Filter::XSSFilter() - Code Metrics - Inspection of "[improvement] XSSFilter recursive implementation f..." - panique/huge - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — develop (#858)

by Kris

created 2017-04-26 16:18 UTC

Filter::XSSFilter() B

↳ Parent: Filter

Complexity

Conditions	5
Paths	3

Size

Total Lines	25
Code Lines	7

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	25
rs	8.439
c	0
b	0
f	0
cc	5
eloc	7
nc	3
nop	1

<?php

/**
 * Class Filter
 *
 * This is the place to put filters, usually methods that cleans, sorts and, well, filters stuff.
 */
class Filter
namespace YourVendor;

class YourClass { }
{
    /**
     * The XSS filter: This simply removes "code" from any data, used to prevent Cross-Site Scripting Attacks.
     *
     * A very simple introduction: Let's say an attackers changes its username from "John" to these lines:
     * "<script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>"
     * This means, every user's browser would render "John" anymore, instead interpreting this JavaScript code, calling
     * the delete.php, in this case inside the project, in worse scenarios something like performing a bank transaction
     * or sending your cookie data (containing your remember-me-token) to somebody else.
     *
     * What is XSS ?
     * @see http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-%28XSS%29.html
     *
     * Deeper information:
     * @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
     *
     * XSSFilter expects a value, checks if the value is a string, and if so, encodes typical script tag chars to 
     * harmless HTML (you'll see the code, it wil not be interpreted). Then the method checks if the value is an array, 
     * or an object and if so, makes sure all its string content is encoded (recursive call on its values).
     * Note that this method uses reference to the assed variable, not a copy, meaning you can use this methods like this:
     *
     * CORRECT: Filter::XSSFilter($myVariable);
     * WRONG: $myVariable = Filter::XSSFilter($myVariable);
     *
     * This works like some other popular PHP functions, for example sort().
     * @see http://php.net/manual/en/function.sort.php
     *
     * @see http://stackoverflow.com/questions/1676897/what-does-it-mean-to-start-a-php-function-with-an-ampersand
     * @see http://php.net/manual/en/language.references.pass.php
     *
     * FYI: htmlspecialchars() does this (from PHP docs):
     *
     * '&' (ampersand) becomes '&amp;'
     * '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
     * "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set.
     * '<' (less than) becomes '&lt;'
     * '>' (greater than) becomes '&gt;'
     *
     * @see http://www.php.net/manual/en/function.htmlspecialchars.php
     *
     * @param  $value    The value to be filtered
     * @return mixed    
     */
    public static function XSSFilter(&$value)
    {
        // if argument is a string, filters that string
        if (is_string($value)) {
            $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');

        // if argument is an array or an object, 
        // recursivly filters its content 
        } else if (is_array($value) || is_object($value)) {

            /** 
             * Make sure the element is passed by reference,
             * In PHP 7, foreach does not use the internal array pointer. 
             * In order to be able to directly modify array elements within the loop 
             * precede $value with &. In that case the value will be assigned by reference. 
             * @see http://php.net/manual/en/control-structures.foreach.php
             */
            foreach ($value as &$valueInValue) {
                self::XSSFilter($valueInValue);
            }
        }

        // other types are untouched
        return $value;
    }
}


1			<?php
2
3			/**
4			* Class Filter
5			*
6			* This is the place to put filters, usually methods that cleans, sorts and, well, filters stuff.
7			*/
8			class Filter
			0 ignored issues – show Coding Style Compatibility introduced 2015-11-21 00:55 UTC by Report Bug Copy Issue Report PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions. You can fix this by adding a namespace to your class: namespace YourVendor; class YourClass { } When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries. Loading history...
9			{
10			/**
11			* The XSS filter: This simply removes "code" from any data, used to prevent Cross-Site Scripting Attacks.
12			*
13			* A very simple introduction: Let's say an attackers changes its username from "John" to these lines:
14			* "<script>var http = new XMLHttpRequest(); http.open('POST', 'example.com/my_account/delete.php', true);</script>"
15			* This means, every user's browser would render "John" anymore, instead interpreting this JavaScript code, calling
16			* the delete.php, in this case inside the project, in worse scenarios something like performing a bank transaction
17			* or sending your cookie data (containing your remember-me-token) to somebody else.
18			*
19			* What is XSS ?
20			* @see http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-%28XSS%29.html
21			*
22			* Deeper information:
23			* @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
24			*
25			* XSSFilter expects a value, checks if the value is a string, and if so, encodes typical script tag chars to
26			* harmless HTML (you'll see the code, it wil not be interpreted). Then the method checks if the value is an array,
27			* or an object and if so, makes sure all its string content is encoded (recursive call on its values).
28			* Note that this method uses reference to the assed variable, not a copy, meaning you can use this methods like this:
29			*
30			* CORRECT: Filter::XSSFilter($myVariable);
31			* WRONG: $myVariable = Filter::XSSFilter($myVariable);
32			*
33			* This works like some other popular PHP functions, for example sort().
34			* @see http://php.net/manual/en/function.sort.php
35			*
36			* @see http://stackoverflow.com/questions/1676897/what-does-it-mean-to-start-a-php-function-with-an-ampersand
37			* @see http://php.net/manual/en/language.references.pass.php
38			*
39			* FYI: htmlspecialchars() does this (from PHP docs):
40			*
41			* '&' (ampersand) becomes '&'
42			* '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
43			* "'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set.
44			* '<' (less than) becomes '<'
45			* '>' (greater than) becomes '>'
46			*
47			* @see http://www.php.net/manual/en/function.htmlspecialchars.php
48			*
49			* @param $value The value to be filtered
50			* @return mixed
51			*/
52			public static function XSSFilter(&$value)
53			{
54			// if argument is a string, filters that string
55			if (is_string($value)) {
56			$value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
57
58			// if argument is an array or an object,
59			// recursivly filters its content
60			} else if (is_array($value) \|\| is_object($value)) {
61
62			/**
63			* Make sure the element is passed by reference,
64			* In PHP 7, foreach does not use the internal array pointer.
65			* In order to be able to directly modify array elements within the loop
66			* precede $value with &. In that case the value will be assigned by reference.
67			* @see http://php.net/manual/en/control-structures.foreach.php
68			*/
69			foreach ($value as &$valueInValue) {
70			self::XSSFilter($valueInValue);
71			}
72			}
73
74			// other types are untouched
75			return $value;
76			}
77			}
78

panique / huge

GitHub Access Token became invalid

Pull Request — develop (#858)

Filter::XSSFilter() B

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like