XssFilter::doXssClean() - Code Metrics - linpax/microphp-framework - Measure and Improve Code Quality continuously with Scrutinizer

XssFilter::doXssClean() B
last analyzed 2016-11-09 05:13 UTC

↳ Parent: XssFilter

Complexity

Conditions	6
Paths	4

Size

Total Lines	52
Code Lines	31

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	52
c	0
b	0
f	0
rs	8.6868
cc	6
eloc	31
nc	4
nop	1

How to fix Long Method

<?php /** XssFilterMicro */

namespace Micro\Filter;

/**
 * Class XssFilter
 *
 * @author Opeykin A. <andrey.opeykin.ru> &; <[email protected]>
 * @package Micro
 * @subpackage Filter
 * @version 1.0
 * @since 1.0
 */
class XssFilter extends Filter
{
    /**
     * @inheritdoc
     */
    public function pre(array $params)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        $clean = trim(strtoupper(!empty($params['clean']) ? $params['clean'] : '*'));

        $data = ['GET' => &$_GET, 'POST' => &$_POST, 'COOKIE' => &$_COOKIE, 'FILES' => &$_FILES];
        if ($clean === '*') {
            $clean = 'GET,POST,COOKIE,FILES';
        }
        $dataForClean = explode(',', $clean);

        foreach ($dataForClean as $key => &$value) {
            if (!empty($data[$key]) && count($data[$key])) {
                $value = $this->doXssClean($data[$key]);
            }
        }

        return true;
    }

    /**
     * Do XSS Clean
     *
     * @access private
     *
     * @param array $data data for check
     *
     * @return mixed
     */
    private function doXssClean($data)
    {
        if (is_array($data) && count($data)) {
            foreach ($data as $k => &$v) {
                $v = $this->doXssClean($data[$k]);
            }

            return $data;
        }

        if (trim($data) === '') {
            return $data;
        }

        // xss_clean function from Kohana framework 2.3.1
        $data = str_replace(['&amp;', '&lt;', '&gt;'], ['&amp;amp;', '&amp;lt;', '&amp;gt;'], $data);
        $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
        $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
        /** @noinspection CallableParameterUseCaseInTypeContextInspection */
        $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

        // Remove any attribute starting with "on" or xmlns
        $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

        // Remove javascript: and vbscript: protocols
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu',
            '$1=$2nojavascript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu',
            '$1=$2novbscript...', $data);
        $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u',
            '$1=$2nomozbinding...', $data);

        // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i',
            '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i',
            '$1>', $data);
        $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu',
            '$1>', $data);

        // Remove namespaced elements (we do not need them)
        $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

        do {
            // Remove really unwanted tags
            $old_data = $data;
            $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i',
                '', $data);
        } while ($old_data !== $data);

        return $data;
    }

    /**
     * @inheritdoc
     */
    public function post(array $params)
    {
        return $params['data'];
    }
}


1			<?php /** XssFilterMicro */
2
3			namespace Micro\Filter;
4
5			/**
6			* Class XssFilter
7			*
8			* @author Opeykin A. <andrey.opeykin.ru> &; <[email protected]>
9			* @package Micro
10			* @subpackage Filter
11			* @version 1.0
12			* @since 1.0
13			*/
14			class XssFilter extends Filter
15			{
16			/**
17			* @inheritdoc
18			*/
19			public function pre(array $params)
			0 ignored issues – show Coding Style introduced 2016-03-10 20:06 UTC by Report Bug Copy Issue Report `pre` uses the super-global variable `$_GET` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Coding Style introduced 2016-03-10 20:06 UTC by Report Bug Copy Issue Report `pre` uses the super-global variable `$_POST` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Coding Style introduced 2016-03-10 20:06 UTC by Report Bug Copy Issue Report `pre` uses the super-global variable `$_COOKIE` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history... Coding Style introduced 2016-03-10 20:06 UTC by Report Bug Copy Issue Report `pre` uses the super-global variable `$_FILES` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
20			{
21			$clean = trim(strtoupper(!empty($params['clean']) ? $params['clean'] : '*'));
22
23			$data = ['GET' => &$_GET, 'POST' => &$_POST, 'COOKIE' => &$_COOKIE, 'FILES' => &$_FILES];
24			if ($clean === '*') {
25			$clean = 'GET,POST,COOKIE,FILES';
26			}
27			$dataForClean = explode(',', $clean);
28
29			foreach ($dataForClean as $key => &$value) {
30			if (!empty($data[$key]) && count($data[$key])) {
31			$value = $this->doXssClean($data[$key]);
32			}
33			}
34
35			return true;
36			}
37
38			/**
39			* Do XSS Clean
40			*
41			* @access private
42			*
43			* @param array $data data for check
44			*
45			* @return mixed
46			*/
47			private function doXssClean($data)
48			{
49			if (is_array($data) && count($data)) {
50			foreach ($data as $k => &$v) {
51			$v = $this->doXssClean($data[$k]);
52			}
53
54			return $data;
55			}
56
57			if (trim($data) === '') {
58			return $data;
59			}
60
61			// xss_clean function from Kohana framework 2.3.1
62			$data = str_replace(['&', '<', '>'], ['&amp;', '&lt;', '&gt;'], $data);
63			$data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
64			$data = preg_replace('/(&#x[0-9A-F]+);/iu', '$1;', $data);
65			/** @noinspection CallableParameterUseCaseInTypeContextInspection */
66			$data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');
67
68			// Remove any attribute starting with "on" or xmlns
69			$data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on\|xmlns)[^>]*+>#iu', '$1>', $data);
70
71			// Remove javascript: and vbscript: protocols
72			$data = preg_replace('#([a-z])[\x00-\x20]=[\x00-\x20]([`\'"])[\x00-\x20]j[\x00-\x20]a[\x00-\x20]v[\x00-\x20]a[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]*:#iu',
73			'$1=$2nojavascript...', $data);
74			$data = preg_replace('#([a-z])[\x00-\x20]=([\'"])[\x00-\x20]v[\x00-\x20]b[\x00-\x20]s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:#iu',
75			'$1=$2novbscript...', $data);
76			$data = preg_replace('#([a-z])[\x00-\x20]=([\'"])[\x00-\x20]-moz-binding[\x00-\x20]*:#u',
77			'$1=$2nomozbinding...', $data);
78
79			// Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
80			$data = preg_replace('#(<[^>]+?)style[\x00-\x20]=[\x00-\x20][`\'"].?expression[\x00-\x20]\([^>]+>#i',
81			'$1>', $data);
82			$data = preg_replace('#(<[^>]+?)style[\x00-\x20]=[\x00-\x20][`\'"].?behaviour[\x00-\x20]\([^>]+>#i',
83			'$1>', $data);
84			$data = preg_replace('#(<[^>]+?)style[\x00-\x20]=[\x00-\x20][`\'"].?s[\x00-\x20]c[\x00-\x20]r[\x00-\x20]i[\x00-\x20]p[\x00-\x20]t[\x00-\x20]:[^>]+>#iu',
85			'$1>', $data);
86
87			// Remove namespaced elements (we do not need them)
88			$data = preg_replace('#</\w+:\w[^>]+>#i', '', $data);
89
90			do {
91			// Remove really unwanted tags
92			$old_data = $data;
93			$data = preg_replace('#</(?:applet\|b(?:ase\|gsound\|link)\|embed\|frame(?:set)?\|i(?:frame\|layer)\|l(?:ayer\|ink)\|meta\|object\|s(?:cript\|tyle)\|title\|xml)[^>]+>#i',
94			'', $data);
95			} while ($old_data !== $data);
96
97			return $data;
98			}
99
100			/**
101			* @inheritdoc
102			*/
103			public function post(array $params)
104			{
105			return $params['data'];
106			}
107			}
108

linpax / microphp-framework

XssFilter::doXssClean() B last analyzed 2016-11-09 05:13 UTC

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like

XssFilter::doXssClean() B
last analyzed 2016-11-09 05:13 UTC