Issues in descendancy.php - Fixed Issues - Inspection of "URLs for genealogy objects" - fisharebest/webtrees - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — 1.7 ( 58a13e...2888c1 )

by Greg

created 2017-06-18 14:53 UTC

descendancy.php (1 issue)

Labels

Security 1

Severity

Critical 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * webtrees: online genealogy
 * Copyright (C) 2017 webtrees development team
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
namespace Fisharebest\Webtrees;

/**
 * Defined in session.php
 *
 * @global Tree $WT_TREE
 */
global $WT_TREE;

use Fisharebest\Webtrees\Controller\DescendancyController;
use Fisharebest\Webtrees\Functions\FunctionsEdit;
use Fisharebest\Webtrees\Functions\FunctionsPrint;
use Fisharebest\Webtrees\Functions\FunctionsPrintLists;

define('WT_SCRIPT_NAME', 'descendancy.php');
require './includes/session.php';

$controller = new DescendancyController;
$controller
	->restrictAccess(Module::isActiveChart($WT_TREE, 'descendancy_chart'))
	->pageHeader()
	->addExternalJavascript(WT_AUTOCOMPLETE_JS_URL)
	->addInlineJavascript('autocomplete();');

?>
<div id="descendancy-page"><h2><?php echo $controller->getPageTitle(); ?></h2>
	<form method="get" name="people" action="?">
		<input type="hidden" name="ged" value="<?php echo $WT_TREE->getNameHtml(); ?>">
		<table class="list_table">
			<tbody>
				<tr>
					<td class="descriptionbox">
						<?php echo I18N::translate('Individual'); ?>
					</td>
					<td class="optionbox">
						<input class="pedigree_form" data-autocomplete-type="INDI" type="text" id="rootid" name="rootid" size="3" value="<?php echo $controller->root->getXref(); ?>">
						<?php echo FunctionsPrint::printFindIndividualLink('rootid'); ?>
					</td>
					<td rowspan="3" class="descriptionbox">
						<?php echo I18N::translate('Layout'); ?>
					</td>
					<td rowspan="3" class="optionbox">
						<input type="radio" name="chart_style" value="0" <?php echo $controller->chart_style == 0 ? 'checked' : ''; ?>>
						<?php echo  I18N::translate('List'); ?>
						<br>
						<input type="radio" name="chart_style" value="1" <?php echo $controller->chart_style == 1 ? 'checked' : ''; ?>>
						<?php echo I18N::translate('Booklet'); ?>
						<br>
						<input type="radio" name="chart_style" value="2" <?php echo $controller->chart_style == 2 ? 'checked' : ''; ?>>
						<?php echo I18N::translate('Individuals'); ?>
						<br>
						<input type="radio" name="chart_style" value="3" <?php echo $controller->chart_style == 3 ? 'checked' : ''; ?>>
						<?php echo I18N::translate('Families'); ?>
					</td>
					<td rowspan="3" class="topbottombar">
						<input type="submit" value="<?php echo /* I18N: A button label. */ I18N::translate('view'); ?>">
					</td>
				</tr>
				<tr>
					<td class="descriptionbox">
						<?php echo I18N::translate('Generations'); ?>
					</td>
					<td class="optionbox">
						<?php echo FunctionsEdit::editFieldInteger('generations', $controller->generations, 2, $WT_TREE->getPreference('MAX_DESCENDANCY_GENERATIONS')); ?>
					</td>
				</tr>
				<tr>
					<td class="descriptionbox">
						<?php echo I18N::translate('Show details'); ?>
					</td>
					<td class="optionbox">
						<?php echo FunctionsEdit::twoStateCheckbox('show_full', $controller->showFull()); ?>
					</td>
				</tr>
			</tbody>
		</table>
	</form>

<?php
if ($controller->error_message) {
	echo '<p class="ui-state-error">', $controller->error_message, '</p>';
} else {
	switch ($controller->chart_style) {
	case 0: // List
		echo '<ul id="descendancy_chart" class="chart_common">';
		$controller->printChildDescendancy($controller->root, $controller->generations);
		echo '</ul>';
		break;
	case 1: // Booklet
		$show_cousins = true;
		echo '<div id="descendancy_booklet">';
		$controller->printChildFamily($controller->root, $controller->generations);
		echo '</div>';
		break;
	case 2: // Individual list
		$descendants = $controller->individualDescendancy($controller->root, $controller->generations, array());
		echo '<div id="descendancy-list">', FunctionsPrintLists::individualTable($descendants), '</div>';
		break;
	case 3: // Family list
		$descendants = $controller->familyDescendancy($controller->root, $controller->generations, array());
		echo '<div id="descendancy-list">', FunctionsPrintLists::familyTable($descendants), '</div>';
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);
		break;
	}
}
?>
</div>


Push — 1.7 ( 58a13e...2888c1 )

descendancy.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

3 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

1			<?php
2			/**
3			* webtrees: online genealogy
4			* Copyright (C) 2017 webtrees development team
5			* This program is free software: you can redistribute it and/or modify
6			* it under the terms of the GNU General Public License as published by
7			* the Free Software Foundation, either version 3 of the License, or
8			* (at your option) any later version.
9			* This program is distributed in the hope that it will be useful,
10			* but WITHOUT ANY WARRANTY; without even the implied warranty of
11			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12			* GNU General Public License for more details.
13			* You should have received a copy of the GNU General Public License
14			* along with this program. If not, see <http://www.gnu.org/licenses/>.
15			*/
16			namespace Fisharebest\Webtrees;
17
18			/**
19			* Defined in session.php
20			*
21			* @global Tree $WT_TREE
22			*/
23			global $WT_TREE;
24
25			use Fisharebest\Webtrees\Controller\DescendancyController;
26			use Fisharebest\Webtrees\Functions\FunctionsEdit;
27			use Fisharebest\Webtrees\Functions\FunctionsPrint;
28			use Fisharebest\Webtrees\Functions\FunctionsPrintLists;
29
30			define('WT_SCRIPT_NAME', 'descendancy.php');
31			require './includes/session.php';
32
33			$controller = new DescendancyController;
34			$controller
35			->restrictAccess(Module::isActiveChart($WT_TREE, 'descendancy_chart'))
36			->pageHeader()
37			->addExternalJavascript(WT_AUTOCOMPLETE_JS_URL)
38			->addInlineJavascript('autocomplete();');
39
40			?>
41			<div id="descendancy-page"><h2><?php echo $controller->getPageTitle(); ?></h2>
42			<form method="get" name="people" action="?">
43			<input type="hidden" name="ged" value="<?php echo $WT_TREE->getNameHtml(); ?>">
44			<table class="list_table">
45			<tbody>
46			<tr>
47			<td class="descriptionbox">
48			<?php echo I18N::translate('Individual'); ?>
49			</td>
50			<td class="optionbox">
51			<input class="pedigree_form" data-autocomplete-type="INDI" type="text" id="rootid" name="rootid" size="3" value="<?php echo $controller->root->getXref(); ?>">
52			<?php echo FunctionsPrint::printFindIndividualLink('rootid'); ?>
53			</td>
54			<td rowspan="3" class="descriptionbox">
55			<?php echo I18N::translate('Layout'); ?>
56			</td>
57			<td rowspan="3" class="optionbox">
58			<input type="radio" name="chart_style" value="0" <?php echo $controller->chart_style == 0 ? 'checked' : ''; ?>>
59			<?php echo I18N::translate('List'); ?>
60			<br>
61			<input type="radio" name="chart_style" value="1" <?php echo $controller->chart_style == 1 ? 'checked' : ''; ?>>
62			<?php echo I18N::translate('Booklet'); ?>
63			<br>
64			<input type="radio" name="chart_style" value="2" <?php echo $controller->chart_style == 2 ? 'checked' : ''; ?>>
65			<?php echo I18N::translate('Individuals'); ?>
66			<br>
67			<input type="radio" name="chart_style" value="3" <?php echo $controller->chart_style == 3 ? 'checked' : ''; ?>>
68			<?php echo I18N::translate('Families'); ?>
69			</td>
70			<td rowspan="3" class="topbottombar">
71			<input type="submit" value="<?php echo /* I18N: A button label. */ I18N::translate('view'); ?>">
72			</td>
73			</tr>
74			<tr>
75			<td class="descriptionbox">
76			<?php echo I18N::translate('Generations'); ?>
77			</td>
78			<td class="optionbox">
79			<?php echo FunctionsEdit::editFieldInteger('generations', $controller->generations, 2, $WT_TREE->getPreference('MAX_DESCENDANCY_GENERATIONS')); ?>
80			</td>
81			</tr>
82			<tr>
83			<td class="descriptionbox">
84			<?php echo I18N::translate('Show details'); ?>
85			</td>
86			<td class="optionbox">
87			<?php echo FunctionsEdit::twoStateCheckbox('show_full', $controller->showFull()); ?>
88			</td>
89			</tr>
90			</tbody>
91			</table>
92			</form>
93
94			<?php
95			if ($controller->error_message) {
96			echo '<p class="ui-state-error">', $controller->error_message, '</p>';
97			} else {
98			switch ($controller->chart_style) {
99			case 0: // List
100			echo '<ul id="descendancy_chart" class="chart_common">';
101			$controller->printChildDescendancy($controller->root, $controller->generations);
102			echo '</ul>';
103			break;
104			case 1: // Booklet
105			$show_cousins = true;
106			echo '<div id="descendancy_booklet">';
107			$controller->printChildFamily($controller->root, $controller->generations);
108			echo '</div>';
109			break;
110			case 2: // Individual list
111			$descendants = $controller->individualDescendancy($controller->root, $controller->generations, array());
112			echo '<div id="descendancy-list">', FunctionsPrintLists::individualTable($descendants), '</div>';
113			break;
114			case 3: // Family list
115			$descendants = $controller->familyDescendancy($controller->root, $controller->generations, array());
116			echo '<div id="descendancy-list">', FunctionsPrintLists::familyTable($descendants), '</div>';
			0 ignored issues – show Security Cross-Site Scripting introduced 2017-02-14 12:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this `\Fisharebest\Webtrees\Fu...milyTable($descendants)` can contain request data and is used in output context(s) leading to a potential security vulnerability. 3 paths for user data to reach this point 1. Path: Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 433 Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 433 `$newged` is assigned in edit_interface.php on line 453 `$newged` is passed through substr(), and `$newged` is assigned in edit_interface.php on line 466 `$newged` is passed to GedcomRecord::updateFact() in edit_interface.php on line 467 `$gedcom` is passed through preg_replace(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1201 `$gedcom` is passed through trim(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1202 `$new_gedcom` is assigned in app/GedcomRecord.php on line 1239 GedcomRecord::$gedcom is assigned in app/GedcomRecord.php on line 1258 Tainted property GedcomRecord::$gedcom is read in app/GedcomRecord.php on line 504 GedcomRecord::privatizeGedcom() returns tainted data, and `$newgedrec` is assigned in app/Report/ReportParserGenerate.php on line 595 ReportParserGenerate::$gedrec is assigned in app/Report/ReportParserGenerate.php on line 619 Tainted property ReportParserGenerate::$gedrec is read in app/Report/ReportParserGenerate.php on line 1263 Data is passed through explode() in vendor/app/Functions/Functions.php on line 160 `$thisSubrecord` is assigned in vendor/app/Functions/Functions.php on line 161 Data is passed through substr() in vendor/app/Functions/Functions.php on line 167 ReportParserGenerate::$desc is assigned in app/Report/ReportParserGenerate.php on line 1263 Tainted property ReportParserGenerate::$desc is read, and `$value` is assigned in app/Report/ReportParserGenerate.php on line 1309 ReportParserGenerate::$vars is assigned in app/Report/ReportParserGenerate.php on line 1359 Tainted property ReportParserGenerate::$vars is read, and `$id` is assigned in app/Report/ReportParserGenerate.php on line 828 `$id` is passed to GedcomRecord::getInstance() in app/Report/ReportParserGenerate.php on line 842 `$xref` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$xref is assigned in app/GedcomRecord.php on line 79 Tainted property GedcomRecord::$xref is read in app/GedcomRecord.php on line 280 GedcomRecord::getXref() returns tainted data in app/GedcomRecord.php on line 360 GedcomRecord::getLinkUrl() returns tainted data in app/GedcomRecord.php on line 330 GedcomRecord::getHtmlUrl() returns tainted data, and `$html` is assigned in app/Functions/FunctionsPrintLists.php on line 797 FunctionsPrintLists::familyTable() returns tainted data in descendancy.php on line 116 2. Path: Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 437 Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 437 `$newged` is assigned in edit_interface.php on line 453 `$newged` is passed through substr(), and `$newged` is assigned in edit_interface.php on line 466 `$newged` is passed to GedcomRecord::updateFact() in edit_interface.php on line 467 `$gedcom` is passed through preg_replace(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1201 `$gedcom` is passed through trim(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1202 `$new_gedcom` is assigned in app/GedcomRecord.php on line 1239 GedcomRecord::$gedcom is assigned in app/GedcomRecord.php on line 1258 Tainted property GedcomRecord::$gedcom is read in app/GedcomRecord.php on line 504 GedcomRecord::privatizeGedcom() returns tainted data, and `$newgedrec` is assigned in app/Report/ReportParserGenerate.php on line 595 ReportParserGenerate::$gedrec is assigned in app/Report/ReportParserGenerate.php on line 619 Tainted property ReportParserGenerate::$gedrec is read in app/Report/ReportParserGenerate.php on line 1263 Data is passed through explode() in vendor/app/Functions/Functions.php on line 160 `$thisSubrecord` is assigned in vendor/app/Functions/Functions.php on line 161 Data is passed through substr() in vendor/app/Functions/Functions.php on line 167 ReportParserGenerate::$desc is assigned in app/Report/ReportParserGenerate.php on line 1263 Tainted property ReportParserGenerate::$desc is read, and `$value` is assigned in app/Report/ReportParserGenerate.php on line 1309 ReportParserGenerate::$vars is assigned in app/Report/ReportParserGenerate.php on line 1359 Tainted property ReportParserGenerate::$vars is read, and `$id` is assigned in app/Report/ReportParserGenerate.php on line 828 `$id` is passed to GedcomRecord::getInstance() in app/Report/ReportParserGenerate.php on line 842 `$xref` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$xref is assigned in app/GedcomRecord.php on line 79 Tainted property GedcomRecord::$xref is read in app/GedcomRecord.php on line 280 GedcomRecord::getXref() returns tainted data in app/GedcomRecord.php on line 360 GedcomRecord::getLinkUrl() returns tainted data in app/GedcomRecord.php on line 330 GedcomRecord::getHtmlUrl() returns tainted data, and `$html` is assigned in app/Functions/FunctionsPrintLists.php on line 797 FunctionsPrintLists::familyTable() returns tainted data in descendancy.php on line 116 3. Path: Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 461 Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 461 `$newged` is passed through substr(), and `$newged` is assigned in edit_interface.php on line 466 `$newged` is passed to GedcomRecord::updateFact() in edit_interface.php on line 467 `$gedcom` is passed through preg_replace(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1201 `$gedcom` is passed through trim(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1202 `$new_gedcom` is assigned in app/GedcomRecord.php on line 1239 GedcomRecord::$gedcom is assigned in app/GedcomRecord.php on line 1258 Tainted property GedcomRecord::$gedcom is read in app/GedcomRecord.php on line 504 GedcomRecord::privatizeGedcom() returns tainted data, and `$newgedrec` is assigned in app/Report/ReportParserGenerate.php on line 595 ReportParserGenerate::$gedrec is assigned in app/Report/ReportParserGenerate.php on line 619 Tainted property ReportParserGenerate::$gedrec is read in app/Report/ReportParserGenerate.php on line 1263 Data is passed through explode() in vendor/app/Functions/Functions.php on line 160 `$thisSubrecord` is assigned in vendor/app/Functions/Functions.php on line 161 Data is passed through substr() in vendor/app/Functions/Functions.php on line 167 ReportParserGenerate::$desc is assigned in app/Report/ReportParserGenerate.php on line 1263 Tainted property ReportParserGenerate::$desc is read, and `$value` is assigned in app/Report/ReportParserGenerate.php on line 1309 ReportParserGenerate::$vars is assigned in app/Report/ReportParserGenerate.php on line 1359 Tainted property ReportParserGenerate::$vars is read, and `$id` is assigned in app/Report/ReportParserGenerate.php on line 828 `$id` is passed to GedcomRecord::getInstance() in app/Report/ReportParserGenerate.php on line 842 `$xref` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$xref is assigned in app/GedcomRecord.php on line 79 Tainted property GedcomRecord::$xref is read in app/GedcomRecord.php on line 280 GedcomRecord::getXref() returns tainted data in app/GedcomRecord.php on line 360 GedcomRecord::getLinkUrl() returns tainted data in app/GedcomRecord.php on line 330 GedcomRecord::getHtmlUrl() returns tainted data, and `$html` is assigned in app/Functions/FunctionsPrintLists.php on line 797 FunctionsPrintLists::familyTable() returns tainted data in descendancy.php on line 116 Preventing Cross-Site-Scripting Attacks Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data: // for HTML $sanitized = htmlentities($tainted, ENT_QUOTES); // for URLs $sanitized = urlencode($tainted); General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
117			break;
118			}
119			}
120			?>
121			</div>
122

fisharebest / webtrees

Push — 1.7 ( 58a13e...2888c1 )

descendancy.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

3 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like