Issues (4)

Security Analysis: no request data

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

code/BasicHtmlEditorConfig.php (2 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

Issue reported on the opening <?php line: File has mixed line endings; this may cause incorrect results.

Issue reported on the class declaration (Coding Style Compatibility): PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions.

You can fix this by adding a namespace to your class:

namespace YourVendor;

class YourClass { }

When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries.

Source listing:

<?php

/**
 * A PHP version of TinyMCE's configuration, to allow various parameters to be configured on a site or section basis
 *
 * There can be multiple HtmlEditorConfig's, which should always be created / accessed using HtmlEditorConfig::get. You can then set
 * the currently active config using set_active. Whichever config is active when HtmlEditorField#Field is called wins.
 *
 * @author "Hamish Friedlander" <[email protected]>
 * @package forms
 * @subpackage fields-formattedinput
 */
class BasicEditorConfig
{
    public static $configs = array();
    public static $current = null;

    /**
     * Get the HtmlEditorConfig object for the given identifier. This is the correct way to get an HtmlEditorConfig instance - do not call 'new'
     * @param $identifier string - the identifier for the config set
     * @return HtmlEditorConfig - the configuration object. This will be created if it does not yet exist for that identifier
     */
    public static function get($identifier = 'default')
    {
        if (!array_key_exists($identifier, self::$configs)) {
            self::$configs[$identifier] = new HtmlEditorConfig();
        }
        return self::$configs[$identifier];
    }

    /**
     * Set the currently active configuration object
     * @param $identifier string - the identifier for the config set
     * @return null
     */
    public static function set_active($identifier = null)
    {
        self::$current = $identifier;
    }

    /**
     * Get the currently active configuration object
     * @return HtmlEditorConfig - the active configuration object
     */
    public static function get_active()
    {
        $identifier = self::$current ? self::$current : 'default';
        return self::get($identifier);
    }

    /**
     * Get the available configurations as a map of configuration identifier
     * to friendly_name.
     * @return array
     */
    public static function get_available_configs_map()
    {
        $configs = array();

        foreach (self::$configs as $identifier => $config) {
            $configs[$identifier] = $config->getOption('friendly_name');
        }

        return $configs;
    }

    /**
     * Holder for all TinyMCE settings _except_ plugins and buttons
     */
    protected $settings = array(
        'friendly_name' => '(Please set a friendly name for this config)',
        'priority' => 0,
        'mode' => "specific_textareas",
        'editor_selector' => "htmleditor",
        'width' => "100%",
        'auto_resize' => false,
        'theme' => "advanced",

        'theme_advanced_layout_manager' => "SimpleLayout",
        'theme_advanced_toolbar_location' => "top",
        'theme_advanced_toolbar_align' => "left",
        'theme_advanced_toolbar_parent' => "right",

        'blockquote_clear_tag' => "p",
        'table_inline_editing' => true,

        'safari_warning' => false,
        'relative_urls' => true,
        'verify_html' => true,

    );

    /**
     * Holder list of enabled plugins
     */
    protected $plugins = array(
        'contextmenu' => null,
        'table' => null,
        'emotions' => null,
        'paste' => null,
        'advcode' => '../../../sapphire/thirdparty/tinymce-advcode/editor_plugin_src.js',
        'spellchecker' => null
    );

    /**
     * Holder list of buttons, organised by line
     */
    protected $buttons = array(
        1 => array('bold','italic','underline','strikethrough','separator','justifyleft','justifycenter','justifyright','justifyfull','formatselect','separator','bullist','numlist','outdent','indent','blockquote','hr','charmap'),
        2 => array('undo','redo','separator','cut','copy','paste','pastetext','pasteword','spellchecker','separator','advcode','search','replace','selectall','visualaid','separator','tablecontrols'),
        3 => array()
    );

    /**
     * Get the current value of an option
     * @param $k string - The key of the option to get
     * @return mixed - The value of the specified option, or null if it is not set
     */
    public function getOption($k)
    {
        if (isset($this->settings[$k])) {
            return $this->settings[$k];
        }
        return null;
    }

    /**
     * Set the value of one option
     * @param $k string - The key of the option to set
     * @param $v mixed - The value of the option to set
     * @return mixed - $v returned for chaining
     */
    public function setOption($k, $v)
    {
        return $this->settings[$k] = $v;
    }

    /**
     * Set multiple options
     * @param $a array - The options to set, as keys and values of the array
     * @return null
     */
    public function setOptions($a)
    {
        foreach ($a as $k=>$v) {
            $this->settings[$k] = $v;
        }
    }

    /**
     * Enable one or several plugins. Will maintain a unique list if an already
     * enabled plugin is re-passed. If passed in as a map of plugin-name to path,
     * the plugin will be loaded by tinymce.PluginManager.load() instead of through tinyMCE.init().
     * Keep in mind that these external plugins require a dash-prefix in their name.
     *
     * @see http://wiki.moxiecode.com/index.php/TinyMCE:API/tinymce.PluginManager/load
     *
     * @param String [0..] a string, or several strings, or a single array of strings - The plugins to enable
     * @return null
     */
    public function enablePlugins()
    {
        $plugins = func_get_args();
        if (is_array(current($plugins))) {
            $plugins = current($plugins);
        }
        foreach ($plugins as $plugin => $path) {
            // if plugins are passed without a path, the plugin name is the value and the key is a numeric index
            if (is_numeric($plugin)) {
                $plugin = $path;
                $path = null;
            }
            if (!array_key_exists($plugin, $this->plugins)) {
                $this->plugins[$plugin] = $path;
            }
        }
    }

    /**
     * Disable one or several plugins. Will properly handle being passed a plugin that is already disabled
     * @param String [0..] a string, or several strings, or a single array of strings - The plugins to disable
     * @return null
     */
    public function disablePlugins()
    {
        $plugins = func_get_args();
        if (is_array(current($plugins))) {
            $plugins = current($plugins);
        }

        foreach ($plugins as $plugin) {
            if (array_key_exists($plugin, $this->plugins)) {
                unset($this->plugins[$plugin]);
            }
        }
    }

    /**
     * @return Array
     */
    public function getPlugins()
    {
        return $this->plugins;
    }

    /**
     * Totally re-set the buttons on a given line
     *
     * @param integer from 1..3 - The line number to redefine
     * @param string  a string or several strings, or a single array of strings - The button names to make this line contain
     * @return null
     */
    public function setButtonsForLine()
    {
        if (func_num_args() == 2) {
            list($line, $buttons) = func_get_args();
        } else {
            $buttons = func_get_args();
            $line = array_shift($buttons);
        }
        $this->buttons[$line] = is_array($buttons) ? $buttons : array($buttons);
    }

    /**
     * Add buttons to the end of a line
     * @param integer from 1..3
     * @param string a string, or several strings, or a single array of strings - The button names to add to the end of this line
     * @return null
     */
    public function addButtonsToLine()
    {
        $inserts = func_get_args();
        $line = array_shift($inserts);
        // a single array argument is unwrapped; guard against being called with only a line number
        if (isset($inserts[0]) && is_array($inserts[0])) {
            $inserts = $inserts[0];
        }

        foreach ($inserts as $button) {
            $this->buttons[$line][] = $button;
        }
    }

    /**
     * Internal function for adding and removing buttons related to another button
     * @param $name string - the name of the button to modify
     * @param $offset integer - the offset relative to that button to perform an array_splice at - 0 for before $name, 1 for after
     * @param $del integer - the number of buttons to remove at the position given by index(string) + offset
     * @param $add mixed - an array or single item to insert at the position given by index(string) + offset, or null for no insertion
     * @return boolean - true if $name matched a button, false otherwise
     */
    protected function modifyButtons($name, $offset, $del=0, $add=null)
    {
        foreach ($this->buttons as &$buttons) {
            if (($idx = array_search($name, $buttons)) !== false) {
                // array_splice() casts its replacement to an array, so an empty array means "insert nothing"
                array_splice($buttons, $idx+$offset, $del, $add ? $add : array());
                return true;
            }
        }
        return false;
    }

    /**
     * Insert buttons before the first occurrence of another button
     * @param string - the name of the button to insert other buttons before
     * @param string a string, or several strings, or a single array of strings - the button names to insert before that button
     * @return boolean - true if insertion occurred, false if it did not (because the given button name was not found)
     */
    public function insertButtonsBefore()
    {
        $inserts = func_get_args();
        $before = array_shift($inserts);
        // a single array of button names is unwrapped so it is spliced in as separate buttons
        if (count($inserts) == 1 && is_array($inserts[0])) {
            $inserts = $inserts[0];
        }
        return $this->modifyButtons($before, 0, 0, $inserts);
    }

    /**
     * Insert buttons after the first occurrence of another button
     * @param string - the name of the button to insert other buttons after
     * @param string a string, or several strings, or a single array of strings - the button names to insert after that button
     * @return boolean - true if insertion occurred, false if it did not (because the given button name was not found)
     */
    public function insertButtonsAfter()
    {
        $inserts = func_get_args();
        $after = array_shift($inserts);
        // a single array of button names is unwrapped so it is spliced in as separate buttons
        if (count($inserts) == 1 && is_array($inserts[0])) {
            $inserts = $inserts[0];
        }
        return $this->modifyButtons($after, 1, 0, $inserts);
    }

    /**
     * Remove the first occurrence of each of the given buttons
     * @param string one or more strings - the names of the buttons to remove
     * @return null
     */
    public function removeButtons()
    {
        $removes = func_get_args();
        foreach ($removes as $button) {
            $this->modifyButtons($button, 0, 1);
        }
    }

    /**
     * Generate the javascript that will set tinyMCE's configuration to that of the current settings of this object
     * @return string - the javascript
     */
    public function generateJS()
    {
        $config = $this->settings;

        // plugins: those without a path are listed in the init config, those with a path are
        // loaded through tinymce.PluginManager.load() and referenced with the dash prefix
        $internalPlugins = array();
        $externalPluginsJS = '';
        foreach ($this->plugins as $plugin => $path) {
            if (!$path) {
                $internalPlugins[] = $plugin;
            } else {
                $internalPlugins[] = '-' . $plugin;
                $externalPluginsJS .= sprintf(
                    'tinymce.PluginManager.load("%s", "%s");' . "\n",
                    $plugin,
                    $path
                );
            }
        }
        $config['plugins'] = implode(',', $internalPlugins);

        foreach ($this->buttons as $i=>$buttons) {
            $config['theme_advanced_buttons'.$i] = implode(',', $buttons);
        }

        return "
if((typeof tinyMCE != 'undefined')) {
	$externalPluginsJS
	tinyMCE.init(" . Convert::raw2json($config) . ");
}
";
    }
}
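The plugin-loading path described in the enablePlugins() docblock and implemented in generateJS() above, as an added example that is not code from this file or from the SilverStripe project: it reproduces the internal/external plugin split and contrasts the file's sprintf("%s") emission of plugin name and path with a JSON-encoded emission that stays valid JavaScript for any value. Function names and the sample plugin map are assumptions made for this example.

```php
<?php
// Added example, not code from BasicHtmlEditorConfig.php or SilverStripe. It mirrors the
// plugin handling of enablePlugins()/generateJS(): plugins without a path go into the
// "plugins" init option, plugins with a path get a dash prefix and a PluginManager.load() call.
// generateJS() emits load() calls via sprintf('"%s"'), i.e. without any escaping.
function naiveLoadCall($plugin, $path)
{
    return sprintf('tinymce.PluginManager.load("%s", "%s");', $plugin, $path);
}

// JSON-encoding each value yields a valid JS string literal whatever it contains;
// the JSON_HEX_* flags also escape < > & ' " so the output is safe inside an inline <script>.
function safeLoadCall($plugin, $path)
{
    $flags = JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS;
    return sprintf(
        'tinymce.PluginManager.load(%s, %s);',
        json_encode($plugin, $flags),
        json_encode($path, $flags)
    );
}

// Same split as generateJS(): internal plugin names go into the init config,
// external ones are loaded separately and marked with the dash prefix.
function renderPluginJs(array $plugins)
{
    $internal = array();
    $loaders  = '';
    foreach ($plugins as $plugin => $path) {
        if (!$path) {
            $internal[] = $plugin;
        } else {
            $internal[] = '-' . $plugin;
            $loaders .= '    ' . safeLoadCall($plugin, $path) . "\n";
        }
    }
    $config = array('plugins' => implode(',', $internal));
    return "if (typeof tinyMCE != 'undefined') {\n" . $loaders
        . '    tinyMCE.init(' . json_encode($config, JSON_HEX_TAG | JSON_HEX_QUOT) . ");\n}\n";
}

// Constructed sample: a path containing a double quote shows why the naive form is fragile.
$sample = array(
    'paste'   => null,
    'advcode' => '../../../sapphire/thirdparty/tinymce-advcode/editor_plugin_src.js',
    'odd'     => 'plugins/odd "name"/editor_plugin.js',
);
echo naiveLoadCall('odd', $sample['odd']), "\n";  // unbalanced quotes: invalid JavaScript
echo renderPluginJs($sample);
```

The plugin map in this class is developer-supplied configuration rather than request data, which is consistent with the "no request data" result above; the encoded form simply removes the dependence on that assumption.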