Issues in pjax.js (master) - Issues in master - Strontium-90/StrontiumPjaxBundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (23)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Resources/public/js/pjax.js (9 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

(function ($, cookie, exports, domInitializer) {
    'use strict';

    var PJAX_PUSH = 'pjax-push';

    var app = exports.application = {
        PJAX_REDIRECT_TARGET_PARAMETER: 'pjax-redirect-target',
        ROOT_CONTAINER_NAME: 'main',

        linkSelector: 'a[data-pjax],' +
        'a:not([data-toggle]):not([data-behavior]):not([data-skip-pjax]):not([href^="http://"]):not([href^="/_profiler/"]):not([href^="/app_dev.php/_profiler/"])',

        formSelector: 'form:not([w]):not([data-skip-pjax])',

        params: {},

        getPage: function (route, params, target) {
            var req_params = this.params;
            for (var i in params) {
var someObject;
for (var key in someObject) {
    if ( ! someObject.hasOwnProperty(key)) {
        continue; // Skip keys from the prototype.
    }

    doSomethingWith(key);
}
                req_params[i] = params[i];
            }

            return this.getUrl(Routing.generate(route, req_params), target);

        },

        getPjaxContainer: function (target) {
            return findTargetContainer(target || app.ROOT_CONTAINER_NAME);
        },

        getUrl: function (url, target) {
            var container = this.getPjaxContainer(target);
            url = url || '';

            return $.pjax({
                url: url,
                container: container,
                method: 'get',
                push: toPush(target, 'GET'),
                replace: false
            });
        },

        reload: function (target, url) {
            return this.getUrl(url, target);
        }
    };

    $(function () {
        if ($.support.pjax) {
            $.pjax.defaults.timeout = 50000;

            $(document)
                .on('click', app.linkSelector, onPjaxLinkClick)
                .on('submit', app.formSelector, onPjaxFormSubmit)
                .on('pjax:complete', onPjaxComplete)
                .on('pjax:beforeSend', onPjaxBeforeSend)
                .on('pjax:beforeReplace', onPjaxBeforeReplace);
        }
    });

    function onPjaxLinkClick(event) {
        if (event.isDefaultPrevented()) {
            return;
        }
        var target = findPjaxTargetFor(this);
        var container = findTargetContainer(target);
        var redirectTarget = $(this).data(app.PJAX_REDIRECT_TARGET_PARAMETER);

        $.pjax.click(event, container, {
            target: target,
            redirectTarget: redirectTarget,
            push: toPush(target, 'GET', $(this).data(PJAX_PUSH)),
            replace: false
        });
    }

    function onPjaxFormSubmit(event) {
        if (event.isDefaultPrevented()) {
            return;
        }
        var $form = $(this);
        var target = findPjaxTargetFor(this);
        var targetContainer = findTargetContainer(target);

        /**
         * Если пытаемся отправить форму с файлами,
         * но браузером не поддерживается FormData,
         * тогда просто штатно отправляем форму.
         * Пока так.
         */
        if ('multipart/form-data' === $form.attr('enctype') && window.FormData === undefined) {
            return true;
        }
        var params = {
            target: target,
            redirectTarget: targetContainer.data(app.PJAX_REDIRECT_TARGET_PARAMETER),
            push: toPush(target, $form.attr('method'), $(this).data(PJAX_PUSH)),
            replace: false
        };

        if ($form.attr('enctype') === 'multipart/form-data') {
            $.extend(params, {
                contentType: false,
                processData: false,
                cache: false,
                data: $form.serializeMultipart()
            })
        }

        $.pjax.submit(event, targetContainer, params);

    }

    /**
     * Пушить стейт или нет
     *
     * @param target
     * @param method
     * @param option bool значение атрибута data-pjax-push
     * @returns bool
     */
    function toPush(target, method, option) {
        if (option == undefined) {
            if (method == undefined) {
                method = 'GET';
            }
            method = method.toUpperCase();

            return method == 'GET' && target == app.ROOT_CONTAINER_NAME;
        }

        return option;
    }


    function onPjaxComplete(event, content, status, options) {

        domInitializer.initialize(event.target);
    }

    function onPjaxBeforeReplace(event, contents, options) {
        var redirectedTo,
            redirectCookieTargetName,
            redirectCookieName,
            optionsTransformer,
            generateStateParams,
            redirectTarget = options.redirectTarget;

        if (redirectTarget) {
            redirectCookieTargetName = parsePjaxContainerSelector(options.context.selector);
            optionsTransformer = function (options) {
                return $.extend(options, {
                    context: findTargetContainer(redirectTarget)
                });
            };
            generateStateParams = function (options) {
                return {
                    container: options.context.selector
                };
            };
        } else {
            optionsTransformer = function (options) {
                return options;
            };
            generateStateParams = function (options) {

                return {};
            };
            redirectTarget = redirectCookieTargetName = findPjaxTargetFor(event.target);
        }

        redirectCookieName = 'pjax_redirect_' + redirectCookieTargetName;

        if (undefined !== (redirectedTo = cookie.get(redirectCookieName))) {
            cookie.expire(redirectCookieName);

            options = optionsTransformer(options);

            if (toPush(redirectTarget, 'GET')) {
                $.extend(event.state, {
                    push: true,
                    url: redirectedTo
                }, generateStateParams(options));
                window.history.pushState(event.state, event.state.title, event.state.url);
            }

            if (redirectTarget && redirectTarget != app.PJAX_MODAL_CONTAINER) {
                $(app.PJAX_MODAL_SELECTOR).modal('hide');
            }
        }
    }

    function onPjaxBeforeSend(event, xhr, settings) {
        xhr.setRequestHeader('X-PJAX-Target', settings.target);
        settings.redirectTarget && xhr.setRequestHeader('X-PJAX-Redirect-Target', settings.redirectTarget);
    }

    function findPjaxTargetFor(elem) {
        var $elem = $(elem);

        return $elem.data('pjax')
            || $elem.closest('[data-pjax-container]').data('pjax-container')
            || app.ROOT_CONTAINER_NAME;
    }

    function findTargetContainer(target) {
        var container = $(generatePjaxContainerSelector(target));

        return container.length ? container : null;
    }

    function generatePjaxContainerSelector(name) {
        return '[data-pjax-container="' + name + '"]';
    }

    /**
     * @param {string} selector
     * @returns {string}
     */
    function parsePjaxContainerSelector(selector) {
        return selector.match(/^\[data-pjax-container="(.+?)"\]$/)[1];
    }

    $.fn.serializeMultipart = function () {
        var obj = $(this);
        /* ADD FILE TO PARAM AJAX */
        var formData = new FormData();
        $.each($(obj).find("input[type='file']"), function (i, tag) {
            $.each($(tag)[0].files, function (i, file) {
                formData.append(tag.name, file);
            });
        });
        var params = $(obj).serializeArray();
        $.each(params, function (i, val) {
            formData.append(val.name, val.value);
        });
        return formData;
    };

})(jQuery, Cookies, window, domInitializer);



GitHub Access Token became invalid

Issues (23)

Security Analysis not enabled

Resources/public/js/pjax.js (9 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			(function ($, cookie, exports, domInitializer) {
2			'use strict';
3
4			var PJAX_PUSH = 'pjax-push';
5
6			var app = exports.application = {
7			PJAX_REDIRECT_TARGET_PARAMETER: 'pjax-redirect-target',
8			ROOT_CONTAINER_NAME: 'main',
9
10			linkSelector: 'a[data-pjax],' +
11			'a:not([data-toggle]):not([data-behavior]):not([data-skip-pjax]):not([href^="http://"]):not([href^="/_profiler/"]):not([href^="/app_dev.php/_profiler/"])',
12
13			formSelector: 'form:not([w]):not([data-skip-pjax])',
14
15			params: {},
16
17			getPage: function (route, params, target) {
18			var req_params = this.params;
19			for (var i in params) {
			0 ignored issues – show Complexity introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this A for in loop automatically includes the property of any prototype object, consider checking the key using `hasOwnProperty`. When iterating over the keys of an object, this includes not only the keys of the object, but also keys contained in the prototype of that object. It is generally a best practice to check for these keys specifically: var someObject; for (var key in someObject) { if ( ! someObject.hasOwnProperty(key)) { continue; // Skip keys from the prototype. } doSomethingWith(key); } Loading history...
20			req_params[i] = params[i];
21			}
22
23			return this.getUrl(Routing.generate(route, req_params), target);
			0 ignored issues – show Bug introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `Routing` seems to be never declared. If this is a global, consider adding a `/** global: Routing */` comment. This checks looks for references to variables that have not been declared. This is most likey a typographical error or a variable has been renamed. To learn more about declaring variables in Javascript, see the MDN. Loading history...
24			},
25
26			getPjaxContainer: function (target) {
27			return findTargetContainer(target \|\| app.ROOT_CONTAINER_NAME);
28			},
29
30			getUrl: function (url, target) {
31			var container = this.getPjaxContainer(target);
32			url = url \|\| '';
33
34			return $.pjax({
35			url: url,
36			container: container,
37			method: 'get',
38			push: toPush(target, 'GET'),
39			replace: false
40			});
41			},
42
43			reload: function (target, url) {
44			return this.getUrl(url, target);
45			}
46			};
47
48			$(function () {
49			if ($.support.pjax) {
50			$.pjax.defaults.timeout = 50000;
51
52			$(document)
53			.on('click', app.linkSelector, onPjaxLinkClick)
54			.on('submit', app.formSelector, onPjaxFormSubmit)
55			.on('pjax:complete', onPjaxComplete)
56			.on('pjax:beforeSend', onPjaxBeforeSend)
57			.on('pjax:beforeReplace', onPjaxBeforeReplace);
58			}
59			});
60
61			function onPjaxLinkClick(event) {
62			if (event.isDefaultPrevented()) {
63			return;
64			}
65			var target = findPjaxTargetFor(this);
66			var container = findTargetContainer(target);
67			var redirectTarget = $(this).data(app.PJAX_REDIRECT_TARGET_PARAMETER);
68
69			$.pjax.click(event, container, {
70			target: target,
71			redirectTarget: redirectTarget,
72			push: toPush(target, 'GET', $(this).data(PJAX_PUSH)),
73			replace: false
74			});
75			}
76
77			function onPjaxFormSubmit(event) {
78			if (event.isDefaultPrevented()) {
79			return;
80			}
81			var $form = $(this);
82			var target = findPjaxTargetFor(this);
83			var targetContainer = findTargetContainer(target);
84
85			/**
86			* Если пытаемся отправить форму с файлами,
87			* но браузером не поддерживается FormData,
88			* тогда просто штатно отправляем форму.
89			* Пока так.
90			*/
91			if ('multipart/form-data' === $form.attr('enctype') && window.FormData === undefined) {
92			return true;
93			}
94			var params = {
95			target: target,
96			redirectTarget: targetContainer.data(app.PJAX_REDIRECT_TARGET_PARAMETER),
97			push: toPush(target, $form.attr('method'), $(this).data(PJAX_PUSH)),
98			replace: false
99			};
100
101			if ($form.attr('enctype') === 'multipart/form-data') {
102			$.extend(params, {
103			contentType: false,
104			processData: false,
105			cache: false,
106			data: $form.serializeMultipart()
107			})
108			}
109
110			$.pjax.submit(event, targetContainer, params);
			0 ignored issues – show Best Practice introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no `return` statement in this branch, but you do return something in other branches. Did you maybe miss it? If you do not want to return anything, consider adding `return undefined;` explicitly. Loading history...
111			}
112
113			/**
114			* Пушить стейт или нет
115			*
116			* @param target
117			* @param method
118			* @param option bool значение атрибута data-pjax-push
119			* @returns bool
120			*/
121			function toPush(target, method, option) {
122			if (option == undefined) {
123			if (method == undefined) {
124			method = 'GET';
125			}
126			method = method.toUpperCase();
127
128			return method == 'GET' && target == app.ROOT_CONTAINER_NAME;
129			}
130
131			return option;
132			}
133
134
135			function onPjaxComplete(event, content, status, options) {
			0 ignored issues – show Unused Code introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `options` is not used and could be removed. This check looks for parameters in functions that are not used in the function body and are not followed by other parameters which are used inside the function. Loading history... Unused Code introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `content` is not used and could be removed. This check looks for parameters in functions that are not used in the function body and are not followed by other parameters which are used inside the function. Loading history... Unused Code introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `status` is not used and could be removed. This check looks for parameters in functions that are not used in the function body and are not followed by other parameters which are used inside the function. Loading history...
136			domInitializer.initialize(event.target);
137			}
138
139			function onPjaxBeforeReplace(event, contents, options) {
140			var redirectedTo,
141			redirectCookieTargetName,
142			redirectCookieName,
143			optionsTransformer,
144			generateStateParams,
145			redirectTarget = options.redirectTarget;
146
147			if (redirectTarget) {
148			redirectCookieTargetName = parsePjaxContainerSelector(options.context.selector);
149			optionsTransformer = function (options) {
150			return $.extend(options, {
151			context: findTargetContainer(redirectTarget)
152			});
153			};
154			generateStateParams = function (options) {
155			return {
156			container: options.context.selector
157			};
158			};
159			} else {
160			optionsTransformer = function (options) {
161			return options;
162			};
163			generateStateParams = function (options) {
			0 ignored issues – show Unused Code introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `options` is not used and could be removed. This check looks for parameters in functions that are not used in the function body and are not followed by other parameters which are used inside the function. Loading history...
164			return {};
165			};
166			redirectTarget = redirectCookieTargetName = findPjaxTargetFor(event.target);
167			}
168
169			redirectCookieName = 'pjax_redirect_' + redirectCookieTargetName;
170
171			if (undefined !== (redirectedTo = cookie.get(redirectCookieName))) {
172			cookie.expire(redirectCookieName);
173
174			options = optionsTransformer(options);
175
176			if (toPush(redirectTarget, 'GET')) {
177			$.extend(event.state, {
178			push: true,
179			url: redirectedTo
180			}, generateStateParams(options));
181			window.history.pushState(event.state, event.state.title, event.state.url);
182			}
183
184			if (redirectTarget && redirectTarget != app.PJAX_MODAL_CONTAINER) {
185			$(app.PJAX_MODAL_SELECTOR).modal('hide');
186			}
187			}
188			}
189
190			function onPjaxBeforeSend(event, xhr, settings) {
191			xhr.setRequestHeader('X-PJAX-Target', settings.target);
192			settings.redirectTarget && xhr.setRequestHeader('X-PJAX-Redirect-Target', settings.redirectTarget);
193			}
194
195			function findPjaxTargetFor(elem) {
196			var $elem = $(elem);
197
198			return $elem.data('pjax')
199			\|\| $elem.closest('[data-pjax-container]').data('pjax-container')
200			\|\| app.ROOT_CONTAINER_NAME;
201			}
202
203			function findTargetContainer(target) {
204			var container = $(generatePjaxContainerSelector(target));
205
206			return container.length ? container : null;
207			}
208
209			function generatePjaxContainerSelector(name) {
210			return '[data-pjax-container="' + name + '"]';
211			}
212
213			/**
214			* @param {string} selector
215			* @returns {string}
216			*/
217			function parsePjaxContainerSelector(selector) {
218			return selector.match(/^\[data-pjax-container="(.+?)"\]$/)[1];
219			}
220
221			$.fn.serializeMultipart = function () {
222			var obj = $(this);
223			/* ADD FILE TO PARAM AJAX */
224			var formData = new FormData();
225			$.each($(obj).find("input[type='file']"), function (i, tag) {
226			$.each($(tag)[0].files, function (i, file) {
227			formData.append(tag.name, file);
228			});
229			});
230			var params = $(obj).serializeArray();
231			$.each(params, function (i, val) {
232			formData.append(val.name, val.value);
233			});
234			return formData;
235			};
236
237			})(jQuery, Cookies, window, domInitializer);
			0 ignored issues – show Bug introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `Cookies` seems to be never declared. If this is a global, consider adding a `/** global: Cookies /` comment. This checks looks for references to variables that have not been declared. This is most likey a typographical error or a variable has been renamed. To learn more about declaring variables in Javascript, see the MDN. Loading history... Bug introduced 2016-07-08 10:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `domInitializer` seems to be never declared. If this is a global, consider adding a `/* global: domInitializer */` comment. This checks looks for references to variables that have not been declared. This is most likey a typographical error or a variable has been renamed. To learn more about declaring variables in Javascript, see the MDN. Loading history...
238

Strontium-90 / StrontiumPjaxBundle

GitHub Access Token became invalid

Issues (23)

Security Analysis not enabled

Resources/public/js/pjax.js (9 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like