fisharebest /
webtrees
| Conditions | 9 |
| Paths | 9 |
| Total Lines | 39 |
| Code Lines | 34 |
| Lines | 37 |
| Ratio | 94.87 % |
| Changes | 0 | ||
| Metric | Value |
|---|---|
| cc | 9 |
| eloc | 34 |
| nc | 9 |
| nop | 2 |
| dl | 37 |
| loc | 39 |
| rs | 4.909 |
| c | 0 |
| b | 0 |
| f | 0 |
| 1 | <?php |
||
|
0 ignored issues
–
show
|
|||
| 2 | /** |
||
| 3 | * webtrees: online genealogy |
||
| 4 | * Copyright (C) 2017 webtrees development team |
||
| 5 | * This program is free software: you can redistribute it and/or modify |
||
| 6 | * it under the terms of the GNU General Public License as published by |
||
| 7 | * the Free Software Foundation, either version 3 of the License, or |
||
| 8 | * (at your option) any later version. |
||
| 9 | * This program is distributed in the hope that it will be useful, |
||
| 10 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
| 11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
| 12 | * GNU General Public License for more details. |
||
| 13 | * You should have received a copy of the GNU General Public License |
||
| 14 | * along with this program. If not, see <http://www.gnu.org/licenses/>. |
||
| 15 | */ |
||
| 16 | namespace Fisharebest\Webtrees; |
||
| 17 | |||
| 18 | /** |
||
| 19 | * Defined in edit_interface.php |
||
| 20 | * |
||
| 21 | * @global Individual $person |
||
| 22 | */ |
||
| 23 | global $person; |
||
|
0 ignored issues
–
show
Use of
global functionality is not recommended; it makes your code harder to test, and less reusable.
Instead of relying on 1. Pass all data via parametersfunction myFunction($a, $b) {
// Do something
}
2. Create a class that maintains your stateclass MyClass {
private $a;
private $b;
public function __construct($a, $b) {
$this->a = $a;
$this->b = $b;
}
public function myFunction() {
// Do something
}
}
 Loading history...
|
|||
| 24 | /** |
||
| 25 | * Defined in edit_interface.php |
||
| 26 | * |
||
| 27 | * @global Controller\PageController $controller |
||
| 28 | */ |
||
| 29 | global $controller; |
||
|
0 ignored issues
–
show
Use of
global functionality is not recommended; it makes your code harder to test, and less reusable.
Instead of relying on 1. Pass all data via parametersfunction myFunction($a, $b) {
// Do something
}
2. Create a class that maintains your stateclass MyClass {
private $a;
private $b;
public function __construct($a, $b) {
$this->a = $a;
$this->b = $b;
}
public function myFunction() {
// Do something
}
}
Loading history...
|
|||
| 30 | |||
| 31 | ?> |
||
| 32 | <style> |
||
| 33 | /* Outer border around nav elements */ |
||
| 34 | .outer_nav { |
||
| 35 | border: 3px #808080 outset; |
||
| 36 | } |
||
| 37 | |||
| 38 | /* top Search box */ |
||
| 39 | input[type='text'] { |
||
| 40 | background: #fff; |
||
| 41 | color: #000; |
||
| 42 | border: 1px solid #000; |
||
| 43 | width: 120px; |
||
| 44 | } |
||
| 45 | |||
| 46 | /* "Head" button images */ |
||
| 47 | .headimg { |
||
| 48 | margin-top: -4px; |
||
| 49 | border: 0; |
||
| 50 | } |
||
| 51 | |||
| 52 | /* Prevents clickable td for Search <td> */ |
||
| 53 | td #srch a { |
||
| 54 | display: inline; |
||
| 55 | } |
||
| 56 | </style> |
||
| 57 | <div id="media-links"> |
||
| 58 | <table class="center"> |
||
| 59 | <tr> |
||
| 60 | <td class="topbottombar"> |
||
| 61 | <b><?= $controller->getPageTitle() ?></b> |
||
| 62 | </td> |
||
| 63 | </tr> |
||
| 64 | <tr> |
||
| 65 | <td> |
||
| 66 | <table class="outer_nav"> |
||
| 67 | <tr> |
||
| 68 | <th class="descriptionbox"><?= I18N::translate('Find an individual') ?></th> |
||
| 69 | </tr> |
||
| 70 | <tr> |
||
| 71 | <td id="srch" class="optionbox center"> |
||
| 72 | <script> |
||
| 73 | function findindi() { |
||
| 74 | var findInput = document.getElementById('personid'); |
||
| 75 | var txt = findInput.value; |
||
| 76 | if (txt === "") { |
||
| 77 | alert("<?= I18N::translate('You must enter a name') ?>"); |
||
| 78 | } else { |
||
| 79 | window.open("module.php?mod=GEDFact_assistant&mod_action=media_find&callback=paste_id&action=filter&type=indi&multiple=&filter=" + txt, "win02", "resizable=1, menubar=0, scrollbars=1, top=180, left=600, height=600, width=450 ").focus(); |
||
| 80 | } |
||
| 81 | } |
||
| 82 | </script> |
||
| 83 | <input id="personid" type="text" value=""> |
||
| 84 | <a type="submit" onclick="findindi();"> |
||
| 85 | <?= I18N::translate('Search') ?> |
||
| 86 | </a> |
||
| 87 | </td> |
||
| 88 | </tr> |
||
| 89 | <tr> |
||
| 90 | <td> |
||
| 91 | <table width="100%" class="fact_table" cellspacing="0" border="0"> |
||
| 92 | <tr> |
||
| 93 | <td colspan=3 class="descriptionbox wrap"> |
||
| 94 | <i class="headimg vmiddle icon-button_head"></i> |
||
| 95 | <?= I18N::translate('View this family') ?> |
||
| 96 | </td> |
||
| 97 | </tr> |
||
| 98 | <?php |
||
| 99 | foreach ($person->getChildFamilies() as $family) { |
||
| 100 | echo '<tr><th colspan="2">', $family->getFullName(), '</td></tr>'; |
||
| 101 | print_navigator_family($family, $person); |
||
| 102 | } |
||
| 103 | |||
| 104 | foreach ($person->getChildStepFamilies() as $family) { |
||
| 105 | echo '<tr><th colspan="2">', $family->getFullName(), '</td></tr>'; |
||
| 106 | print_navigator_family($family, $person); |
||
| 107 | } |
||
| 108 | |||
| 109 | foreach ($person->getSpouseFamilies() as $family) { |
||
| 110 | echo '<tr><th colspan="2">', $family->getFullName(), '</td></tr>'; |
||
| 111 | print_navigator_family($family, $person); |
||
| 112 | } |
||
| 113 | ?> |
||
| 114 | </table> |
||
| 115 | </td> |
||
| 116 | </tr> |
||
| 117 | </table> |
||
| 118 | </td> |
||
| 119 | </tr> |
||
| 120 | </table> |
||
| 121 | </div> |
||
| 122 | <?php |
||
| 123 | |||
| 124 | /** |
||
| 125 | * Display family members with clickable links |
||
| 126 | * |
||
| 127 | * @param Family $family |
||
| 128 | * @param Individual $individual |
||
| 129 | */ |
||
| 130 | function print_navigator_family(Family $family, Individual $individual) { |
||
| 131 | View Code Duplication | foreach ($family->getSpouses() as $spouse) { |
|
| 132 | ?> |
||
| 133 | <tr> |
||
| 134 | <td> |
||
| 135 | <a href="#" onclick="opener.insertRowToTable('<?= $spouse->getXref() ?>', '<?= Html::escape($spouse->getFullName()) ?>', '', '', '', '', '', '', '', ''); return false;"> |
||
|
0 ignored issues
–
show
$spouse->getXref() can contain request data and is used in html attribute with single-quotes context(s) leading to a potential security vulnerability.
11 paths for user data to reach this point
1. Path:
$this->parameters['HTTP_AUTHORIZATION'] seems to return tainted data, and $authorizationHeader is assigned
in ServerBag.php on line 62
2. Path:
Read from
$_POST, and $_POST is passed to Request::createRequestFromFactory()
in Request.php on line 314
4. Path:
Fetching key
HTTP_CONTENT_LENGTH from $_SERVER, and $server is assigned
in Request.php on line 307
5. Path:
Fetching key
HTTP_CONTENT_TYPE from $_SERVER, and $server is assigned
in Request.php on line 310
6. Path:
$server['HTTP_HOST'] seems to return tainted data, and $server is assigned
in Request.php on line 380
7. Path:
$this->parameters['PHP_AUTH_USER'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 43
8. Path:
$this->parameters['PHP_AUTH_PW'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 44
Preventing Cross-Site-Scripting AttacksCross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data:
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);
// for URLs
$sanitized = urlencode($tainted);
General Strategies to prevent injectionIn general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
throw new \InvalidArgumentException('This input is not allowed.');
}
For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted;
Loading history...
|
|||
| 136 | <?= $spouse === $individual ? '<b>' : '' ?> |
||
| 137 | <?= $spouse->getFullName() ?> <?= $spouse->getLifeSpan() ?> |
||
| 138 | <?= $spouse === $individual ? '</b>' : '' ?> |
||
| 139 | </a> |
||
| 140 | </td> |
||
| 141 | <td> |
||
| 142 | <?php if ($individual !== $spouse): ?> |
||
| 143 | <a href="edit_interface.php?action=addmedia_links&noteid=newnote&pid=<?= $spouse->getXref() ?>&gedcom=<?= $spouse->getTree()->getNameUrl() ?>"> |
||
|
0 ignored issues
–
show
$spouse->getXref() can contain request data and is used in html attribute with double-quotes context(s) leading to a potential security vulnerability.
11 paths for user data to reach this point
1. Path:
$this->parameters['HTTP_AUTHORIZATION'] seems to return tainted data, and $authorizationHeader is assigned
in ServerBag.php on line 62
2. Path:
Read from
$_POST, and $_POST is passed to Request::createRequestFromFactory()
in Request.php on line 314
4. Path:
Fetching key
HTTP_CONTENT_LENGTH from $_SERVER, and $server is assigned
in Request.php on line 307
5. Path:
Fetching key
HTTP_CONTENT_TYPE from $_SERVER, and $server is assigned
in Request.php on line 310
6. Path:
$server['HTTP_HOST'] seems to return tainted data, and $server is assigned
in Request.php on line 380
7. Path:
$this->parameters['PHP_AUTH_USER'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 43
8. Path:
$this->parameters['PHP_AUTH_PW'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 44
Preventing Cross-Site-Scripting AttacksCross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data:
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);
// for URLs
$sanitized = urlencode($tainted);
General Strategies to prevent injectionIn general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
throw new \InvalidArgumentException('This input is not allowed.');
}
For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted;
Loading history...
|
|||
| 144 | <i class="headimg vmiddle icon-button_head"></i> |
||
| 145 | </a> |
||
| 146 | <?php endif ?> |
||
| 147 | </td> |
||
| 148 | <tr> |
||
| 149 | <?php |
||
| 150 | } |
||
| 151 | |||
| 152 | View Code Duplication | foreach ($family->getChildren() as $child) { |
|
| 153 | ?> |
||
| 154 | <tr> |
||
| 155 | <td> |
||
| 156 | <a href="#" onclick="opener.insertRowToTable('<?= $child->getXref() ?>', '<?= Html::escape($child->getFullName()) ?>', '', '', '', '', '', '', '', ''); return false;"> |
||
|
0 ignored issues
–
show
$child->getXref() can contain request data and is used in html attribute with single-quotes context(s) leading to a potential security vulnerability.
11 paths for user data to reach this point
1. Path:
$this->parameters['HTTP_AUTHORIZATION'] seems to return tainted data, and $authorizationHeader is assigned
in ServerBag.php on line 62
2. Path:
Read from
$_POST, and $_POST is passed to Request::createRequestFromFactory()
in Request.php on line 314
4. Path:
Fetching key
HTTP_CONTENT_LENGTH from $_SERVER, and $server is assigned
in Request.php on line 307
5. Path:
Fetching key
HTTP_CONTENT_TYPE from $_SERVER, and $server is assigned
in Request.php on line 310
6. Path:
$server['HTTP_HOST'] seems to return tainted data, and $server is assigned
in Request.php on line 380
7. Path:
$this->parameters['PHP_AUTH_USER'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 43
8. Path:
$this->parameters['PHP_AUTH_PW'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 44
Preventing Cross-Site-Scripting AttacksCross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data:
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);
// for URLs
$sanitized = urlencode($tainted);
General Strategies to prevent injectionIn general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
throw new \InvalidArgumentException('This input is not allowed.');
}
For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted;
Loading history...
|
|||
| 157 | <?= $child === $individual ? '<b>' : '' ?> |
||
| 158 | <?= $child->getFullName() ?> <?= $child->getLifeSpan() ?> |
||
| 159 | <?= $child === $individual ? '</b>' : '' ?> |
||
| 160 | </a> |
||
| 161 | </td> |
||
| 162 | <td> |
||
| 163 | <?php if ($individual !== $child): ?> |
||
| 164 | <a href="edit_interface.php?action=addmedia_links&noteid=newnote&pid=<?= $child->getXref() ?>&gedcom=<?= $child->getTree()->getNameUrl() ?>"> |
||
|
0 ignored issues
–
show
$child->getXref() can contain request data and is used in html attribute with double-quotes context(s) leading to a potential security vulnerability.
11 paths for user data to reach this point
1. Path:
$this->parameters['HTTP_AUTHORIZATION'] seems to return tainted data, and $authorizationHeader is assigned
in ServerBag.php on line 62
2. Path:
Read from
$_POST, and $_POST is passed to Request::createRequestFromFactory()
in Request.php on line 314
4. Path:
Fetching key
HTTP_CONTENT_LENGTH from $_SERVER, and $server is assigned
in Request.php on line 307
5. Path:
Fetching key
HTTP_CONTENT_TYPE from $_SERVER, and $server is assigned
in Request.php on line 310
6. Path:
$server['HTTP_HOST'] seems to return tainted data, and $server is assigned
in Request.php on line 380
7. Path:
$this->parameters['PHP_AUTH_USER'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 43
8. Path:
$this->parameters['PHP_AUTH_PW'] seems to return tainted data, and $headers is assigned
in ServerBag.php on line 44
Preventing Cross-Site-Scripting AttacksCross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data:
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);
// for URLs
$sanitized = urlencode($tainted);
General Strategies to prevent injectionIn general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
throw new \InvalidArgumentException('This input is not allowed.');
}
For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted;
Loading history...
|
|||
| 165 | <i class="headimg vmiddle icon-button_head"></i> |
||
| 166 | </a> |
||
| 167 | <?php endif ?> |
||
| 168 | </td> |
||
| 169 | </tr> |
||
| 170 | <?php |
||
| 171 | } |
||
| 172 | } |
||
| 173 |
The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file.
The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place.
To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1.