Issues in TemplateParser.php (master) - Issues in master - beyondcode/laravel-inline-translation - Measure and Improve Code Quality continuously with Scrutinizer

Issues (7)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/TemplateParser.php (2 issues)

Labels

Unused Code 2

Severity

Minor 2

Marcel Pociot 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace BeyondCode\InlineTranslation;

use Exception;

class TemplateParser
{
    const DATA_TRANSLATE = 'data-translate';

    /**
     * @var array
     */
    private $viewData;

    /**
     * List of simple tags
     *
     * @var array
     */
    protected $allowedTags = [
        'legend' => 'Caption for the fieldset element',
        'label' => 'Label for an input element.',
        'button' => 'Push button',
        'a' => 'Link label',
        'b' => 'Bold text',
        'strong' => 'Strong emphasized text',
        'i' => 'Italic text',
        'em' => 'Emphasized text',
        'u' => 'Underlined text',
        'sup' => 'Superscript text',
        'sub' => 'Subscript text',
        'span' => 'Span element',
        'small' => 'Smaller text',
        'big' => 'Bigger text',
        'address' => 'Contact information',
        'blockquote' => 'Long quotation',
        'q' => 'Short quotation',
        'cite' => 'Citation',
        'caption' => 'Table caption',
        'abbr' => 'Abbreviated phrase',
        'acronym' => 'An acronym',
        'var' => 'Variable part of a text',
        'dfn' => 'Term',
        'strike' => 'Strikethrough text',
        'del' => 'Deleted text',
        'ins' => 'Inserted text',
        'h1' => 'Heading level 1',
        'h2' => 'Heading level 2',
        'h3' => 'Heading level 3',
        'h4' => 'Heading level 4',
        'h5' => 'Heading level 5',
        'h6' => 'Heading level 6',
        'center' => 'Centered text',
        'select' => 'List options',
        'img' => 'Image',
        'input' => 'Form element',
        'p' => 'Generic Paragraph',
    ];

    /**
     * TemplateParser constructor.
     * @param array $viewData
     */
    public function __construct(array $viewData = [])
    {
        $this->viewData = $viewData;
    }

    public function parseTranslationTags(string &$viewContent)
    {
        $nextTag = 0;

        $tags = implode('|', array_keys($this->allowedTags));

        $tagRegExp = '#<(' . $tags . ')(/?>| \s*[^>]*+/?>)#iSU';

        $tagMatch = [];

        while (preg_match($tagRegExp, $viewContent, $tagMatch, PREG_OFFSET_CAPTURE, $nextTag)) {
            $tagName = strtolower($tagMatch[1][0]);

            if (substr($tagMatch[0][0], -2) == '/>') {
                $tagClosurePos = $tagMatch[0][1] + strlen($tagMatch[0][0]);
            } else {
                $tagClosurePos = $this->findEndOfTag($viewContent, $tagName, $tagMatch[0][1]);
            }

            if ($tagClosurePos === false) {
                $nextTag += strlen($tagMatch[0][0]);
                continue;
            }

            $tagLength = $tagClosurePos - $tagMatch[0][1];
            $tagStartLength = strlen($tagMatch[0][0]);

            $tagHtml = $tagMatch[0][0] . substr(
                    $viewContent,
                    $tagMatch[0][1] + $tagStartLength,
                    $tagLength - $tagStartLength
                );

            $tagClosurePos = $tagMatch[0][1] + strlen($tagHtml);

            $trArr = $this->getTranslateData(
                '/({{|{!!)\s*(__|\@lang|\@trans|\@choice|trans|trans_choice)\((.*?)\)\s*(}}|!!})/m',
                $tagHtml,
                ['tagName' => $tagName, 'tagList' => $this->allowedTags]
            );

            if (!empty($trArr)) {
                $trArr = array_unique($trArr);

                $tagHtml = $this->applyTranslationTags($tagHtml, $tagName, $trArr);

                $tagClosurePos = $tagMatch[0][1] + strlen($tagHtml);
                $viewContent = substr_replace($viewContent, $tagHtml, $tagMatch[0][1], $tagLength);
            }

            $nextTag = $tagClosurePos;
        }
    }

    /**
     * Format translation for simple tags.  Added translate mode attribute for vde requests.
     *
     * @param string $tagHtml
     * @param string $tagName
     * @param array $trArr
     * @return string
     */
    protected function applyTranslationTags($tagHtml, $tagName, $trArr)
    {
        $simpleTags = substr(
                $tagHtml,
                0,
                strlen($tagName) + 1
            ) . ' ' . $this->getHtmlAttribute(
                self::DATA_TRANSLATE,
                htmlspecialchars('[' . join(',', $trArr) . ']')
            );

        $simpleTags .= substr($tagHtml, strlen($tagName) + 1);
        return $simpleTags;
    }

    /**
     * Get html element attribute
     *
     * @param string $name
     * @param string $value
     * @return string
     */
    private function getHtmlAttribute($name, $value)
    {
        return $name . '="' . $value . '"';
    }

    /**
     * Get translate data by regexp
     *
     * @param string $regexp
     * @param string $text
     * @param array $options
     * @return array
     */
    private function getTranslateData($regexp, $text, $options = [])
    {
        $trArr = [];
        $nextRegexOffset = 0;
        while (preg_match($regexp, $text, $matches, PREG_OFFSET_CAPTURE, $nextRegexOffset)) {

            extract($this->viewData, EXTR_OVERWRITE);
            $translationParameters = $this->extractVariablesFromLocalizationParameters($matches[3][0]);

            try {
                $translated = eval('return ' . $matches[2][0] . '(' . $matches[3][0] . ');');
            } catch (Exception $e) {
                $translated = '';
            }

            $trArr[] = json_encode(
                [
                    'translated' => $translated,
                    'original' => $translationParameters[0],
                    'parameters' => $translationParameters[1] ?? [],
                    'location' => htmlspecialchars_decode($this->getTagLocation($matches, $options)),
                ]
            );
            $nextRegexOffset = $matches[4][1];
        }
        return $trArr;
    }

    /**
     * Get tag location
     *
     * @param array $matches
     * @param array $options
     * @return string
     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
     */
    protected function getTagLocation($matches, $options)

    {
        $tagName = strtolower($options['tagName']);
        if (isset($options['tagList'][$tagName])) {
            return $options['tagList'][$tagName];
        }
        return ucfirst($tagName) . ' Text';
    }

    private function _returnViewData()

    {
        $args = func_get_args();
        $return = [];

        foreach ($args as $argument) {
            $return[] = $argument;
        }

        return $return;
    }

    /**
     * @param string $localizationParameters
     * @return array|mixed
     */
    private function extractVariablesFromLocalizationParameters($localizationParameters)
    {
        try {
            extract($this->viewData, EXTR_OVERWRITE);
            return eval('return $this->_returnViewData(' . $localizationParameters . ');');
        } catch (Exception $e) {
            return [
                $localizationParameters
            ];
        }
    }

    /**
     * Find end of tag
     *
     * @param string $body
     * @param string $tagName
     * @param int $from
     * @return bool|int return false if end of tag is not found
     */
    private function findEndOfTag($body, $tagName, $from)
    {
        $openTag = '<' . $tagName;
        $closeTag = '</' . $tagName;
        $tagLength = strlen($tagName);
        $length = $tagLength + 1;
        $end = $from + 1;

        while (substr_count($body, $openTag, $from, $length) !== substr_count($body, $closeTag, $from, $length)) {
            $end = strpos($body, $closeTag, $end + $tagLength + 1);
            if ($end === false) {
                return false;
            }
            $length = $end - $from + $tagLength + 3;
        }

        if (preg_match('#<\\\\?\/' . $tagName . '\s*?>#i', $body, $tagMatch, null, $end)) {
            return $end + strlen($tagMatch[0]);
        } else {
            return false;
        }
    }
}


1			<?php
2
3			namespace BeyondCode\InlineTranslation;
4
5			use Exception;
6
7			class TemplateParser
8			{
9			const DATA_TRANSLATE = 'data-translate';
10
11			/**
12			* @var array
13			*/
14			private $viewData;
15
16			/**
17			* List of simple tags
18			*
19			* @var array
20			*/
21			protected $allowedTags = [
22			'legend' => 'Caption for the fieldset element',
23			'label' => 'Label for an input element.',
24			'button' => 'Push button',
25			'a' => 'Link label',
26			'b' => 'Bold text',
27			'strong' => 'Strong emphasized text',
28			'i' => 'Italic text',
29			'em' => 'Emphasized text',
30			'u' => 'Underlined text',
31			'sup' => 'Superscript text',
32			'sub' => 'Subscript text',
33			'span' => 'Span element',
34			'small' => 'Smaller text',
35			'big' => 'Bigger text',
36			'address' => 'Contact information',
37			'blockquote' => 'Long quotation',
38			'q' => 'Short quotation',
39			'cite' => 'Citation',
40			'caption' => 'Table caption',
41			'abbr' => 'Abbreviated phrase',
42			'acronym' => 'An acronym',
43			'var' => 'Variable part of a text',
44			'dfn' => 'Term',
45			'strike' => 'Strikethrough text',
46			'del' => 'Deleted text',
47			'ins' => 'Inserted text',
48			'h1' => 'Heading level 1',
49			'h2' => 'Heading level 2',
50			'h3' => 'Heading level 3',
51			'h4' => 'Heading level 4',
52			'h5' => 'Heading level 5',
53			'h6' => 'Heading level 6',
54			'center' => 'Centered text',
55			'select' => 'List options',
56			'img' => 'Image',
57			'input' => 'Form element',
58			'p' => 'Generic Paragraph',
59			];
60
61			/**
62			* TemplateParser constructor.
63			* @param array $viewData
64			*/
65			public function __construct(array $viewData = [])
66			{
67			$this->viewData = $viewData;
68			}
69
70			public function parseTranslationTags(string &$viewContent)
71			{
72			$nextTag = 0;
73
74			$tags = implode('\|', array_keys($this->allowedTags));
75
76			$tagRegExp = '#<(' . $tags . ')(/?>\| \s[^>]+/?>)#iSU';
77
78			$tagMatch = [];
79
80			while (preg_match($tagRegExp, $viewContent, $tagMatch, PREG_OFFSET_CAPTURE, $nextTag)) {
81			$tagName = strtolower($tagMatch[1][0]);
82
83			if (substr($tagMatch[0][0], -2) == '/>') {
84			$tagClosurePos = $tagMatch[0][1] + strlen($tagMatch[0][0]);
85			} else {
86			$tagClosurePos = $this->findEndOfTag($viewContent, $tagName, $tagMatch[0][1]);
87			}
88
89			if ($tagClosurePos === false) {
90			$nextTag += strlen($tagMatch[0][0]);
91			continue;
92			}
93
94			$tagLength = $tagClosurePos - $tagMatch[0][1];
95			$tagStartLength = strlen($tagMatch[0][0]);
96
97			$tagHtml = $tagMatch[0][0] . substr(
98			$viewContent,
99			$tagMatch[0][1] + $tagStartLength,
100			$tagLength - $tagStartLength
101			);
102
103			$tagClosurePos = $tagMatch[0][1] + strlen($tagHtml);
104
105			$trArr = $this->getTranslateData(
106			'/({{\|{!!)\s(__\|\@lang\|\@trans\|\@choice\|trans\|trans_choice)\((.?)\)\s*(}}\|!!})/m',
107			$tagHtml,
108			['tagName' => $tagName, 'tagList' => $this->allowedTags]
109			);
110
111			if (!empty($trArr)) {
112			$trArr = array_unique($trArr);
113
114			$tagHtml = $this->applyTranslationTags($tagHtml, $tagName, $trArr);
115
116			$tagClosurePos = $tagMatch[0][1] + strlen($tagHtml);
117			$viewContent = substr_replace($viewContent, $tagHtml, $tagMatch[0][1], $tagLength);
118			}
119
120			$nextTag = $tagClosurePos;
121			}
122			}
123
124			/**
125			* Format translation for simple tags. Added translate mode attribute for vde requests.
126			*
127			* @param string $tagHtml
128			* @param string $tagName
129			* @param array $trArr
130			* @return string
131			*/
132			protected function applyTranslationTags($tagHtml, $tagName, $trArr)
133			{
134			$simpleTags = substr(
135			$tagHtml,
136			0,
137			strlen($tagName) + 1
138			) . ' ' . $this->getHtmlAttribute(
139			self::DATA_TRANSLATE,
140			htmlspecialchars('[' . join(',', $trArr) . ']')
141			);
142
143			$simpleTags .= substr($tagHtml, strlen($tagName) + 1);
144			return $simpleTags;
145			}
146
147			/**
148			* Get html element attribute
149			*
150			* @param string $name
151			* @param string $value
152			* @return string
153			*/
154			private function getHtmlAttribute($name, $value)
155			{
156			return $name . '="' . $value . '"';
157			}
158
159			/**
160			* Get translate data by regexp
161			*
162			* @param string $regexp
163			* @param string $text
164			* @param array $options
165			* @return array
166			*/
167			private function getTranslateData($regexp, $text, $options = [])
168			{
169			$trArr = [];
170			$nextRegexOffset = 0;
171			while (preg_match($regexp, $text, $matches, PREG_OFFSET_CAPTURE, $nextRegexOffset)) {
172
173			extract($this->viewData, EXTR_OVERWRITE);
174			$translationParameters = $this->extractVariablesFromLocalizationParameters($matches[3][0]);
175
176			try {
177			$translated = eval('return ' . $matches[2][0] . '(' . $matches[3][0] . ');');
178			} catch (Exception $e) {
179			$translated = '';
180			}
181
182			$trArr[] = json_encode(
183			[
184			'translated' => $translated,
185			'original' => $translationParameters[0],
186			'parameters' => $translationParameters[1] ?? [],
187			'location' => htmlspecialchars_decode($this->getTagLocation($matches, $options)),
188			]
189			);
190			$nextRegexOffset = $matches[4][1];
191			}
192			return $trArr;
193			}
194
195			/**
196			* Get tag location
197			*
198			* @param array $matches
199			* @param array $options
200			* @return string
201			* @SuppressWarnings(PHPMD.UnusedFormalParameter)
202			*/
203			protected function getTagLocation($matches, $options)
			0 ignored issues – show Unused Code introduced 2018-07-23 11:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$matches` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
204			{
205			$tagName = strtolower($options['tagName']);
206			if (isset($options['tagList'][$tagName])) {
207			return $options['tagList'][$tagName];
208			}
209			return ucfirst($tagName) . ' Text';
210			}
211
212			private function _returnViewData()
			0 ignored issues – show Unused Code introduced 2018-07-23 11:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method is not used, and could be removed. Loading history...
213			{
214			$args = func_get_args();
215			$return = [];
216
217			foreach ($args as $argument) {
218			$return[] = $argument;
219			}
220
221			return $return;
222			}
223
224			/**
225			* @param string $localizationParameters
226			* @return array\|mixed
227			*/
228			private function extractVariablesFromLocalizationParameters($localizationParameters)
229			{
230			try {
231			extract($this->viewData, EXTR_OVERWRITE);
232			return eval('return $this->_returnViewData(' . $localizationParameters . ');');
233			} catch (Exception $e) {
234			return [
235			$localizationParameters
236			];
237			}
238			}
239
240			/**
241			* Find end of tag
242			*
243			* @param string $body
244			* @param string $tagName
245			* @param int $from
246			* @return bool\|int return false if end of tag is not found
247			*/
248			private function findEndOfTag($body, $tagName, $from)
249			{
250			$openTag = '<' . $tagName;
251			$closeTag = '</' . $tagName;
252			$tagLength = strlen($tagName);
253			$length = $tagLength + 1;
254			$end = $from + 1;
255
256			while (substr_count($body, $openTag, $from, $length) !== substr_count($body, $closeTag, $from, $length)) {
257			$end = strpos($body, $closeTag, $end + $tagLength + 1);
258			if ($end === false) {
259			return false;
260			}
261			$length = $end - $from + $tagLength + 3;
262			}
263
264			if (preg_match('#<\\\\?\/' . $tagName . '\s*?>#i', $body, $tagMatch, null, $end)) {
265			return $end + strlen($tagMatch[0]);
266			} else {
267			return false;
268			}
269			}
270			}
271

beyondcode / laravel-inline-translation

Issues (7)

Security Analysis not enabled

src/TemplateParser.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like