Issues in InputElement.php (master) - Issues in master - splitbrain/dokuwiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (847)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

inc/Form/InputElement.php (3 issues)

Labels

Bug 3

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace dokuwiki\Form;

/**
 * Class InputElement
 *
 * Base class for all input elements. Uses a wrapping label when label
 * text is given.
 *
 * @todo figure out how to make wrapping or related label configurable
 * @package dokuwiki\Form
 */
class InputElement extends Element
{
    /**
     * @var LabelElement
     */
    protected $label = null;

    /**
     * @var bool if the element should reflect posted values
     */
    protected $useInput = true;

    /**
     * @param string $type The type of this element
     * @param string $name The name of this form element
     * @param string $label The label text for this element (will be autoescaped)
     */
    public function __construct($type, $name, $label = '')
    {
        parent::__construct($type, array('name' => $name));
        $this->attr('name', $name);
        $this->attr('type', $type);
        if ($label) $this->label = new LabelElement($label);
    }

    /**
     * Returns the label element if there's one set
     *
     * @return LabelElement|null
     */
    public function getLabel()
    {
        return $this->label;
    }

    /**
     * Should the user sent input be used to initialize the input field
     *
     * The default is true. Any set values will be overwritten by the INPUT
     * provided values.
     *
     * @param bool $useinput
     * @return $this
     */
    public function useInput($useinput)
    {
        $this->useInput = (bool) $useinput;
        return $this;
    }

    /**
     * Get or set the element's ID
     *
     * @param null|string $id
     * @return string|$this
     */
    public function id($id = null)
    {
        if ($this->label) $this->label->attr('for', $id);
        return parent::id($id);
    }

    /**
     * Adds a class to the class attribute
     *
     * This is the preferred method of setting the element's class
     *
     * @param string $class the new class to add
     * @return $this
     */
    public function addClass($class)
    {
        if ($this->label) $this->label->addClass($class);
        return parent::addClass($class);
    }

    /**
     * Figures out how to access the value for this field from INPUT data
     *
     * The element's name could have been given as a simple string ('foo')
     * or in array notation ('foo[bar]').
     *
     * Note: this function only handles one level of arrays. If your data
     * is nested deeper, you should call useInput(false) and set the
     * correct value yourself
     *
     * @return array name and array key (null if not an array)
     */
    protected function getInputName()
    {
        $name = $this->attr('name');
        parse_str("$name=1", $parsed);

        $name = array_keys($parsed);
        $name = array_shift($name);

        if (isset($parsed[$name]) && is_array($parsed[$name])) {
            $key = array_keys($parsed[$name]);
            $key = array_shift($key);
        } else {
            $key = null;
        }

        return array($name, $key);
    }

    /**
     * Handles the useInput flag and set the value attribute accordingly
     */
    protected function prefillInput()
    {
        global $INPUT;

        list($name, $key) = $this->getInputName();
        if (!$INPUT->has($name)) return;

        if ($key === null) {
            $value = $INPUT->str($name);
        } else {
            $value = $INPUT->arr($name);
            if (isset($value[$key])) {
                $value = $value[$key];
            } else {
                $value = '';
            }
        }
        $this->val($value);
    }

    /**
     * The HTML representation of this element
     *
     * @return string
     */
    protected function mainElementHTML()
    {
        if ($this->useInput) $this->prefillInput();
        return '<input '. buildAttributes($this->attrs()) .' />';

    }

    /**
     * The HTML representation of this element wrapped in a label
     *
     * @return string
     */
    public function toHTML()
    {
        if ($this->label) {
            return '<label '. buildAttributes($this->label->attrs()) .'>'.DOKU_LF

                .'<span>'. hsc($this->label->val()) .'</span>'.DOKU_LF

                . $this->mainElementHTML() .DOKU_LF
                .'</label>';
        } else {
            return $this->mainElementHTML();
        }
    }
}


1			<?php
2
3			namespace dokuwiki\Form;
4
5			/**
6			* Class InputElement
7			*
8			* Base class for all input elements. Uses a wrapping label when label
9			* text is given.
10			*
11			* @todo figure out how to make wrapping or related label configurable
12			* @package dokuwiki\Form
13			*/
14			class InputElement extends Element
15			{
16			/**
17			* @var LabelElement
18			*/
19			protected $label = null;
20
21			/**
22			* @var bool if the element should reflect posted values
23			*/
24			protected $useInput = true;
25
26			/**
27			* @param string $type The type of this element
28			* @param string $name The name of this form element
29			* @param string $label The label text for this element (will be autoescaped)
30			*/
31			public function __construct($type, $name, $label = '')
32			{
33			parent::__construct($type, array('name' => $name));
34			$this->attr('name', $name);
35			$this->attr('type', $type);
36			if ($label) $this->label = new LabelElement($label);
37			}
38
39			/**
40			* Returns the label element if there's one set
41			*
42			* @return LabelElement\|null
43			*/
44			public function getLabel()
45			{
46			return $this->label;
47			}
48
49			/**
50			* Should the user sent input be used to initialize the input field
51			*
52			* The default is true. Any set values will be overwritten by the INPUT
53			* provided values.
54			*
55			* @param bool $useinput
56			* @return $this
57			*/
58			public function useInput($useinput)
59			{
60			$this->useInput = (bool) $useinput;
61			return $this;
62			}
63
64			/**
65			* Get or set the element's ID
66			*
67			* @param null\|string $id
68			* @return string\|$this
69			*/
70			public function id($id = null)
71			{
72			if ($this->label) $this->label->attr('for', $id);
73			return parent::id($id);
74			}
75
76			/**
77			* Adds a class to the class attribute
78			*
79			* This is the preferred method of setting the element's class
80			*
81			* @param string $class the new class to add
82			* @return $this
83			*/
84			public function addClass($class)
85			{
86			if ($this->label) $this->label->addClass($class);
87			return parent::addClass($class);
88			}
89
90			/**
91			* Figures out how to access the value for this field from INPUT data
92			*
93			* The element's name could have been given as a simple string ('foo')
94			* or in array notation ('foo[bar]').
95			*
96			* Note: this function only handles one level of arrays. If your data
97			* is nested deeper, you should call useInput(false) and set the
98			* correct value yourself
99			*
100			* @return array name and array key (null if not an array)
101			*/
102			protected function getInputName()
103			{
104			$name = $this->attr('name');
105			parse_str("$name=1", $parsed);
106
107			$name = array_keys($parsed);
108			$name = array_shift($name);
109
110			if (isset($parsed[$name]) && is_array($parsed[$name])) {
111			$key = array_keys($parsed[$name]);
112			$key = array_shift($key);
113			} else {
114			$key = null;
115			}
116
117			return array($name, $key);
118			}
119
120			/**
121			* Handles the useInput flag and set the value attribute accordingly
122			*/
123			protected function prefillInput()
124			{
125			global $INPUT;
126
127			list($name, $key) = $this->getInputName();
128			if (!$INPUT->has($name)) return;
129
130			if ($key === null) {
131			$value = $INPUT->str($name);
132			} else {
133			$value = $INPUT->arr($name);
134			if (isset($value[$key])) {
135			$value = $value[$key];
136			} else {
137			$value = '';
138			}
139			}
140			$this->val($value);
141			}
142
143			/**
144			* The HTML representation of this element
145			*
146			* @return string
147			*/
148			protected function mainElementHTML()
149			{
150			if ($this->useInput) $this->prefillInput();
151			return '<input '. buildAttributes($this->attrs()) .' />';
			0 ignored issues – show Bug introduced 2015-11-25 07:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$this->attrs()` targeting `dokuwiki\Form\Element::attrs()` can also be of type `this<dokuwiki\Form\InputElement>`; however, `buildAttributes()` does only seem to accept `array`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
152			}
153
154			/**
155			* The HTML representation of this element wrapped in a label
156			*
157			* @return string
158			*/
159			public function toHTML()
160			{
161			if ($this->label) {
162			return '<label '. buildAttributes($this->label->attrs()) .'>'.DOKU_LF
			0 ignored issues – show Bug introduced 2020-07-07 11:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$this->label->attrs()` targeting `dokuwiki\Form\Element::attrs()` can also be of type `object<dokuwiki\Form\LabelElement>`; however, `buildAttributes()` does only seem to accept `array`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
163			.'<span>'. hsc($this->label->val()) .'</span>'.DOKU_LF
			0 ignored issues – show Bug introduced 2015-11-25 07:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$this->label->val()` targeting `dokuwiki\Form\ValueElement::val()` can also be of type `object<dokuwiki\Form\LabelElement>`; however, `hsc()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
164			. $this->mainElementHTML() .DOKU_LF
165			.'</label>';
166			} else {
167			return $this->mainElementHTML();
168			}
169			}
170			}
171

splitbrain / dokuwiki

Issues (847)

Security Analysis not enabled

inc/Form/InputElement.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like