Issues in descendancy.php - Fixed Issues - Inspection of "XREFs created via raw editing need to be escaped" - fisharebest/webtrees - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( e80729...78b87e )

by Greg

created 2017-06-18 14:04 UTC

descendancy.php (1 issue)

Labels

Security 1

Severity

Critical 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * webtrees: online genealogy
 * Copyright (C) 2017 webtrees development team
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
namespace Fisharebest\Webtrees;

use Fisharebest\Webtrees\Controller\DescendancyController;
use Fisharebest\Webtrees\Functions\FunctionsEdit;
use Fisharebest\Webtrees\Functions\FunctionsPrintLists;

require 'includes/session.php';

$controller = new DescendancyController;
$controller->restrictAccess(Module::isActiveChart($controller->tree(), 'descendancy_chart'));

// Only generate the content for interactive users (not search robots).
if (Filter::getBool('ajax') && Session::has('initiated')) {
	switch ($controller->chart_style) {
	case 0: // List
		echo '<ul id="descendancy_chart" class="chart_common">';
		$controller->printChildDescendancy($controller->root, $controller->generations);
		echo '</ul>';
		break;
	case 1: // Booklet
		$show_cousins = true;
		echo '<div id="descendancy_booklet">';
		$controller->printChildFamily($controller->root, $controller->generations);
		echo '</div>';
		break;
	case 2: // Individual list
		$descendants = $controller->individualDescendancy($controller->root, $controller->generations, []);
		echo '<div id="descendancy-list">', FunctionsPrintLists::individualTable($descendants), '</div>';
		break;
	case 3: // Family list
		$descendants = $controller->familyDescendancy($controller->root, $controller->generations, []);
		echo '<div id="descendancy-list">', FunctionsPrintLists::familyTable($descendants), '</div>';
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);
		break;
	}

	return;
}

$controller
	->addInlineJavascript('$(".wt-page-content").load(document.location + "&ajax=1");')
	->pageHeader();

?>
<h2 class="wt-page-title"><?= $controller->getPageTitle() ?></h2>

<form class="wt-page-options wt-page-options-descendants-chart hidden-print">
	<input type="hidden" name="ged" value="<?= $controller->tree()->getNameHtml() ?>">

	<div class="row form-group">
		<label class="col-sm-3 col-form-label wt-page-options-label" for="rootid">
			<?= I18N::translate('Individual') ?>
		</label>
		<div class="col-sm-9 wt-page-options-value">
			<?= FunctionsEdit::formControlIndividual($controller->root, ['id' => 'rootid', 'name' => 'rootid']) ?>
		</div>
	</div>

	<div class="row form-group">
		<label class="col-sm-3 col-form-label wt-page-options-label" for="generations">
			<?= I18N::translate('Generations') ?>
		</label>
		<div class="col-sm-9 wt-page-options-value">
			<?= Bootstrap4::select(FunctionsEdit::numericOptions(range(2, $controller->tree()->getPreference('MAX_DESCENDANCY_GENERATIONS'))), $controller->generations, ['id' => 'generations', 'name' => 'generations']) ?>
		</div>
	</div>

	<fieldset class="form-group">
		<div class="row">
			<legend class="col-form-legend col-sm-3 wt-page-options-label">
				<?= I18N::translate('Layout') ?>
			</legend>
			<div class="col-sm-9 wt-page-options-value">
				<?= Bootstrap4::radioButtons('chart_style', ['0' => I18N::translate('List'), '1' => I18N::translate('Booklet'), '2' => I18N::translate('Individuals'), '3' => I18N::translate('Families')], $controller->chart_style, true, ['onclick' => 'statusDisable("show_cousins");']) ?>
			</div>
		</div>
	</fieldset>

	<div class="row form-group">
		<div class="col-sm-3 wt-page-options-label"></div>
		<div class="col-sm-9 wt-page-options-value">
			<input class="btn btn-primary" type="submit" value="<?= /* I18N: A button label. */ I18N::translate('view') ?>">
		</div>
	</div>
</form>

<div class="wt-ajax-load wt-page-content wt-chart wt-descendants-chart"></div>


Push — develop ( e80729...78b87e )

descendancy.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

4 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

1			<?php
2			/**
3			* webtrees: online genealogy
4			* Copyright (C) 2017 webtrees development team
5			* This program is free software: you can redistribute it and/or modify
6			* it under the terms of the GNU General Public License as published by
7			* the Free Software Foundation, either version 3 of the License, or
8			* (at your option) any later version.
9			* This program is distributed in the hope that it will be useful,
10			* but WITHOUT ANY WARRANTY; without even the implied warranty of
11			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12			* GNU General Public License for more details.
13			* You should have received a copy of the GNU General Public License
14			* along with this program. If not, see <http://www.gnu.org/licenses/>.
15			*/
16			namespace Fisharebest\Webtrees;
17
18			use Fisharebest\Webtrees\Controller\DescendancyController;
19			use Fisharebest\Webtrees\Functions\FunctionsEdit;
20			use Fisharebest\Webtrees\Functions\FunctionsPrintLists;
21
22			require 'includes/session.php';
23
24			$controller = new DescendancyController;
25			$controller->restrictAccess(Module::isActiveChart($controller->tree(), 'descendancy_chart'));
26
27			// Only generate the content for interactive users (not search robots).
28			if (Filter::getBool('ajax') && Session::has('initiated')) {
29			switch ($controller->chart_style) {
30			case 0: // List
31			echo '<ul id="descendancy_chart" class="chart_common">';
32			$controller->printChildDescendancy($controller->root, $controller->generations);
33			echo '</ul>';
34			break;
35			case 1: // Booklet
36			$show_cousins = true;
37			echo '<div id="descendancy_booklet">';
38			$controller->printChildFamily($controller->root, $controller->generations);
39			echo '</div>';
40			break;
41			case 2: // Individual list
42			$descendants = $controller->individualDescendancy($controller->root, $controller->generations, []);
43			echo '<div id="descendancy-list">', FunctionsPrintLists::individualTable($descendants), '</div>';
44			break;
45			case 3: // Family list
46			$descendants = $controller->familyDescendancy($controller->root, $controller->generations, []);
47			echo '<div id="descendancy-list">', FunctionsPrintLists::familyTable($descendants), '</div>';
			0 ignored issues – show Security Cross-Site Scripting introduced 2017-04-21 19:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this `\Fisharebest\Webtrees\Fu...milyTable($descendants)` can contain request data and is used in output context(s) leading to a potential security vulnerability. 4 paths for user data to reach this point 1. Path: Read from `$_FILES,` and `$file` is assigned in action.php on line 112 Read from `$_FILES,` and `$file` is assigned in action.php on line 112 `$gedcom` is assigned in action.php on line 148 `$gedcom` is passed to Tree::createRecord() in action.php on line 158 `$gedcom` is passed to GedcomRecord::getInstance() in app/Tree.php on line 782 `$gedcom` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$gedcom is assigned in app/GedcomRecord.php on line 80 Tainted property GedcomRecord::$gedcom is read in app/GedcomRecord.php on line 495 GedcomRecord::privatizeGedcom() returns tainted data, and `$newgedrec` is assigned in app/Report/ReportParserGenerate.php on line 594 ReportParserGenerate::$gedrec is assigned in app/Report/ReportParserGenerate.php on line 618 Tainted property ReportParserGenerate::$gedrec is read in app/Report/ReportParserGenerate.php on line 1262 Data is passed through explode() in vendor/app/Functions/Functions.php on line 160 `$thisSubrecord` is assigned in vendor/app/Functions/Functions.php on line 161 Data is passed through substr() in vendor/app/Functions/Functions.php on line 167 ReportParserGenerate::$desc is assigned in app/Report/ReportParserGenerate.php on line 1262 Tainted property ReportParserGenerate::$desc is read, and `$value` is assigned in app/Report/ReportParserGenerate.php on line 1308 ReportParserGenerate::$vars is assigned in app/Report/ReportParserGenerate.php on line 1358 Tainted property ReportParserGenerate::$vars is read, and `$id` is assigned in app/Report/ReportParserGenerate.php on line 827 `$id` is passed to GedcomRecord::getInstance() in app/Report/ReportParserGenerate.php on line 841 `$xref` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$xref is assigned in app/GedcomRecord.php on line 79 Tainted property GedcomRecord::$xref is read in app/GedcomRecord.php on line 280 GedcomRecord::getXref() returns tainted data in app/GedcomRecord.php on line 351 GedcomRecord::getLinkUrl() returns tainted data in app/GedcomRecord.php on line 330 GedcomRecord::getHtmlUrl() returns tainted data, and `$html` is assigned in app/Functions/FunctionsPrintLists.php on line 778 FunctionsPrintLists::familyTable() returns tainted data in descendancy.php on line 47 2. Path: Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 426 Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 426 `$newged` is assigned in edit_interface.php on line 446 `$newged` is passed through substr(), and `$newged` is assigned in edit_interface.php on line 459 `$newged` is passed to GedcomRecord::updateFact() in edit_interface.php on line 467 `$gedcom` is passed through preg_replace(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1192 `$gedcom` is passed through trim(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1193 `$new_gedcom` is assigned in app/GedcomRecord.php on line 1230 GedcomRecord::$gedcom is assigned in app/GedcomRecord.php on line 1249 Tainted property GedcomRecord::$gedcom is read in app/GedcomRecord.php on line 495 GedcomRecord::privatizeGedcom() returns tainted data, and `$newgedrec` is assigned in app/Report/ReportParserGenerate.php on line 594 ReportParserGenerate::$gedrec is assigned in app/Report/ReportParserGenerate.php on line 618 Tainted property ReportParserGenerate::$gedrec is read in app/Report/ReportParserGenerate.php on line 1262 Data is passed through explode() in vendor/app/Functions/Functions.php on line 160 `$thisSubrecord` is assigned in vendor/app/Functions/Functions.php on line 161 Data is passed through substr() in vendor/app/Functions/Functions.php on line 167 ReportParserGenerate::$desc is assigned in app/Report/ReportParserGenerate.php on line 1262 Tainted property ReportParserGenerate::$desc is read, and `$value` is assigned in app/Report/ReportParserGenerate.php on line 1308 ReportParserGenerate::$vars is assigned in app/Report/ReportParserGenerate.php on line 1358 Tainted property ReportParserGenerate::$vars is read, and `$id` is assigned in app/Report/ReportParserGenerate.php on line 827 `$id` is passed to GedcomRecord::getInstance() in app/Report/ReportParserGenerate.php on line 841 `$xref` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$xref is assigned in app/GedcomRecord.php on line 79 Tainted property GedcomRecord::$xref is read in app/GedcomRecord.php on line 280 GedcomRecord::getXref() returns tainted data in app/GedcomRecord.php on line 351 GedcomRecord::getLinkUrl() returns tainted data in app/GedcomRecord.php on line 330 GedcomRecord::getHtmlUrl() returns tainted data, and `$html` is assigned in app/Functions/FunctionsPrintLists.php on line 778 FunctionsPrintLists::familyTable() returns tainted data in descendancy.php on line 47 3. Path: Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 430 Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 430 `$newged` is assigned in edit_interface.php on line 446 `$newged` is passed through substr(), and `$newged` is assigned in edit_interface.php on line 459 `$newged` is passed to GedcomRecord::updateFact() in edit_interface.php on line 467 `$gedcom` is passed through preg_replace(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1192 `$gedcom` is passed through trim(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1193 `$new_gedcom` is assigned in app/GedcomRecord.php on line 1230 GedcomRecord::$gedcom is assigned in app/GedcomRecord.php on line 1249 Tainted property GedcomRecord::$gedcom is read in app/GedcomRecord.php on line 495 GedcomRecord::privatizeGedcom() returns tainted data, and `$newgedrec` is assigned in app/Report/ReportParserGenerate.php on line 594 ReportParserGenerate::$gedrec is assigned in app/Report/ReportParserGenerate.php on line 618 Tainted property ReportParserGenerate::$gedrec is read in app/Report/ReportParserGenerate.php on line 1262 Data is passed through explode() in vendor/app/Functions/Functions.php on line 160 `$thisSubrecord` is assigned in vendor/app/Functions/Functions.php on line 161 Data is passed through substr() in vendor/app/Functions/Functions.php on line 167 ReportParserGenerate::$desc is assigned in app/Report/ReportParserGenerate.php on line 1262 Tainted property ReportParserGenerate::$desc is read, and `$value` is assigned in app/Report/ReportParserGenerate.php on line 1308 ReportParserGenerate::$vars is assigned in app/Report/ReportParserGenerate.php on line 1358 Tainted property ReportParserGenerate::$vars is read, and `$id` is assigned in app/Report/ReportParserGenerate.php on line 827 `$id` is passed to GedcomRecord::getInstance() in app/Report/ReportParserGenerate.php on line 841 `$xref` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$xref is assigned in app/GedcomRecord.php on line 79 Tainted property GedcomRecord::$xref is read in app/GedcomRecord.php on line 280 GedcomRecord::getXref() returns tainted data in app/GedcomRecord.php on line 351 GedcomRecord::getLinkUrl() returns tainted data in app/GedcomRecord.php on line 330 GedcomRecord::getHtmlUrl() returns tainted data, and `$html` is assigned in app/Functions/FunctionsPrintLists.php on line 778 FunctionsPrintLists::familyTable() returns tainted data in descendancy.php on line 47 4. Path: Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 454 Read from `$_POST,` and `$newged` is assigned in edit_interface.php on line 454 `$newged` is passed through substr(), and `$newged` is assigned in edit_interface.php on line 459 `$newged` is passed to GedcomRecord::updateFact() in edit_interface.php on line 467 `$gedcom` is passed through preg_replace(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1192 `$gedcom` is passed through trim(), and `$gedcom` is assigned in app/GedcomRecord.php on line 1193 `$new_gedcom` is assigned in app/GedcomRecord.php on line 1230 GedcomRecord::$gedcom is assigned in app/GedcomRecord.php on line 1249 Tainted property GedcomRecord::$gedcom is read in app/GedcomRecord.php on line 495 GedcomRecord::privatizeGedcom() returns tainted data, and `$newgedrec` is assigned in app/Report/ReportParserGenerate.php on line 594 ReportParserGenerate::$gedrec is assigned in app/Report/ReportParserGenerate.php on line 618 Tainted property ReportParserGenerate::$gedrec is read in app/Report/ReportParserGenerate.php on line 1262 Data is passed through explode() in vendor/app/Functions/Functions.php on line 160 `$thisSubrecord` is assigned in vendor/app/Functions/Functions.php on line 161 Data is passed through substr() in vendor/app/Functions/Functions.php on line 167 ReportParserGenerate::$desc is assigned in app/Report/ReportParserGenerate.php on line 1262 Tainted property ReportParserGenerate::$desc is read, and `$value` is assigned in app/Report/ReportParserGenerate.php on line 1308 ReportParserGenerate::$vars is assigned in app/Report/ReportParserGenerate.php on line 1358 Tainted property ReportParserGenerate::$vars is read, and `$id` is assigned in app/Report/ReportParserGenerate.php on line 827 `$id` is passed to GedcomRecord::getInstance() in app/Report/ReportParserGenerate.php on line 841 `$xref` is passed to GedcomRecord::__construct() in app/GedcomRecord.php on line 202 GedcomRecord::$xref is assigned in app/GedcomRecord.php on line 79 Tainted property GedcomRecord::$xref is read in app/GedcomRecord.php on line 280 GedcomRecord::getXref() returns tainted data in app/GedcomRecord.php on line 351 GedcomRecord::getLinkUrl() returns tainted data in app/GedcomRecord.php on line 330 GedcomRecord::getHtmlUrl() returns tainted data, and `$html` is assigned in app/Functions/FunctionsPrintLists.php on line 778 FunctionsPrintLists::familyTable() returns tainted data in descendancy.php on line 47 Preventing Cross-Site-Scripting Attacks Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data: // for HTML $sanitized = htmlentities($tainted, ENT_QUOTES); // for URLs $sanitized = urlencode($tainted); General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
48			break;
49			}
50
51			return;
52			}
53
54			$controller
55			->addInlineJavascript('$(".wt-page-content").load(document.location + "&ajax=1");')
56			->pageHeader();
57
58			?>
59			<h2 class="wt-page-title"><?= $controller->getPageTitle() ?></h2>
60
61			<form class="wt-page-options wt-page-options-descendants-chart hidden-print">
62			<input type="hidden" name="ged" value="<?= $controller->tree()->getNameHtml() ?>">
63
64			<div class="row form-group">
65			<label class="col-sm-3 col-form-label wt-page-options-label" for="rootid">
66			<?= I18N::translate('Individual') ?>
67			</label>
68			<div class="col-sm-9 wt-page-options-value">
69			<?= FunctionsEdit::formControlIndividual($controller->root, ['id' => 'rootid', 'name' => 'rootid']) ?>
70			</div>
71			</div>
72
73			<div class="row form-group">
74			<label class="col-sm-3 col-form-label wt-page-options-label" for="generations">
75			<?= I18N::translate('Generations') ?>
76			</label>
77			<div class="col-sm-9 wt-page-options-value">
78			<?= Bootstrap4::select(FunctionsEdit::numericOptions(range(2, $controller->tree()->getPreference('MAX_DESCENDANCY_GENERATIONS'))), $controller->generations, ['id' => 'generations', 'name' => 'generations']) ?>
79			</div>
80			</div>
81
82			<fieldset class="form-group">
83			<div class="row">
84			<legend class="col-form-legend col-sm-3 wt-page-options-label">
85			<?= I18N::translate('Layout') ?>
86			</legend>
87			<div class="col-sm-9 wt-page-options-value">
88			<?= Bootstrap4::radioButtons('chart_style', ['0' => I18N::translate('List'), '1' => I18N::translate('Booklet'), '2' => I18N::translate('Individuals'), '3' => I18N::translate('Families')], $controller->chart_style, true, ['onclick' => 'statusDisable("show_cousins");']) ?>
89			</div>
90			</div>
91			</fieldset>
92
93			<div class="row form-group">
94			<div class="col-sm-3 wt-page-options-label"></div>
95			<div class="col-sm-9 wt-page-options-value">
96			<input class="btn btn-primary" type="submit" value="<?= /* I18N: A button label. */ I18N::translate('view') ?>">
97			</div>
98			</div>
99			</form>
100
101			<div class="wt-ajax-load wt-page-content wt-chart wt-descendants-chart"></div>
102

fisharebest / webtrees

Push — develop ( e80729...78b87e )

descendancy.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

4 paths for user data to reach this point

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like