeHTML($value); |
125 | 130 | } |
126 | 131 | |
132 | + /** |
|
133 | + * @param string $value |
|
134 | + */ |
|
127 | 135 | public function escapeXmlAttr($value) |
128 | 136 | { |
129 | 137 | return $this->escapeHTMLattr($value); |
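Review bot: The new docblock for escapeXmlAttr() holds only `@param string $value`, so it does not say what the method does or returns, and the tag added to escapeXml() has no description either. Give escapeXmlAttr() a summary line such as `Alias of escapeHTMLattr() for XML attribute values.` plus a `@return` tag that matches escapeHTMLattr(), and describe the parameter as `The untrusted string to escape.` in both docblocks. The statement "XML escaping is identical to HTML escaping" in the escapeXml() docblock should be qualified, because escapeHTML() as shown calls htmlspecialchars() without `ENT_XML1` and nothing visible here removes characters that are not allowed in XML documents. The closing brace of escapeXmlAttr() lies outside this hunk.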
@@ -13,30 +13,30 @@ |
||
13 | 13 | */ |
14 | 14 | spl_autoload_register(function ($class) { |
15 | 15 | |
16 | - // project-specific namespace prefix |
|
17 | - //$prefix = 'Foo\\Bar\\'; |
|
18 | - $prefix = 'Scelus\\'; |
|
16 | + // project-specific namespace prefix |
|
17 | + //$prefix = 'Foo\\Bar\\'; |
|
18 | + $prefix = 'Scelus\\'; |
|
19 | 19 | |
20 | - // base directory for the namespace prefix |
|
21 | - $base_dir = __DIR__ . '/src/'; |
|
20 | + // base directory for the namespace prefix |
|
21 | + $base_dir = __DIR__ . '/src/'; |
|
22 | 22 | |
23 | - // does the class use the namespace prefix? |
|
24 | - $len = strlen($prefix); |
|
25 | - if (strncmp($prefix, $class, $len) !== 0) { |
|
26 | - // no, move to the next registered autoloader |
|
27 | - return; |
|
28 | - } |
|
23 | + // does the class use the namespace prefix? |
|
24 | + $len = strlen($prefix); |
|
25 | + if (strncmp($prefix, $class, $len) !== 0) { |
|
26 | + // no, move to the next registered autoloader |
|
27 | + return; |
|
28 | + } |
|
29 | 29 | |
30 | - // get the relative class name |
|
31 | - $relative_class = substr($class, $len); |
|
30 | + // get the relative class name |
|
31 | + $relative_class = substr($class, $len); |
|
32 | 32 | |
33 | - // replace the namespace prefix with the base directory, replace namespace |
|
34 | - // separators with directory separators in the relative class name, append |
|
35 | - // with .php |
|
36 | - $file = $base_dir . str_replace('\\', '/', $relative_class) . '.php'; |
|
33 | + // replace the namespace prefix with the base directory, replace namespace |
|
34 | + // separators with directory separators in the relative class name, append |
|
35 | + // with .php |
|
36 | + $file = $base_dir . str_replace('\\', '/', $relative_class) . '.php'; |
|
37 | 37 | |
38 | - // if the file exists, require it |
|
39 | - if (file_exists($file)) { |
|
40 | - require $file; |
|
41 | - } |
|
38 | + // if the file exists, require it |
|
39 | + if (file_exists($file)) { |
|
40 | + require $file; |
|
41 | + } |
|
42 | 42 | }); |
43 | 43 | \ No newline at end of file |
@@ -11,7 +11,7 @@ |
||
11 | 11 | * @param string $class The fully-qualified class name. |
12 | 12 | * @return void |
13 | 13 | */ |
14 | -spl_autoload_register(function ($class) { |
|
14 | +spl_autoload_register(function($class) { |
|
15 | 15 | |
16 | 16 | // project-specific namespace prefix |
17 | 17 | //$prefix = 'Foo\\Bar\\'; |
@@ -11,16 +11,16 @@ discard block |
||
11 | 11 | class CEscaperTest extends \PHPUnit_Framework_TestCase |
12 | 12 | { |
13 | 13 | /** |
14 | - * Test |
|
15 | - * |
|
16 | - * @return void |
|
17 | - */ |
|
14 | + * Test |
|
15 | + * |
|
16 | + * @return void |
|
17 | + */ |
|
18 | 18 | public function testConstructorSuccess() { |
19 | 19 | $el = new \Scelus\Escaper\CEscaper(); |
20 | 20 | |
21 | - $res = $el->getEncoding(); |
|
22 | - $exp = 'UTF-8'; |
|
23 | - $this->assertEquals($res, $exp, "Created element name missmatch."); |
|
21 | + $res = $el->getEncoding(); |
|
22 | + $exp = 'UTF-8'; |
|
23 | + $this->assertEquals($res, $exp, "Created element name missmatch."); |
|
24 | 24 | } |
25 | 25 | |
26 | 26 | /** |
@@ -42,10 +42,10 @@ discard block |
||
42 | 42 | } |
43 | 43 | |
44 | 44 | /** |
45 | - * Test |
|
46 | - * |
|
47 | - * @return void |
|
48 | - */ |
|
45 | + * Test |
|
46 | + * |
|
47 | + * @return void |
|
48 | + */ |
|
49 | 49 | public function testEscapeHTML() { |
50 | 50 | $el = new \Scelus\Escaper\CEscaper(); |
51 | 51 | |
@@ -56,10 +56,10 @@ discard block |
||
56 | 56 | } |
57 | 57 | |
58 | 58 | /** |
59 | - * Test |
|
60 | - * |
|
61 | - * @return void |
|
62 | - */ |
|
59 | + * Test |
|
60 | + * |
|
61 | + * @return void |
|
62 | + */ |
|
63 | 63 | public function testEscapeHTMLattr() { |
64 | 64 | $el = new \Scelus\Escaper\CEscaper(); |
65 | 65 | |
@@ -70,10 +70,10 @@ discard block |
||
70 | 70 | } |
71 | 71 | |
72 | 72 | /** |
73 | - * Test |
|
74 | - * |
|
75 | - * @return void |
|
76 | - */ |
|
73 | + * Test |
|
74 | + * |
|
75 | + * @return void |
|
76 | + */ |
|
77 | 77 | public function testEscapeUrl() { |
78 | 78 | $el = new \Scelus\Escaper\CEscaper(); |
79 | 79 | |
@@ -84,10 +84,10 @@ discard block |
||
84 | 84 | } |
85 | 85 | |
86 | 86 | /** |
87 | - * Test |
|
88 | - * |
|
89 | - * @return void |
|
90 | - */ |
|
87 | + * Test |
|
88 | + * |
|
89 | + * @return void |
|
90 | + */ |
|
91 | 91 | public function testEscapeCSS() { |
92 | 92 | $el = new \Scelus\Escaper\CEscaper(); |
93 | 93 | |
@@ -98,10 +98,10 @@ discard block |
||
98 | 98 | } |
99 | 99 | |
100 | 100 | /** |
101 | - * Test |
|
102 | - * |
|
103 | - * @return void |
|
104 | - */ |
|
101 | + * Test |
|
102 | + * |
|
103 | + * @return void |
|
104 | + */ |
|
105 | 105 | public function testEscapeJs() { |
106 | 106 | $el = new \Scelus\Escaper\CEscaper(); |
107 | 107 | $argument = "'; alert(100); var x='"; |
@@ -111,10 +111,10 @@ discard block |
||
111 | 111 | } |
112 | 112 | |
113 | 113 | /** |
114 | - * Test |
|
115 | - * |
|
116 | - * @return void |
|
117 | - */ |
|
114 | + * Test |
|
115 | + * |
|
116 | + * @return void |
|
117 | + */ |
|
118 | 118 | public function testEscapeXML() { |
119 | 119 | $el = new \Scelus\Escaper\CEscaper(); |
120 | 120 | $argument = '></div><h1>myattack</h1>'; |
@@ -124,10 +124,10 @@ discard block |
||
124 | 124 | } |
125 | 125 | |
126 | 126 | /** |
127 | - * Test |
|
128 | - * |
|
129 | - * @return void |
|
130 | - */ |
|
127 | + * Test |
|
128 | + * |
|
129 | + * @return void |
|
130 | + */ |
|
131 | 131 | public function testEscapeXmlattr() { |
132 | 132 | $el = new \Scelus\Escaper\CEscaper(); |
133 | 133 | $argument = '"><h1>Hello</table'; |