Input_Core::xss_clean() - Code Metrics - vijinho/kohana2-legacy - Measure and Improve Code Quality continuously with Scrutinizer

Input_Core::xss_clean() D
last analyzed 2016-08-25 15:53 UTC

↳ Parent: Input_Core
Complexity

Conditions	9
Paths	18
Size

Total Lines	106
Code Lines	39
Duplication

Lines	0
Ratio	0 %
Importance

Changes	2
Bugs	1	Features	0
Metric	Value
cc	9
eloc	39
c	2
b	1
f	0
nc	18
nop	2
dl	0
loc	106
rs	4.8196
How to fix Long Method

<?php defined('SYSPATH') or die('No direct access allowed.');
/**
 * Input library.
 *
 * $Id: Input.php 4346 2009-05-11 17:08:15Z zombor $
 *
 * @package    Core
 * @author     Kohana Team
 * @copyright  (c) 2007-2008 Kohana Team
 * @license    http://kohanaphp.com/license.html
 */
class Input_Core
{

    // Enable or disable automatic XSS cleaning
    protected $use_xss_clean = false;

    // Are magic quotes enabled?
    protected $magic_quotes_gpc = false;

    // IP address of current user
    public $ip_address;

    // Input singleton
    protected static $instance;

    /**
     * Retrieve a singleton instance of Input. This will always be the first
     * created instance of this class.
     *
     * @return  object
     */
    public static function instance()
    {
        if (Input::$instance === null) {
            // Create a new instance
            return new Input;
        }

        return Input::$instance;
    }

    /**
     * Sanitizes global GET, POST and COOKIE data. Also takes care of
     * magic_quotes and register_globals, if they have been enabled.
     *
     * @return  void

     */
    public function __construct()
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        // Use XSS clean?
        $this->use_xss_clean = (bool) Kohana::config('core.global_xss_filtering');

        if (Input::$instance === null) {
            // magic_quotes_runtime is enabled
            if (get_magic_quotes_runtime()) {
                set_magic_quotes_runtime(0);
                Kohana::log('debug', 'Disable magic_quotes_runtime! It is evil and deprecated: http://php.net/magic_quotes');
            }

            // magic_quotes_gpc is enabled
            if (get_magic_quotes_gpc()) {
                $this->magic_quotes_gpc = true;
                Kohana::log('debug', 'Disable magic_quotes_gpc! It is evil and deprecated: http://php.net/magic_quotes');
            }

            // register_globals is enabled
            if (ini_get('register_globals')) {
                if (isset($_REQUEST['GLOBALS'])) {
                    // Prevent GLOBALS override attacks
                    exit('Global variable overload attack.');

                }

                // Destroy the REQUEST global
                $_REQUEST = array();

                // These globals are standard and should not be removed
                $preserve = array('GLOBALS', '_REQUEST', '_GET', '_POST', '_FILES', '_COOKIE', '_SERVER', '_ENV', '_SESSION');

                // This loop has the same effect as disabling register_globals
                foreach (array_diff(array_keys($GLOBALS), $preserve) as $key) {
                    global $$key;
                    $$key = null;

                    // Unset the global variable
                    unset($GLOBALS[$key], $$key);
                }

                // Warn the developer about register globals
                Kohana::log('debug', 'Disable register_globals! It is evil and deprecated: http://php.net/register_globals');
            }

            if (is_array($_GET)) {

                foreach ($_GET as $key => $val) {
                    // Sanitize $_GET
                    $_GET[$this->clean_input_keys($key)] = $this->clean_input_data($val);
                }
            } else {
                $_GET = array();
            }

            if (is_array($_POST)) {

                foreach ($_POST as $key => $val) {
                    // Sanitize $_POST
                    $_POST[$this->clean_input_keys($key)] = $this->clean_input_data($val);
                }
            } else {
                $_POST = array();
            }

            if (is_array($_COOKIE)) {
                foreach ($_COOKIE as $key => $val) {
                    // Ignore special attributes in RFC2109 compliant cookies
                    if ($key == '$Version' or $key == '$Path' or $key == '$Domain') {
                        continue;
                    }

                    // Sanitize $_COOKIE
                    $_COOKIE[$this->clean_input_keys($key)] = $this->clean_input_data($val);
                }
            } else {
                $_COOKIE = array();
            }

            // Create a singleton
            Input::$instance = $this;

            Kohana::log('debug', 'Global GET, POST and COOKIE data sanitized');
        }
    }

    /**
     * Fetch an item from the $_GET array.
     *
     * @param   string   key to find
     * @param   mixed    default value
     * @param   boolean  XSS clean the value
     * @return  mixed
     */
    public function get($key = array(), $default = null, $xss_clean = false)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return $this->search_array($_GET, $key, $default, $xss_clean);
    }

    /**
     * Fetch an item from the $_POST array.
     *
     * @param   string   key to find
     * @param   mixed    default value
     * @param   boolean  XSS clean the value
     * @return  mixed
     */
    public function post($key = array(), $default = null, $xss_clean = false)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return $this->search_array($_POST, $key, $default, $xss_clean);
    }

    /**
     * Fetch an item from the $_COOKIE array.
     *
     * @param   string   key to find
     * @param   mixed    default value
     * @param   boolean  XSS clean the value
     * @return  mixed
     */
    public function cookie($key = array(), $default = null, $xss_clean = false)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return $this->search_array($_COOKIE, $key, $default, $xss_clean);
    }

    /**
     * Fetch an item from the $_SERVER array.
     *
     * @param   string   key to find
     * @param   mixed    default value
     * @param   boolean  XSS clean the value
     * @return  mixed
     */
    public function server($key = array(), $default = null, $xss_clean = false)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return $this->search_array($_SERVER, $key, $default, $xss_clean);
    }

    /**
     * Fetch an item from a global array.
     *
     * @param   array    array to search
     * @param   string   key to find
     * @param   mixed    default value
     * @param   boolean  XSS clean the value
     * @return  mixed
     */
    protected function search_array($array, $key, $default = null, $xss_clean = false)
    {
        if ($key === array()) {
            return $array;
        }

        if (! isset($array[$key])) {
            return $default;
        }

        // Get the value
        $value = $array[$key];

        if ($this->use_xss_clean === false and $xss_clean === true) {
            // XSS clean the value
            $value = $this->xss_clean($value);
        }

        return $value;
    }

    /**
     * Fetch the IP Address.
     *
     * @return string
     */
    public function ip_address()
    {
        if ($this->ip_address !== null) {
            return $this->ip_address;
        }

        // Server keys that could contain the client IP address
        $keys = array('HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP', 'REMOTE_ADDR');

        foreach ($keys as $key) {
            if ($ip = $this->server($key)) {
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
                $this->ip_address = $ip;

                // An IP address has been found
                break;
            }
        }

        if ($comma = strrpos($this->ip_address, ',') !== false) {
            $this->ip_address = substr($this->ip_address, $comma + 1);
        }

        if (! valid::ip($this->ip_address)) {
            // Use an empty IP
            $this->ip_address = '0.0.0.0';
        }

        return $this->ip_address;
    }

    /**
     * Clean cross site scripting exploits from string.
     * HTMLPurifier may be used if installed, otherwise defaults to built in method.
     * Note - This function should only be used to deal with data upon submission.
     * It's not something that should be used for general runtime processing
     * since it requires a fair amount of processing overhead.
     *
     * @param   string  data to clean
     * @param   string  xss_clean method to use ('htmlpurifier' or defaults to built-in method)
     * @return  string
     */
    public function xss_clean($data, $tool = null)
    {
        if ($tool === null) {
            // Use the default tool
            $tool = Kohana::config('core.global_xss_filtering');
        }

        if (is_array($data)) {
            foreach ($data as $key => $val) {
                $data[$key] = $this->xss_clean($val, $tool);
            }

            return $data;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
        }

        // Do not clean empty strings
        if (trim($data) === '') {
            return $data;
        }

        if ($tool === true) {
            // NOTE: This is necessary because switch is NOT type-sensative!
            $tool = 'default';
        }

        switch ($tool) {
            case 'htmlpurifier':
                /**
                 * @todo License should go here, http://htmlpurifier.org/
                 */
                if (! class_exists('HTMLPurifier_Config', false)) {
                    // Load HTMLPurifier
                    require Kohana::find_file('vendor', 'htmlpurifier/HTMLPurifier.auto', true);
                    require 'HTMLPurifier.func.php';
                }

                // Set configuration
                $config = HTMLPurifier_Config::createDefault();
                $config->set('HTML', 'TidyLevel', 'none'); // Only XSS cleaning now

                // Run HTMLPurifier
                $data = HTMLPurifier($data, $config);
            break;
            default:
                // http://svn.bitflux.ch/repos/public/popoon/trunk/classes/externalinput.php
                // +----------------------------------------------------------------------+
                // | Copyright (c) 2001-2006 Bitflux GmbH                                 |
                // +----------------------------------------------------------------------+
                // | Licensed under the Apache License, Version 2.0 (the "License");      |
                // | you may not use this file except in compliance with the License.     |
                // | You may obtain a copy of the License at                              |
                // | http://www.apache.org/licenses/LICENSE-2.0                           |
                // | Unless required by applicable law or agreed to in writing, software  |
                // | distributed under the License is distributed on an "AS IS" BASIS,    |
                // | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or      |
                // | implied. See the License for the specific language governing         |
                // | permissions and limitations under the License.                       |
                // +----------------------------------------------------------------------+
                // | Author: Christian Stocker <[email protected]>                        |
                // +----------------------------------------------------------------------+
                //
                // Kohana Modifications:
                // * Changed double quotes to single quotes, changed indenting and spacing
                // * Removed magic_quotes stuff
                // * Increased regex readability:
                //   * Used delimeters that aren't found in the pattern
                //   * Removed all unneeded escapes
                //   * Deleted U modifiers and swapped greediness where needed
                // * Increased regex speed:
                //   * Made capturing parentheses non-capturing where possible
                //   * Removed parentheses where possible
                //   * Split up alternation alternatives
                //   * Made some quantifiers possessive

                // Fix &entity\n;
                $data = str_replace(array('&amp;', '&lt;', '&gt;'), array('&amp;amp;', '&amp;lt;', '&amp;gt;'), $data);
                $data = preg_replace('/(&#*\w+)[\x00-\x20]+;/u', '$1;', $data);
                $data = preg_replace('/(&#x*[0-9A-F]+);*/iu', '$1;', $data);
                $data = html_entity_decode($data, ENT_COMPAT, 'UTF-8');

                // Remove any attribute starting with "on" or xmlns
                $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

                // Remove javascript: and vbscript: protocols
                $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
                $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
                $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

                // Only works in IE: <span style="width: expression(alert('Ping!'));"></span>
                $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
                $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
                $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

                // Remove namespaced elements (we do not need them)
                $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

                do {
                    // Remove really unwanted tags
                    $old_data = $data;
                    $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
                } while ($old_data !== $data);
            break;
        }

        return $data;
    }

    /**
     * This is a helper method. It enforces W3C specifications for allowed
     * key name strings, to prevent malicious exploitation.
     *
     * @param   string  string to clean
     * @return  string
     */
    public function clean_input_keys($str)
    {
        $chars = PCRE_UNICODE_PROPERTIES ? '\pL' : 'a-zA-Z';

        if (! preg_match('#^['.$chars.'0-9:_.-]++$#uD', $str)) {
            exit('Disallowed key characters in global data.');

        }

        return $str;
    }

    /**
     * This is a helper method. It escapes data and forces all newline
     * characters to "\n".
     *
     * @param   unknown_type  string to clean
     * @return  string
     */
    public function clean_input_data($str)
    {
        if (is_array($str)) {

            $new_array = array();
            foreach ($str as $key => $val) {
                // Recursion!
                $new_array[$this->clean_input_keys($key)] = $this->clean_input_data($val);
            }
            return $new_array;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
        }

        if ($this->magic_quotes_gpc === true) {
            // Remove annoying magic quotes
            $str = stripslashes($str);
        }

        if ($this->use_xss_clean === true) {
            $str = $this->xss_clean($str);
        }

        if (strpos($str, "\r") !== false) {
            // Standardize newlines
            $str = str_replace(array("\r\n", "\r"), "\n", $str);
        }

        return $str;
    }
} // End Input Class

vijinho / kohana2-legacy

Input_Core::xss_clean() D last analyzed 2016-08-25 15:53 UTC

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like

Input_Core::xss_clean() D
last analyzed 2016-08-25 15:53 UTC
