Sanitize::sanitizeMessage() - Code Metrics - Inspection of "Rename Sanitize::sanitize to Sanitize::sanitizeMes..." - phpmyadmin/phpmyadmin - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 0bb995...0feae3 )

by Maurício

created 2019-06-12 18:24 UTC

Sanitize::sanitizeMessage() A

↳ Parent: Sanitize

Complexity

Conditions	3
Paths	4

Size

Total Lines	52
Code Lines	31

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	3
eloc	31
nc	4
nop	3
dl	0
loc	52
rs	9.424
c	0
b	0
f	0

How to fix Long Method

<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * This class includes various sanitization methods that can be called statically
 *
 * @package PhpMyAdmin
 */
declare(strict_types=1);

namespace PhpMyAdmin;

use PhpMyAdmin\Core;
use PhpMyAdmin\Util;

/**
 * This class includes various sanitization methods that can be called statically
 *
 * @package PhpMyAdmin
 */
class Sanitize
{
    /**
     * Checks whether given link is valid
     *
     * @param string  $url   URL to check
     * @param boolean $http  Whether to allow http links
     * @param boolean $other Whether to allow ftp and mailto links
     *
     * @return boolean True if string can be used as link
     */
    public static function checkLink($url, $http = false, $other = false)
    {
        $url = strtolower($url);
        $valid_starts = [
            'https://',
            './url.php?url=https%3a%2f%2f',
            './doc/html/',
            // possible return values from Util::getScriptNameForOption
            './index.php?',
            './server_databases.php?',
            './server_status.php?',
            './server_variables.php?',
            './server_privileges.php?',
            './db_structure.php?',
            './db_sql.php?',
            './db_search.php?',
            './db_operations.php?',
            './tbl_structure.php?',
            './tbl_sql.php?',
            './tbl_select.php?',
            './tbl_change.php?',
            './sql.php?',
            // Hardcoded options in \PhpMyAdmin\Config\SpecialSchemaLinks
            './db_events.php?',
            './db_routines.php?',
            './server_privileges.php?',
            './tbl_structure.php?',
        ];
        $is_setup = $GLOBALS['PMA_Config'] !== null && $GLOBALS['PMA_Config']->get('is_setup');
        // Adjust path to setup script location
        if ($is_setup) {
            foreach ($valid_starts as $key => $value) {
                if (substr($value, 0, 2) === './') {
                    $valid_starts[$key] = '.' . $value;
                }
            }
        }
        if ($other) {
            $valid_starts[] = 'mailto:';
            $valid_starts[] = 'ftp://';
        }
        if ($http) {
            $valid_starts[] = 'http://';
        }
        if ($is_setup) {
            $valid_starts[] = '?page=form&';
            $valid_starts[] = '?page=servers&';
        }
        foreach ($valid_starts as $val) {
            if (substr($url, 0, strlen($val)) == $val) {
                return true;
            }
        }
        return false;
    }

    /**
     * Callback function for replacing [a@link@target] links in bb code.
     *
     * @param array $found Array of preg matches
     *
     * @return string Replaced string
     */
    public static function replaceBBLink(array $found)
    {
        /* Check for valid link */
        if (! self::checkLink($found[1])) {
            return $found[0];
        }
        /* a-z and _ allowed in target */
        if (! empty($found[3]) && preg_match('/[^a-z_]+/i', $found[3])) {
            return $found[0];
        }

        /* Construct target */
        $target = '';
        if (! empty($found[3])) {
            $target = ' target="' . $found[3] . '"';
            if ($found[3] == '_blank') {
                $target .= ' rel="noopener noreferrer"';
            }
        }

        /* Construct url */
        if (substr($found[1], 0, 4) == 'http') {
            $url = Core::linkURL($found[1]);
        } else {
            $url = $found[1];
        }

        return '<a href="' . $url . '"' . $target . '>';
    }

    /**
     * Callback function for replacing [doc@anchor] links in bb code.
     *
     * @param array $found Array of preg matches
     *
     * @return string Replaced string
     */
    public static function replaceDocLink(array $found)
    {
        if (count($found) >= 4) {
            $page = $found[1];
            $anchor = $found[3];
        } else {
            $anchor = $found[1];
            if (strncmp('faq', $anchor, 3) == 0) {
                $page = 'faq';
            } elseif (strncmp('cfg', $anchor, 3) == 0) {
                $page = 'config';
            } else {
                /* Guess */
                $page = 'setup';
            }
        }
        $link = Util::getDocuLink($page, $anchor);
        return '<a href="' . $link . '" target="documentation">';
    }

    /**
     * Sanitizes $message, taking into account our special codes
     * for formatting.
     *
     * If you want to include result in element attribute, you should escape it.
     *
     * Examples:
     *
     * <p><?php echo Sanitize::sanitizeMessage($foo); ?></p>
     *
     * <a title="<?php echo Sanitize::sanitizeMessage($foo, true); ?>">bar</a>
     *
     * @param string  $message the message
     * @param boolean $escape  whether to escape html in result
     * @param boolean $safe    whether string is safe (can keep < and > chars)
     *
     * @return string   the sanitized message
     */
    public static function sanitizeMessage($message, $escape = false, $safe = false)
    {
        if (! $safe) {
            $message = strtr((string) $message, ['<' => '&lt;', '>' => '&gt;']);
        }

        /* Interpret bb code */
        $replace_pairs = [
            '[em]'      => '<em>',
            '[/em]'     => '</em>',
            '[strong]'  => '<strong>',
            '[/strong]' => '</strong>',
            '[code]'    => '<code>',
            '[/code]'   => '</code>',
            '[kbd]'     => '<kbd>',
            '[/kbd]'    => '</kbd>',
            '[br]'      => '<br>',
            '[/a]'      => '</a>',
            '[/doc]'      => '</a>',
            '[sup]'     => '<sup>',
            '[/sup]'    => '</sup>',
            // used in common.inc.php:
            '[conferr]' => '<iframe src="show_config_errors.php"><a href="show_config_errors.php">show_config_errors.php</a></iframe>',
            // used in libraries/Util.php
            '[dochelpicon]' => Util::getImage('b_help', __('Documentation')),
        ];

        $message = strtr($message, $replace_pairs);

        /* Match links in bb code ([a@url@target], where @target is options) */
        $pattern = '/\[a@([^]"@]*)(@([^]"]*))?\]/';

        /* Find and replace all links */
        $message = preg_replace_callback($pattern, function ($match) {
            return self::replaceBBLink($match);
        }, $message);

        /* Replace documentation links */
        $message = preg_replace_callback(
            '/\[doc@([a-zA-Z0-9_-]+)(@([a-zA-Z0-9_-]*))?\]/',
            function ($match) {
                return self::replaceDocLink($match);
            },
            $message
        );

        /* Possibly escape result */
        if ($escape) {
            $message = htmlspecialchars($message);
        }

        return $message;
    }


    /**
     * Sanitize a filename by removing anything besides legit characters
     *
     * Intended usecase:
     *    When using a filename in a Content-Disposition header
     *    the value should not contain ; or "
     *
     *    When exporting, avoiding generation of an unexpected double-extension file
     *
     * @param string  $filename    The filename
     * @param boolean $replaceDots Whether to also replace dots
     *
     * @return string  the sanitized filename
     *
     */
    public static function sanitizeFilename($filename, $replaceDots = false)
    {
        $pattern = '/[^A-Za-z0-9_';
        // if we don't have to replace dots
        if (! $replaceDots) {
            // then add the dot to the list of legit characters
            $pattern .= '.';
        }
        $pattern .= '-]/';
        $filename = preg_replace($pattern, '_', $filename);
        return $filename;
    }

    /**
     * Format a string so it can be a string inside JavaScript code inside an
     * eventhandler (onclick, onchange, on..., ).
     * This function is used to displays a javascript confirmation box for
     * "DROP/DELETE/ALTER" queries.
     *
     * @param string  $a_string       the string to format
     * @param boolean $add_backquotes whether to add backquotes to the string or not
     *
     * @return string   the formatted string
     *
     * @access  public
     */
    public static function jsFormat($a_string = '', $add_backquotes = true)
    {
        $a_string = htmlspecialchars((string) $a_string);
        $a_string = self::escapeJsString($a_string);
        // Needed for inline javascript to prevent some browsers
        // treating it as a anchor
        $a_string = str_replace('#', '\\#', $a_string);

        return $add_backquotes
            ? Util::backquote($a_string)
            : $a_string;
    } // end of the 'jsFormat' function

    /**
     * escapes a string to be inserted as string a JavaScript block
     * enclosed by <![CDATA[ ... ]]>
     * this requires only to escape ' with \' and end of script block
     *
     * We also remove NUL byte as some browsers (namely MSIE) ignore it and
     * inserting it anywhere inside </script would allow to bypass this check.
     *
     * @param string $string the string to be escaped
     *
     * @return string  the escaped string
     */
    public static function escapeJsString($string)
    {
        return preg_replace(
            '@</script@i',
            '</\' + \'script',
            strtr(
                (string) $string,
                [
                    "\000" => '',
                    '\\' => '\\\\',
                    '\'' => '\\\'',
                    '"' => '\"',
                    "\n" => '\n',
                    "\r" => '\r'
                ]
            )
        );
    }

    /**
     * Formats a value for javascript code.
     *
     * @param string $value String to be formatted.
     *
     * @return string formatted value.
     */
    public static function formatJsVal($value)
    {
        if (is_bool($value)) {

            if ($value) {
                return 'true';
            }

            return 'false';
        }

        if (is_int($value)) {

            return (int) $value;
        }

        return '"' . self::escapeJsString($value) . '"';
    }

    /**
     * Formats an javascript assignment with proper escaping of a value
     * and support for assigning array of strings.
     *
     * @param string $key    Name of value to set
     * @param mixed  $value  Value to set, can be either string or array of strings
     * @param bool   $escape Whether to escape value or keep it as it is
     *                       (for inclusion of js code)
     *
     * @return string Javascript code.
     */
    public static function getJsValue($key, $value, $escape = true)
    {
        $result = $key . ' = ';
        if (! $escape) {
            $result .= $value;
        } elseif (is_array($value)) {
            $result .= '[';
            foreach ($value as $val) {
                $result .= self::formatJsVal($val) . ",";
            }
            $result .= "];\n";
        } else {
            $result .= self::formatJsVal($value) . ";\n";
        }
        return $result;
    }

    /**
     * Prints an javascript assignment with proper escaping of a value
     * and support for assigning array of strings.
     *
     * @param string $key   Name of value to set
     * @param mixed  $value Value to set, can be either string or array of strings
     *
     * @return void
     */
    public static function printJsValue($key, $value)
    {
        echo self::getJsValue($key, $value);
    }

    /**
     * Formats javascript assignment for form validation api
     * with proper escaping of a value.
     *
     * @param string  $key   Name of value to set
     * @param string  $value Value to set
     * @param boolean $addOn Check if $.validator.format is required or not
     * @param boolean $comma Check if comma is required
     *
     * @return string Javascript code.
     */
    public static function getJsValueForFormValidation($key, $value, $addOn, $comma)
    {
        $result = $key . ': ';
        if ($addOn) {
            $result .= '$.validator.format(';
        }
        $result .= self::formatJsVal($value);
        if ($addOn) {
            $result .= ')';
        }
        if ($comma) {
            $result .= ', ';
        }
        return $result;
    }

    /**
     * Prints javascript assignment for form validation api
     * with proper escaping of a value.
     *
     * @param string  $key   Name of value to set
     * @param string  $value Value to set
     * @param boolean $addOn Check if $.validator.format is required or not
     * @param boolean $comma Check if comma is required
     *
     * @return void
     */
    public static function printJsValueForFormValidation($key, $value, $addOn = false, $comma = true)
    {
        echo self::getJsValueForFormValidation($key, $value, $addOn, $comma);
    }

    /**
     * Removes all variables from request except whitelisted ones.
     *
     * @param string[] $whitelist list of variables to allow
     *
     * @return void
     * @access public
     */
    public static function removeRequestVars(&$whitelist): void
    {
        // do not check only $_REQUEST because it could have been overwritten
        // and use type casting because the variables could have become
        // strings
        if (! isset($_REQUEST)) {
            $_REQUEST = [];
        }
        if (! isset($_GET)) {
            $_GET = [];
        }
        if (! isset($_POST)) {
            $_POST = [];
        }
        if (! isset($_COOKIE)) {
            $_COOKIE = [];
        }
        $keys = array_keys(
            array_merge((array) $_REQUEST, (array) $_GET, (array) $_POST, (array) $_COOKIE)
        );

        foreach ($keys as $key) {
            if (! in_array($key, $whitelist)) {
                unset($_REQUEST[$key], $_GET[$key], $_POST[$key]);
                continue;
            }

            // allowed stuff could be compromised so escape it
            // we require it to be a string
            if (isset($_REQUEST[$key]) && ! is_string($_REQUEST[$key])) {
                unset($_REQUEST[$key]);
            }
            if (isset($_POST[$key]) && ! is_string($_POST[$key])) {
                unset($_POST[$key]);
            }
            if (isset($_COOKIE[$key]) && ! is_string($_COOKIE[$key])) {
                unset($_COOKIE[$key]);
            }
            if (isset($_GET[$key]) && ! is_string($_GET[$key])) {
                unset($_GET[$key]);
            }
        }
    }
}


1			<?php
2			/* vim: set expandtab sw=4 ts=4 sts=4: */
3			/**
4			* This class includes various sanitization methods that can be called statically
5			*
6			* @package PhpMyAdmin
7			*/
8			declare(strict_types=1);
9
10			namespace PhpMyAdmin;
11
12			use PhpMyAdmin\Core;
13			use PhpMyAdmin\Util;
14
15			/**
16			* This class includes various sanitization methods that can be called statically
17			*
18			* @package PhpMyAdmin
19			*/
20			class Sanitize
21			{
22			/**
23			* Checks whether given link is valid
24			*
25			* @param string $url URL to check
26			* @param boolean $http Whether to allow http links
27			* @param boolean $other Whether to allow ftp and mailto links
28			*
29			* @return boolean True if string can be used as link
30			*/
31			public static function checkLink($url, $http = false, $other = false)
32			{
33			$url = strtolower($url);
34			$valid_starts = [
35			'https://',
36			'./url.php?url=https%3a%2f%2f',
37			'./doc/html/',
38			// possible return values from Util::getScriptNameForOption
39			'./index.php?',
40			'./server_databases.php?',
41			'./server_status.php?',
42			'./server_variables.php?',
43			'./server_privileges.php?',
44			'./db_structure.php?',
45			'./db_sql.php?',
46			'./db_search.php?',
47			'./db_operations.php?',
48			'./tbl_structure.php?',
49			'./tbl_sql.php?',
50			'./tbl_select.php?',
51			'./tbl_change.php?',
52			'./sql.php?',
53			// Hardcoded options in \PhpMyAdmin\Config\SpecialSchemaLinks
54			'./db_events.php?',
55			'./db_routines.php?',
56			'./server_privileges.php?',
57			'./tbl_structure.php?',
58			];
59			$is_setup = $GLOBALS['PMA_Config'] !== null && $GLOBALS['PMA_Config']->get('is_setup');
60			// Adjust path to setup script location
61			if ($is_setup) {
62			foreach ($valid_starts as $key => $value) {
63			if (substr($value, 0, 2) === './') {
64			$valid_starts[$key] = '.' . $value;
65			}
66			}
67			}
68			if ($other) {
69			$valid_starts[] = 'mailto:';
70			$valid_starts[] = 'ftp://';
71			}
72			if ($http) {
73			$valid_starts[] = 'http://';
74			}
75			if ($is_setup) {
76			$valid_starts[] = '?page=form&';
77			$valid_starts[] = '?page=servers&';
78			}
79			foreach ($valid_starts as $val) {
80			if (substr($url, 0, strlen($val)) == $val) {
81			return true;
82			}
83			}
84			return false;
85			}
86
87			/**
88			* Callback function for replacing [a@link@target] links in bb code.
89			*
90			* @param array $found Array of preg matches
91			*
92			* @return string Replaced string
93			*/
94			public static function replaceBBLink(array $found)
95			{
96			/* Check for valid link */
97			if (! self::checkLink($found[1])) {
98			return $found[0];
99			}
100			/* a-z and _ allowed in target */
101			if (! empty($found[3]) && preg_match('/[^a-z_]+/i', $found[3])) {
102			return $found[0];
103			}
104
105			/* Construct target */
106			$target = '';
107			if (! empty($found[3])) {
108			$target = ' target="' . $found[3] . '"';
109			if ($found[3] == '_blank') {
110			$target .= ' rel="noopener noreferrer"';
111			}
112			}
113
114			/* Construct url */
115			if (substr($found[1], 0, 4) == 'http') {
116			$url = Core::linkURL($found[1]);
117			} else {
118			$url = $found[1];
119			}
120
121			return '<a href="' . $url . '"' . $target . '>';
122			}
123
124			/**
125			* Callback function for replacing [doc@anchor] links in bb code.
126			*
127			* @param array $found Array of preg matches
128			*
129			* @return string Replaced string
130			*/
131			public static function replaceDocLink(array $found)
132			{
133			if (count($found) >= 4) {
134			$page = $found[1];
135			$anchor = $found[3];
136			} else {
137			$anchor = $found[1];
138			if (strncmp('faq', $anchor, 3) == 0) {
139			$page = 'faq';
140			} elseif (strncmp('cfg', $anchor, 3) == 0) {
141			$page = 'config';
142			} else {
143			/* Guess */
144			$page = 'setup';
145			}
146			}
147			$link = Util::getDocuLink($page, $anchor);
148			return '<a href="' . $link . '" target="documentation">';
149			}
150
151			/**
152			* Sanitizes $message, taking into account our special codes
153			* for formatting.
154			*
155			* If you want to include result in element attribute, you should escape it.
156			*
157			* Examples:
158			*
159			* <p><?php echo Sanitize::sanitizeMessage($foo); ?></p>
160			*
161			* <a title="<?php echo Sanitize::sanitizeMessage($foo, true); ?>">bar</a>
162			*
163			* @param string $message the message
164			* @param boolean $escape whether to escape html in result
165			* @param boolean $safe whether string is safe (can keep < and > chars)
166			*
167			* @return string the sanitized message
168			*/
169			public static function sanitizeMessage($message, $escape = false, $safe = false)
170			{
171			if (! $safe) {
172			$message = strtr((string) $message, ['<' => '<', '>' => '>']);
173			}
174
175			/* Interpret bb code */
176			$replace_pairs = [
177			'[em]' => '<em>',
178			'[/em]' => '</em>',
179			'[strong]' => '<strong>',
180			'[/strong]' => '</strong>',
181			'[code]' => '<code>',
182			'[/code]' => '</code>',
183			'[kbd]' => '<kbd>',
184			'[/kbd]' => '</kbd>',
185			'[br]' => '<br>',
186			'[/a]' => '</a>',
187			'[/doc]' => '</a>',
188			'[sup]' => '<sup>',
189			'[/sup]' => '</sup>',
190			// used in common.inc.php:
191			'[conferr]' => '<iframe src="show_config_errors.php"><a href="show_config_errors.php">show_config_errors.php</a></iframe>',
192			// used in libraries/Util.php
193			'[dochelpicon]' => Util::getImage('b_help', __('Documentation')),
194			];
195
196			$message = strtr($message, $replace_pairs);
197
198			/* Match links in bb code ([a@url@target], where @target is options) */
199			$pattern = '/\[a@([^]"@])(@([^]"]))?\]/';
200
201			/* Find and replace all links */
202			$message = preg_replace_callback($pattern, function ($match) {
203			return self::replaceBBLink($match);
204			}, $message);
205
206			/* Replace documentation links */
207			$message = preg_replace_callback(
208			'/\[doc@([a-zA-Z0-9_-]+)(@([a-zA-Z0-9_-]*))?\]/',
209			function ($match) {
210			return self::replaceDocLink($match);
211			},
212			$message
213			);
214
215			/* Possibly escape result */
216			if ($escape) {
217			$message = htmlspecialchars($message);
218			}
219
220			return $message;
221			}
222
223
224			/**
225			* Sanitize a filename by removing anything besides legit characters
226			*
227			* Intended usecase:
228			* When using a filename in a Content-Disposition header
229			* the value should not contain ; or "
230			*
231			* When exporting, avoiding generation of an unexpected double-extension file
232			*
233			* @param string $filename The filename
234			* @param boolean $replaceDots Whether to also replace dots
235			*
236			* @return string the sanitized filename
237			*
238			*/
239			public static function sanitizeFilename($filename, $replaceDots = false)
240			{
241			$pattern = '/[^A-Za-z0-9_';
242			// if we don't have to replace dots
243			if (! $replaceDots) {
244			// then add the dot to the list of legit characters
245			$pattern .= '.';
246			}
247			$pattern .= '-]/';
248			$filename = preg_replace($pattern, '_', $filename);
249			return $filename;
250			}
251
252			/**
253			* Format a string so it can be a string inside JavaScript code inside an
254			* eventhandler (onclick, onchange, on..., ).
255			* This function is used to displays a javascript confirmation box for
256			* "DROP/DELETE/ALTER" queries.
257			*
258			* @param string $a_string the string to format
259			* @param boolean $add_backquotes whether to add backquotes to the string or not
260			*
261			* @return string the formatted string
262			*
263			* @access public
264			*/
265			public static function jsFormat($a_string = '', $add_backquotes = true)
266			{
267			$a_string = htmlspecialchars((string) $a_string);
268			$a_string = self::escapeJsString($a_string);
269			// Needed for inline javascript to prevent some browsers
270			// treating it as a anchor
271			$a_string = str_replace('#', '\\#', $a_string);
272
273			return $add_backquotes
274			? Util::backquote($a_string)
275			: $a_string;
276			} // end of the 'jsFormat' function
277
278			/**
279			* escapes a string to be inserted as string a JavaScript block
280			* enclosed by <![CDATA[ ... ]]>
281			* this requires only to escape ' with \' and end of script block
282			*
283			* We also remove NUL byte as some browsers (namely MSIE) ignore it and
284			* inserting it anywhere inside </script would allow to bypass this check.
285			*
286			* @param string $string the string to be escaped
287			*
288			* @return string the escaped string
289			*/
290			public static function escapeJsString($string)
291			{
292			return preg_replace(
293			'@</script@i',
294			'</\' + \'script',
295			strtr(
296			(string) $string,
297			[
298			"\000" => '',
299			'\\' => '\\\\',
300			'\'' => '\\\'',
301			'"' => '\"',
302			"\n" => '\n',
303			"\r" => '\r'
304			]
305			)
306			);
307			}
308
309			/**
310			* Formats a value for javascript code.
311			*
312			* @param string $value String to be formatted.
313			*
314			* @return string formatted value.
315			*/
316			public static function formatJsVal($value)
317			{
318			if (is_bool($value)) {
			0 ignored issues – show introduced 2018-10-19 11:45 UTC by Report Bug Copy Issue Report The condition `is_bool($value)` is always `false`. Loading history...
319			if ($value) {
320			return 'true';
321			}
322
323			return 'false';
324			}
325
326			if (is_int($value)) {
			0 ignored issues – show introduced 2018-10-19 11:45 UTC by Report Bug Copy Issue Report The condition `is_int($value)` is always `false`. Loading history...
327			return (int) $value;
328			}
329
330			return '"' . self::escapeJsString($value) . '"';
331			}
332
333			/**
334			* Formats an javascript assignment with proper escaping of a value
335			* and support for assigning array of strings.
336			*
337			* @param string $key Name of value to set
338			* @param mixed $value Value to set, can be either string or array of strings
339			* @param bool $escape Whether to escape value or keep it as it is
340			* (for inclusion of js code)
341			*
342			* @return string Javascript code.
343			*/
344			public static function getJsValue($key, $value, $escape = true)
345			{
346			$result = $key . ' = ';
347			if (! $escape) {
348			$result .= $value;
349			} elseif (is_array($value)) {
350			$result .= '[';
351			foreach ($value as $val) {
352			$result .= self::formatJsVal($val) . ",";
353			}
354			$result .= "];\n";
355			} else {
356			$result .= self::formatJsVal($value) . ";\n";
357			}
358			return $result;
359			}
360
361			/**
362			* Prints an javascript assignment with proper escaping of a value
363			* and support for assigning array of strings.
364			*
365			* @param string $key Name of value to set
366			* @param mixed $value Value to set, can be either string or array of strings
367			*
368			* @return void
369			*/
370			public static function printJsValue($key, $value)
371			{
372			echo self::getJsValue($key, $value);
373			}
374
375			/**
376			* Formats javascript assignment for form validation api
377			* with proper escaping of a value.
378			*
379			* @param string $key Name of value to set
380			* @param string $value Value to set
381			* @param boolean $addOn Check if $.validator.format is required or not
382			* @param boolean $comma Check if comma is required
383			*
384			* @return string Javascript code.
385			*/
386			public static function getJsValueForFormValidation($key, $value, $addOn, $comma)
387			{
388			$result = $key . ': ';
389			if ($addOn) {
390			$result .= '$.validator.format(';
391			}
392			$result .= self::formatJsVal($value);
393			if ($addOn) {
394			$result .= ')';
395			}
396			if ($comma) {
397			$result .= ', ';
398			}
399			return $result;
400			}
401
402			/**
403			* Prints javascript assignment for form validation api
404			* with proper escaping of a value.
405			*
406			* @param string $key Name of value to set
407			* @param string $value Value to set
408			* @param boolean $addOn Check if $.validator.format is required or not
409			* @param boolean $comma Check if comma is required
410			*
411			* @return void
412			*/
413			public static function printJsValueForFormValidation($key, $value, $addOn = false, $comma = true)
414			{
415			echo self::getJsValueForFormValidation($key, $value, $addOn, $comma);
416			}
417
418			/**
419			* Removes all variables from request except whitelisted ones.
420			*
421			* @param string[] $whitelist list of variables to allow
422			*
423			* @return void
424			* @access public
425			*/
426			public static function removeRequestVars(&$whitelist): void
427			{
428			// do not check only $_REQUEST because it could have been overwritten
429			// and use type casting because the variables could have become
430			// strings
431			if (! isset($_REQUEST)) {
432			$_REQUEST = [];
433			}
434			if (! isset($_GET)) {
435			$_GET = [];
436			}
437			if (! isset($_POST)) {
438			$_POST = [];
439			}
440			if (! isset($_COOKIE)) {
441			$_COOKIE = [];
442			}
443			$keys = array_keys(
444			array_merge((array) $_REQUEST, (array) $_GET, (array) $_POST, (array) $_COOKIE)
445			);
446
447			foreach ($keys as $key) {
448			if (! in_array($key, $whitelist)) {
449			unset($_REQUEST[$key], $_GET[$key], $_POST[$key]);
450			continue;
451			}
452
453			// allowed stuff could be compromised so escape it
454			// we require it to be a string
455			if (isset($_REQUEST[$key]) && ! is_string($_REQUEST[$key])) {
456			unset($_REQUEST[$key]);
457			}
458			if (isset($_POST[$key]) && ! is_string($_POST[$key])) {
459			unset($_POST[$key]);
460			}
461			if (isset($_COOKIE[$key]) && ! is_string($_COOKIE[$key])) {
462			unset($_COOKIE[$key]);
463			}
464			if (isset($_GET[$key]) && ! is_string($_GET[$key])) {
465			unset($_GET[$key]);
466			}
467			}
468			}
469			}
470

phpmyadmin / phpmyadmin

Push — master ( 0bb995...0feae3 )

Sanitize::sanitizeMessage() A

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like