Completed
Push — master ( b871dd...c32ae6 )
by Mikael
07:45 queued 05:18
created

webroot/compare/compare.php (9 issues)


These results are based on the legacy PHP analysis; consider migrating to the new PHP analysis engine instead.

<!doctype html>
<html lang=en>
<head>
<style>

body {
}

input[type=text] {
    width: 400px;
}

.hidden {
    display: none;
}

#wrap {
    position: relative;
    overflow: visible;
}

.stack {
    position: absolute;
    left: 0;
    top: 0;
}

.area {
    float: left;
    padding: 1em;
    background-color: #eee;
}

.invert {
    background-color: #666;
    color: white;
}

.json {
    min-height: 100px;
}

.top {
    z-index: 10;
}

</style>
</head>

<body>
<h1>Compare images</h1>
<p>Add links to images and visually compare them. Change a link and press return to load the image. Add <code>&amp;black</code> to the querystring to get a black background. <a href="http://dbwebb.se/opensource/cimage">Read more...</a></p>

<p><a id="permalink" href="?">Direct link to this setup.</a></p>

<form>
    <p>
        <label>Image 1: <input type="text" id="input1" data-id="1"></label> <img id="thumb1"><br>
        <label>Image 2: <input type="text" id="input2" data-id="2"></label> <img id="thumb2"><br>
        <label>Image 3: <input type="text" id="input3" data-id="3"></label> <img id="thumb3"><br>
        <label>Image 4: <input type="text" id="input4" data-id="4"></label> <img id="thumb4"><br>
        <label>Image 5: <input type="text" id="input5" data-id="5"></label> <img id="thumb5"><br>
        <label>Image 6: <input type="text" id="input6" data-id="6"></label> <img id="thumb6"><br>
        <label><input type="checkbox" id="viewDetails">Show image details</label><br>
        <label><input type="checkbox" id="stack">Stack images?</label><br>
        <label><input type="checkbox" id="bg">Dark background?</label>
    </p>
</form>

<div id="buttonWrap" class="hidden">
    <button id="button1" class="button" data-id="1">Image 1</button>
    <button id="button2" class="button" data-id="2">Image 2</button>
    <button id="button3" class="button" data-id="3">Image 3</button>
    <button id="button4" class="button" data-id="4">Image 4</button>
    <button id="button5" class="button" data-id="5">Image 5</button>
    <button id="button6" class="button" data-id="6">Image 6</button>
</div>

<div id="wrap">

    <div id="area1" class="area">
        <code>Image 1</code><br>
        <img id="img1">
        <pre id="json1" class="json hidden"></pre>
    </div>

    <div id="area2" class="area">
        <code>Image 2</code><br>
        <img id="img2">
        <pre id="json2" class="json hidden"></pre>
    </div>

    <div id="area3" class="area">
        <code>Image 3</code><br>
        <img id="img3">
        <pre id="json3" class="json hidden"></pre>
    </div>

    <div id="area4" class="area">
        <code>Image 4</code><br>
        <img id="img4">
        <pre id="json4" class="json hidden"></pre>
    </div>

    <div id="area5" class="area">
        <code>Image 5</code><br>
        <img id="img5">
        <pre id="json5" class="json hidden"></pre>
    </div>

    <div id="area6" class="area">
        <code>Image 6</code><br>
        <img id="img6">
        <pre id="json6" class="json hidden"></pre>
    </div>

</div>

</body>

<script src="https://code.jquery.com/jquery-2.1.1.min.js"></script>
<script src="../js/cimage.js"></script>
<script>
<?php
if (isset($_GET['input1'])) {
    // Use incoming values from the querystring as defaults
?>
    CImage.compare({
        "input1": "<?=$_GET['input1']?>",

Security: Cross-Site Scripting introduced by $_GET['input1'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability.

General strategies to prevent injection

In general, it is advisable to prevent any user data from reaching this point. This can be done by white-listing certain values:

if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}

For numeric data, we recommend explicitly casting the data:

$sanitized = (integer) $tainted;

        "input2": "<?=$_GET['input2']?>",

Security: Cross-Site Scripting introduced by $_GET['input2'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

        "input3": "<?=$_GET['input3']?>",

Security: Cross-Site Scripting introduced by $_GET['input3'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

        "input4": "<?=$_GET['input4']?>",

Security: Cross-Site Scripting introduced by $_GET['input4'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

        "input5": "<?=$_GET['input5']?>",

Security: Cross-Site Scripting introduced by $_GET['input5'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

        "input6": "<?=$_GET['input6']?>",

Security: Cross-Site Scripting introduced by $_GET['input6'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

        "json": <?=$_GET['json']?>,

Security: Cross-Site Scripting introduced by $_GET['json'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

        "stack": <?=$_GET['stack']?>,

Security: Cross-Site Scripting introduced by $_GET['stack'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

        "bg": <?=$_GET['bg']?>

Security: Cross-Site Scripting introduced by $_GET['bg'], which can contain request data and is used in an HTML attribute with double-quotes context(s), leading to a potential security vulnerability. (Same general strategies as above.)

    });
<?php
} elseif (isset($script)) {
    // Use the default setup from the js configuration
    echo $script;
} else {
    // Use defaults
    echo "CImage.compare({});";
} ?>
</script>

</html>