devtoolboxuk /
soteria
Complex classes like Xss often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use Xss, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 19 | class Xss |
||
|
|
|||
| 20 | { |
||
| 21 | |||
| 22 | private $_xss_found = null; |
||
| 23 | private $neverAllowed; |
||
| 24 | private $exploded; |
||
| 25 | private $string; |
||
| 26 | private $attributes; |
||
| 27 | private $javascript; |
||
| 28 | private $html; |
||
| 29 | private $utf7; |
||
| 30 | private $utf8; |
||
| 31 | private $strings; |
||
| 32 | private $system; |
||
| 33 | private $input; |
||
| 34 | private $output; |
||
| 35 | |||
| 36 | |||
| 37 | 6 | function __construct() |
|
| 41 | |||
| 42 | 6 | function init() |
|
| 59 | |||
| 60 | |||
| 61 | function setString($str) |
||
| 65 | |||
| 66 | public function cleanArray($array) |
||
| 70 | |||
| 71 | /** |
||
| 72 | * @param $str |
||
| 73 | * @return array|mixed |
||
| 74 | */ |
||
| 75 | 6 | public function clean($str) |
|
| 76 | { |
||
| 77 | // reset |
||
| 78 | 6 | $this->_xss_found = null; |
|
| 79 | |||
| 80 | // check for an array of strings |
||
| 81 | 6 | if (\is_array($str)) { |
|
| 82 | 2 | foreach ($str as $key => $value) { |
|
| 83 | 2 | $str[$key] = $this->clean($value); |
|
| 84 | } |
||
| 85 | 2 | return $str; |
|
| 86 | } |
||
| 87 | |||
| 88 | 6 | $this->input = $str; |
|
| 89 | 6 | $this->output = $this->process($str); |
|
| 90 | 6 | return $this->output; |
|
| 91 | } |
||
| 92 | |||
| 93 | 6 | private function process($str) |
|
| 94 | { |
||
| 95 | |||
| 96 | // process |
||
| 97 | do { |
||
| 98 | 6 | $old_str = $str; |
|
| 99 | 6 | $str = $this->_do($str); |
|
| 100 | 6 | } while ($old_str !== $str); |
|
| 101 | |||
| 102 | // keep the old value, if there wasn't any XSS attack |
||
| 103 | 6 | if ($this->_xss_found !== true) { |
|
| 104 | 6 | $str = $this->input; |
|
| 105 | } |
||
| 106 | |||
| 107 | 6 | return $str; |
|
| 108 | } |
||
| 109 | |||
| 110 | /** |
||
| 111 | * @param StringResource $str |
||
| 112 | * |
||
| 113 | * @return mixed |
||
| 114 | */ |
||
| 115 | 6 | private function _do($str) |
|
| 116 | { |
||
| 117 | 6 | $str = (string)$str; |
|
| 118 | 6 | $strInt = (int)$str; |
|
| 119 | 6 | $strFloat = (float)$str; |
|
| 120 | 6 | if (!$str || (string)$strInt === $str || (string)$strFloat === $str) { |
|
| 121 | |||
| 122 | // no xss found |
||
| 123 | 6 | if ($this->_xss_found !== true) { |
|
| 124 | 6 | $this->_xss_found = false; |
|
| 125 | } |
||
| 126 | |||
| 127 | 6 | return $str; |
|
| 128 | } |
||
| 129 | |||
| 130 | // remove the BOM from UTF-8 / UTF-16 / UTF-32 strings |
||
| 131 | 6 | $str = $this->utf8->remove_bom($str); |
|
| 132 | |||
| 133 | // replace the diamond question mark (�) and invalid-UTF8 chars |
||
| 134 | 6 | $str = $this->utf8->replace_diamond_question_mark($str, ''); |
|
| 135 | |||
| 136 | // replace invisible characters with one single space |
||
| 137 | 6 | $str = $this->utf8->remove_invisible_characters($str, true, ' '); |
|
| 138 | |||
| 139 | 6 | $str = $this->utf8->normalize_whitespace($str); |
|
| 140 | 6 | $str = $this->strings->replace($str); |
|
| 141 | |||
| 142 | // decode UTF-7 characters |
||
| 143 | 6 | $str = $this->utf7->repack($str); |
|
| 144 | |||
| 145 | // decode the string |
||
| 146 | 6 | $str = $this->decodeString($str); // RW Partly DONE |
|
| 147 | |||
| 148 | // backup the string (for later comparision) |
||
| 149 | 6 | $str_backup = $str; |
|
| 150 | |||
| 151 | // remove strings that are never allowed |
||
| 152 | 6 | $str = $this->neverAllowed->doNeverAllowed($str); //RW DONE |
|
| 153 | |||
| 154 | // corrects words before the browser will do it |
||
| 155 | 6 | $str = $this->exploded->compactExplodedString($str); //RW DONE |
|
| 156 | |||
| 157 | // remove disallowed javascript calls in links, images etc. |
||
| 158 | 6 | $str = $this->javascript->removeDisallowedJavascript($str); |
|
| 159 | |||
| 160 | // remove evil attributes such as style, onclick and xmlns |
||
| 161 | 6 | $str = $this->attributes->removeEvilAttributes($str); |
|
| 162 | |||
| 163 | // sanitize naughty JavaScript elements |
||
| 164 | 6 | $str = $this->javascript->naughtyJavascript($str); |
|
| 165 | |||
| 166 | // sanitize naughty HTML elements |
||
| 167 | 6 | $str = $this->html->naughtyHtml($str); |
|
| 168 | |||
| 169 | // final clean up |
||
| 170 | // |
||
| 171 | // -> This adds a bit of extra precaution in case something got through the above filters. |
||
| 172 | 6 | $str = $this->neverAllowed->doNeverAllowedAfterwards($str); |
|
| 173 | |||
| 174 | // check for xss |
||
| 175 | 6 | if ($this->_xss_found !== true) { |
|
| 176 | 6 | $this->_xss_found = !($str_backup === $str); |
|
| 177 | } |
||
| 178 | |||
| 179 | 6 | return $str; |
|
| 180 | } |
||
| 181 | |||
| 182 | 6 | public function decodeString($str) |
|
| 183 | { |
||
| 184 | // init |
||
| 185 | 6 | $regExForHtmlTags = '/<\p{L}+.*+/us'; |
|
| 186 | |||
| 187 | 6 | if (strpos($str, '<') !== false && preg_match($regExForHtmlTags, $str, $matches) === 1) { |
|
| 188 | 6 | $str = (string)preg_replace_callback( |
|
| 189 | 6 | $regExForHtmlTags, |
|
| 190 | function ($matches) { |
||
| 191 | 6 | return $this->decodeEntity($matches); |
|
| 192 | 6 | }, |
|
| 193 | 6 | $str |
|
| 194 | ); |
||
| 195 | } else { |
||
| 196 | 6 | $str = $this->utf8->rawurldecode($str); |
|
| 197 | } |
||
| 198 | |||
| 199 | 6 | return $str; |
|
| 200 | } |
||
| 201 | |||
| 202 | 6 | private function decodeEntity(array $match) |
|
| 203 | { |
||
| 204 | // init |
||
| 205 | 6 | $str = $match[0]; |
|
| 206 | |||
| 207 | // protect GET variables without XSS in URLs |
||
| 208 | 6 | if (preg_match_all("/[\?|&]?[\\p{L}0-9_\-\[\]]+\s*=\s*(?<wrapped>\"|\042|'|\047)(?<attr>[^\\1]*?)\\g{wrapped}/ui", $str, $matches)) { |
|
| 209 | 6 | if (isset($matches['attr'])) { |
|
| 210 | 6 | foreach ($matches['attr'] as $matchInner) { |
|
| 211 | 6 | $tmpAntiXss = clone $this; |
|
| 212 | 6 | $urlPartClean = $tmpAntiXss->clean($matchInner); |
|
| 213 | |||
| 214 | 6 | if ($tmpAntiXss->isXssFound() === true) { |
|
| 215 | 6 | $this->_xss_found = true; |
|
| 216 | 6 | $str = \str_replace($matchInner, $this->utf8->rawurldecode($urlPartClean), $str); |
|
| 217 | } |
||
| 218 | } |
||
| 219 | } |
||
| 220 | } else { |
||
| 221 | 6 | $str = $this->_entity_decode($this->utf8->rawurldecode($str)); |
|
| 222 | } |
||
| 223 | |||
| 224 | 6 | return $str; |
|
| 225 | } |
||
| 226 | |||
| 227 | /** |
||
| 228 | * @return null |
||
| 229 | */ |
||
| 230 | 6 | public function isXssFound() |
|
| 234 | |||
| 235 | /** |
||
| 236 | * Entity-decoding. |
||
| 237 | * |
||
| 238 | * @param StringResource $str |
||
| 239 | * |
||
| 240 | * @return StringResource |
||
| 241 | */ |
||
| 242 | 6 | private function _entity_decode($str) |
|
| 243 | { |
||
| 244 | 6 | static $HTML_ENTITIES_CACHE; |
|
| 245 | |||
| 246 | 6 | $flags = ENT_QUOTES | ENT_HTML5 | ENT_DISALLOWED | ENT_SUBSTITUTE; |
|
| 247 | |||
| 248 | // decode |
||
| 249 | 6 | $str = html_entity_decode($str, $flags); |
|
| 250 | |||
| 251 | |||
| 252 | // decode-again, for e.g. HHVM or miss configured applications ... |
||
| 253 | 6 | if (preg_match_all('/(?<html_entity>&[A-Za-z]{2,}[;]{0})/', $str, $matches)) { |
|
| 254 | if ($HTML_ENTITIES_CACHE === null) { |
||
| 255 | |||
| 256 | // links: |
||
| 257 | // - http://dev.w3.org/html5/html-author/charref |
||
| 258 | // - http://www.w3schools.com/charsets/ref_html_entities_n.asp |
||
| 259 | $entitiesSecurity = [ |
||
| 260 | '�' => '', |
||
| 261 | '�' => '', |
||
| 262 | '' => '', |
||
| 263 | '' => '', |
||
| 264 | '>⃒' => '', |
||
| 265 | '' => '', |
||
| 266 | '' => '', |
||
| 267 | '­' => '', |
||
| 268 | '­' => '', |
||
| 269 | '­' => '', |
||
| 270 | ':' => ':', |
||
| 271 | ':' => ':', |
||
| 272 | ':' => ':', |
||
| 273 | '(' => '(', |
||
| 274 | '(' => '(', |
||
| 275 | '(' => '(', |
||
| 276 | ')' => ')', |
||
| 277 | ')' => ')', |
||
| 278 | ')' => ')', |
||
| 279 | '?' => '?', |
||
| 280 | '?' => '?', |
||
| 281 | '?' => '?', |
||
| 282 | '/' => '/', |
||
| 283 | '/' => '/', |
||
| 284 | '/' => '/', |
||
| 285 | ''' => '\'', |
||
| 286 | ''' => '\'', |
||
| 287 | ''' => '\'', |
||
| 288 | ''' => '\'', |
||
| 289 | ''' => '\'', |
||
| 290 | '\' => '\'', |
||
| 291 | '\' => '\\', |
||
| 292 | '\' => '\\', |
||
| 293 | ',' => ',', |
||
| 294 | ',' => ',', |
||
| 295 | ',' => ',', |
||
| 296 | '.' => '.', |
||
| 297 | '.' => '.', |
||
| 298 | '"' => '"', |
||
| 299 | '"' => '"', |
||
| 300 | '"' => '"', |
||
| 301 | '"' => '"', |
||
| 302 | '`' => '`', |
||
| 303 | '`' => '`', |
||
| 304 | '`' => '`', |
||
| 305 | '`' => '`', |
||
| 306 | '.' => '.', |
||
| 307 | '=' => '=', |
||
| 308 | '=' => '=', |
||
| 309 | '=' => '=', |
||
| 310 | '&newline;' => "\n", |
||
| 311 | '
' => "\n", |
||
| 312 | ' ' => "\n", |
||
| 313 | '&tab;' => "\t", |
||
| 314 | '	' => "\t", |
||
| 315 | '	' => "\t", |
||
| 316 | ]; |
||
| 317 | |||
| 318 | $HTML_ENTITIES_CACHE = \array_merge( |
||
| 319 | $entitiesSecurity, |
||
| 320 | \array_flip(\get_html_translation_table(HTML_ENTITIES, $flags)), |
||
| 321 | \array_flip($this->_get_data('entities_fallback')) |
||
| 322 | ); |
||
| 323 | } |
||
| 324 | |||
| 325 | $search = []; |
||
| 326 | $replace = []; |
||
| 327 | foreach ($matches['html_entity'] as $match) { |
||
| 328 | $match .= ';'; |
||
| 329 | if (isset($HTML_ENTITIES_CACHE[$match])) { |
||
| 330 | $search[$match] = $match; |
||
| 331 | $replace[$match] = $HTML_ENTITIES_CACHE[$match]; |
||
| 332 | } |
||
| 333 | } |
||
| 334 | |||
| 335 | if (\count($replace) > 0) { |
||
| 336 | $str = \str_replace($search, $replace, $str); |
||
| 337 | } |
||
| 338 | } |
||
| 339 | |||
| 340 | 6 | return $str; |
|
| 341 | } |
||
| 342 | |||
| 343 | private function _get_data($file) |
||
| 348 | |||
| 349 | public function cleanString($str) |
||
| 353 | |||
| 354 | /** |
||
| 355 | * @param $str |
||
| 356 | * @return array|mixed |
||
| 357 | */ |
||
| 358 | 3 | public function cleanUrl($str) |
|
| 359 | { |
||
| 383 | |||
| 384 | function result() |
||
| 392 | } |
Loading history...
This check marks property names that have not been written in camelCase.
In camelCase names are written without any punctuation, the start of each new word being marked by a capital letter. Thus the name database connection string becomes
databaseConnectionString.