title) ?>
+ *
+ */
+ static function purify($html) {
+ return SafeString::purify($html);
+ }
+
+ /**
+ * Flags the given string as safe to be used in HTML (free of malicious HTML/JS).
+ *
+ * Example:
+ * // Parameters to t() are automatically escaped by default.
+ * // If the parameter is marked as safe, it won't get escaped.
+ * t('Go there',
+ * array("url" => html::mark_safe(url::current())))
+ *
+ */
+ static function mark_safe($html) {
+ return SafeString::of_safe_html($html);
+ }
+
+ /**
+ * Escapes the given string for use in JavaScript.
+ *
+ * Example:
+ *
+ *
+ */
+ static function js_string($string) {
+ return SafeString::of($string)->for_js();
+ }
+
+ /**
+ * Returns a string safe for use in HTML element attributes.
+ *
+ * Assumes that the HTML element attribute is already
+ * delimited by single or double quotes
+ *
+ * Example:
+ * ;
+ *
+ *
+ * @return the string escaped for use in HTML attributes.
+ */
+ static function clean_attribute($string) {
+ return self::clean($string)->for_html_attr();
+ }
+}
diff --git a/modules/gallery/helpers/gallery.php b/modules/gallery/helpers/gallery.php
index 122227fc..035ed1da 100644
--- a/modules/gallery/helpers/gallery.php
+++ b/modules/gallery/helpers/gallery.php
@@ -92,7 +92,7 @@ class gallery_Core {
$can_add = $item && access::can("add", $item);
if ($can_add) {
- $menu->append($add_menu = Menu::factory("submenu")
+ $menu->append($add_menu = Menu::factory("submenu")
->id("add_menu")
->label(t("Add")));
$add_menu->append(Menu::factory("dialog")
@@ -100,11 +100,11 @@ class gallery_Core {
->label(t("Add photos"))
->url(url::site("simple_uploader/app/$item->id")));
if ($item->is_album()) {
- $add_menu->append(Menu::factory("dialog")
+ $add_menu->append(Menu::factory("dialog")
->id("add_album_item")
->label(t("Add an album"))
->url(url::site("form/add/albums/$item->id?type=album")));
- }
+ }
}
$menu->append($options_menu = Menu::factory("submenu")
diff --git a/modules/gallery/helpers/gallery_rss.php b/modules/gallery/helpers/gallery_rss.php
index 8e887368..dee6ae40 100644
--- a/modules/gallery/helpers/gallery_rss.php
+++ b/modules/gallery/helpers/gallery_rss.php
@@ -53,9 +53,9 @@ class gallery_rss_Core {
->descendants($limit, $offset, array("type" => "photo"));
$feed->max_pages = ceil(
$item->viewable()->descendants_count(array("type" => "photo")) / $limit);
- $feed->title = p::purify($item->title);
+ $feed->title = html::purify($item->title);
$feed->link = url::abs_site("albums/{$item->id}");
- $feed->description = nl2br(p::purify($item->description));
+ $feed->description = nl2br(html::purify($item->description));
return $feed;
}
diff --git a/modules/gallery/helpers/gallery_task.php b/modules/gallery/helpers/gallery_task.php
index 9edc3acd..c9557324 100644
--- a/modules/gallery/helpers/gallery_task.php
+++ b/modules/gallery/helpers/gallery_task.php
@@ -64,10 +64,10 @@ class gallery_task_Core {
if (!$success) {
$ignored[$item->id] = 1;
$errors[] = t("Unable to rebuild images for '%title'",
- array("title" => p::purify($item->title)));
+ array("title" => html::purify($item->title)));
} else {
$errors[] = t("Successfully rebuilt images for '%title'",
- array("title" => p::purify($item->title)));
+ array("title" => html::purify($item->title)));
}
}
diff --git a/modules/gallery/helpers/graphics.php b/modules/gallery/helpers/graphics.php
index a20c58dd..787f8dc3 100644
--- a/modules/gallery/helpers/graphics.php
+++ b/modules/gallery/helpers/graphics.php
@@ -443,7 +443,7 @@ class graphics_Core {
if (!module::get_var("gallery", "graphics_toolkit")) {
site_status::warning(
t("Graphics toolkit missing! Please
choose a toolkit",
- array("url" => url::site("admin/graphics"))),
+ array("url" => html::mark_safe(url::site("admin/graphics")))),
"missing_graphics_toolkit");
}
}
diff --git a/modules/gallery/helpers/p.php b/modules/gallery/helpers/p.php
deleted file mode 100644
index 862c769b..00000000
--- a/modules/gallery/helpers/p.php
+++ /dev/null
@@ -1,39 +0,0 @@
- $key_value) {
- foreach ($key_value as $key => $value) {
- $config->set("$category.$key", $value);
- }
- }
- self::$_purifier = new HTMLPurifier($config);
- }
- return self::$_purifier->purify($dirty_html);
- }
-}
diff --git a/modules/gallery/libraries/I18n.php b/modules/gallery/libraries/I18n.php
index d0531b9a..c3336052 100644
--- a/modules/gallery/libraries/I18n.php
+++ b/modules/gallery/libraries/I18n.php
@@ -89,6 +89,12 @@ class I18n_Core {
/**
* Translates a localizable message.
+ *
+ * Security:
+ * The returned string is safe for use in HTML (it contains a safe subset of HTML and
+ * interpolation parameters are converted to HTML entities).
+ * For use in JavaScript, please call ->for_js() on it.
+ *
* @param $message String|array The message to be translated. E.g. "Hello world"
* or array("one" => "One album", "other" => "%count albums")
* @param $options array (optional) Options array for key value pairs which are used
@@ -115,7 +121,7 @@ class I18n_Core {
$entry = $this->interpolate($locale, $entry, $values);
- return $entry;
+ return SafeString::of_safe_html($entry);
}
private function lookup($locale, $message) {
@@ -184,17 +190,19 @@ class I18n_Core {
return is_array($message);
}
- private function interpolate($locale, $string, $values) {
+ private function interpolate($locale, $string, $key_values) {
// TODO: Handle locale specific number formatting.
// Replace x_y before replacing x.
- krsort($values, SORT_STRING);
+ krsort($key_values, SORT_STRING);
$keys = array();
- foreach (array_keys($values) as $key) {
+ $values = array();
+ foreach ($key_values as $key => $value) {
$keys[] = "%$key";
+ $values[] = new SafeString($value);
}
- return str_replace($keys, array_values($values), $string);
+ return str_replace($keys, $values, $string);
}
private function pluralize($locale, $entry, $count) {
@@ -419,4 +427,4 @@ class I18n_Core {
return $count == 1 ? 'one' : 'other';
}
}
-}
\ No newline at end of file
+}
diff --git a/modules/gallery/libraries/MY_ORM.php b/modules/gallery/libraries/MY_ORM.php
index de8adc1d..2c9ad1d7 100644
--- a/modules/gallery/libraries/MY_ORM.php
+++ b/modules/gallery/libraries/MY_ORM.php
@@ -43,6 +43,10 @@ class ORM extends ORM_Core {
$this->original = clone $this;
}
+ if ($value instanceof SafeString) {
+ $value = $value->unescaped();
+ }
+
return parent::__set($column, $value);
}
diff --git a/modules/gallery/libraries/SafeString.php b/modules/gallery/libraries/SafeString.php
new file mode 100644
index 00000000..cc542e01
--- /dev/null
+++ b/modules/gallery/libraries/SafeString.php
@@ -0,0 +1,169 @@
+_is_safe_html = $string->_is_safe_html;
+ $this->_is_purified_html = $string->_is_purified_html;
+ $string = $string->unescaped();
+ }
+ $this->_raw_string = (string) $string;
+ }
+
+ /**
+ * Factory method returning a new SafeString instance for the given string.
+ */
+ static function of($string) {
+ return new SafeString($string);
+ }
+
+ /**
+ * Factory method returning a new SafeString instance after HTML purifying
+ * the given string.
+ */
+ static function purify($string) {
+ if ($string instanceof SafeString) {
+ $string = $string->unescaped();
+ }
+ $safe_string = self::of_safe_html(self::_purify_for_html($string));
+ $safe_string->_is_purified_html = true;
+ return $safe_string;
+ }
+
+ /**
+ * Factory method returning a new SafeString instance which won't HTML escape.
+ */
+ static function of_safe_html($string) {
+ $safe_string = new SafeString($string);
+ $safe_string->_is_safe_html = true;
+ return $safe_string;
+ }
+
+ /**
+ * Safe for use in HTML.
+ * @see #for_html()
+ */
+ function __toString() {
+ if ($this->_is_safe_html) {
+ return $this->_raw_string;
+ } else {
+ return self::_escape_for_html($this->_raw_string);
+ }
+ }
+
+ /**
+ * Safe for use in HTML.
+ *
+ * Example:
+ *
+ *
+ * @return the string escaped for use in HTML.
+ */
+ function for_html() {
+ return $this;
+ }
+
+ /**
+ * Safe for use as JavaScript string.
+ *
+ * Example:
+ *
+ *
+ * @return the string escaped for use in JavaScript.
+ */
+ function for_js() {
+ return json_encode((string) $this->_raw_string);
+ }
+
+ /**
+ * Safe for use in HTML element attributes.
+ *
+ * Assumes that the HTML element attribute is already
+ * delimited by single or double quotes
+ *
+ * Example:
+ * ;
+ *
+ *
+ * @return the string escaped for use in HTML attributes.
+ */
+ function for_html_attr() {
+ $string = (string) $this->for_html();
+ return strtr($string,
+ array("'"=>"'",
+ '"'=>'"'));
+ }
+
+ /**
+ * Safe for use HTML (purified HTML)
+ *
+ * Example:
+ * purified_html() ?>
+ *
+ * @return the string escaped for use in HTML.
+ */
+ function purified_html() {
+ if ($this->_is_purified_html) {
+ return $this;
+ } else {
+ return self::purify($this);
+ }
+ }
+
+ /**
+ * Returns the raw, unsafe string. Do not use lightly.
+ */
+ function unescaped() {
+ return $this->_raw_string;
+ }
+
+ // Escapes special HTML chars ("<", ">", "&", etc.) to HTML entities.
+ private static function _escape_for_html($dirty_html) {
+ return html::specialchars($dirty_html);
+ }
+
+ // Purifies the string, removing any potentially malicious or unsafe HTML / JavaScript.
+ private static function _purify_for_html($dirty_html) {
+ if (empty(self::$_purifier)) {
+ require_once(dirname(__file__) . "/../lib/HTMLPurifier/HTMLPurifier.auto.php");
+ $config = HTMLPurifier_Config::createDefault();
+ foreach (Kohana::config('purifier') as $category => $key_value) {
+ foreach ($key_value as $key => $value) {
+ $config->set("$category.$key", $value);
+ }
+ }
+ self::$_purifier = new HTMLPurifier($config);
+ }
+ return self::$_purifier->purify($dirty_html);
+ }
+}
diff --git a/modules/gallery/tests/File_Structure_Test.php b/modules/gallery/tests/File_Structure_Test.php
index 8a97e00b..9018f4c6 100644
--- a/modules/gallery/tests/File_Structure_Test.php
+++ b/modules/gallery/tests/File_Structure_Test.php
@@ -177,10 +177,20 @@ class File_Structure_Test extends Unit_Test_Case {
new GalleryCodeFilterIterator(
new RecursiveIteratorIterator(
new RecursiveDirectoryIterator(DOCROOT))));
+ $errors = array();
foreach ($dir as $file) {
- $this->assert_false(
- preg_match('/\t/', file_get_contents($file)),
- "{$file->getPathname()} has tabs in it");
+ $file_as_string = file_get_contents($file);
+ if (preg_match('/\t/', $file_as_string)) {
+ foreach (split("\n", $file_as_string) as $l => $line) {
+ if (preg_match('/\t/', $line)) {
+ $errors[] = "$file:$l has tab(s) ($line)";
+ }
+ }
+ }
+ $file_as_string = null;
+ }
+ if ($errors) {
+ $this->assert_false(true, "tab(s) found:\n" . join("\n", $errors));
}
}
diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
new file mode 100644
index 00000000..3623705e
--- /dev/null
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -0,0 +1,55 @@
+world");
+ $this->assert_equal("hello <p >world</p>",
+ $safe_string);
+ $this->assert_true($safe_string instanceof SafeString);
+ }
+
+ public function purify_test() {
+ $safe_string = html::purify("hello
world
");
+ $this->assert_equal("hello
world
",
+ $safe_string);
+ $this->assert_true($safe_string instanceof SafeString);
+ }
+
+ public function mark_safe_test() {
+ $safe_string = html::mark_safe("hello
world
");
+ $this->assert_true($safe_string instanceof SafeString);
+ $safe_string_2 = html::clean($safe_string);
+ $this->assert_equal("hello
world
",
+ $safe_string_2);
+ }
+
+ public function js_string_test() {
+ $string = html::js_string("hello's
world
");
+ $this->assert_equal('"hello\'s
world<\\/p>"',
+ $string);
+ }
+
+ public function clean_attribute_test() {
+ $safe_string = SafeString::of_safe_html("hello's
world
");
+ $safe_string = html::clean_attribute($safe_string);
+ $this->assert_equal("hello's
world
",
+ $safe_string);
+ }
+}
\ No newline at end of file
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
new file mode 100644
index 00000000..0895b7dd
--- /dev/null
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -0,0 +1,121 @@
+world");
+ $this->assert_equal("hello <p>world</p>",
+ $safe_string);
+ }
+
+ public function toString_for_safe_string_test() {
+ $safe_string = SafeString::of_safe_html("hello
world
");
+ $this->assert_equal("hello
world
",
+ $safe_string);
+ }
+
+ public function for_html_test() {
+ $safe_string = new SafeString("hello
world
");
+ $this->assert_equal("hello <p>world</p>",
+ $safe_string->for_html());
+ }
+
+ public function safestring_of_safestring_test() {
+ $safe_string = new SafeString("hello
world
");
+ $safe_string_2 = new SafeString($safe_string);
+ $this->assert_true($safe_string_2 instanceof SafeString);
+ $raw_string = $safe_string_2->unescaped();
+ $this->assert_false(is_object($raw_string));
+ $this->assert_equal("hello
world
", $raw_string);
+ $this->assert_equal("hello <p>world</p>", $safe_string_2);
+ }
+
+ public function for_js_test() {
+ $safe_string = new SafeString('"
Foo\'s bar"');
+ $js_string = $safe_string->for_js();
+ $this->assert_equal('"\\"
Foo<\\/em>\'s bar\\""',
+ $js_string);
+ }
+
+ public function for_html_attr_test() {
+ $safe_string = new SafeString('"Foo\'s bar"');
+ $attr_string = $safe_string->for_html_attr();
+ $this->assert_equal('"<em>Foo</em>'s bar"',
+ $attr_string);
+ }
+
+ public function for_html_attr_with_safe_html_test() {
+ $safe_string = SafeString::of_safe_html('"Foo\'s bar"');
+ $attr_string = $safe_string->for_html_attr();
+ $this->assert_equal('"Foo's bar"',
+ $attr_string);
+ }
+
+ public function string_safestring_equality_test() {
+ $safe_string = new SafeString("hello world
");
+ $this->assert_equal("hello world
",
+ $safe_string->unescaped());
+ $escaped_string = "hello <p>world</p>";
+ $this->assert_equal($escaped_string, $safe_string);
+
+ $this->assert_true($escaped_string == $safe_string);
+ $this->assert_false($escaped_string === $safe_string);
+ $this->assert_false("meow" == $safe_string);
+ }
+
+ public function of_test() {
+ $safe_string = SafeString::of("hello world
");
+ $this->assert_equal("hello world
", $safe_string->unescaped());
+ }
+
+ public function of_safe_html_test() {
+ $safe_string = SafeString::of_safe_html("hello world
");
+ $this->assert_equal("hello world
", $safe_string->for_html());
+ }
+
+ public function purify_test() {
+ $safe_string = SafeString::purify("hello world
");
+ $this->assert_equal("hello world
", $safe_string);
+ }
+
+ public function of_fluid_api_test() {
+ $escaped_string = SafeString::of("Foo's bar")->for_js();
+ $this->assert_equal('"Foo\'s bar"', $escaped_string);
+ }
+
+ public function safestring_of_safestring_preserves_safe_status_test() {
+ $safe_string = SafeString::of_safe_html("hello's world
");
+ $safe_string_2 = new SafeString($safe_string);
+ $this->assert_equal("hello's world
", $safe_string_2);
+ $this->assert_equal('"hello\'s world<\\/p>"', $safe_string_2->for_js());
+ }
+
+ public function safestring_of_safestring_preserves_html_safe_status_test() {
+ $safe_string = SafeString::of_safe_html("hello's
world
");
+ $safe_string_2 = new SafeString($safe_string);
+ $this->assert_equal("hello's world
", $safe_string_2);
+ $this->assert_equal('"hello\'s world<\\/p>"', $safe_string_2->for_js());
+ }
+
+ public function safestring_of_safestring_safe_status_override_test() {
+ $safe_string = new SafeString("hello
world
");
+ $safe_string_2 = SafeString::of_safe_html($safe_string);
+ $this->assert_equal("hello world
", $safe_string_2);
+ }
+}
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 9bde11dc..6c141c52 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -19,87 +19,336 @@
*/
class Xss_Security_Test extends Unit_Test_Case {
public function find_unescaped_variables_in_views_test() {
+ $found = array();
foreach (glob("*/*/views/*.php") as $view) {
- $expr = null;
- $level = 0;
- $php = 0;
- $str = null;
- $in_p_clean = 0;
+ // List of all tokens without whitespace, simplifying parsing.
+ $tokens = array();
foreach (token_get_all(file_get_contents($view)) as $token) {
- if (false /* useful for debugging */) {
- if (is_array($token)) {
- printf("[$str] [$in_p_clean] %-15s %s\n", token_name($token[0]), $token[1]);
- } else {
- printf("[$str] [$in_p_clean] %-15s %s\n", "", $token);
+ if (!is_array($token) || ($token[0] != T_WHITESPACE)) {
+ $tokens[] = $token;
+ }
+ }
+
+ $frame = null;
+ $script_block = 0;
+ $in_script_block = false;
+
+ for ($token_number = 0; $token_number < count($tokens); $token_number++) {
+ $token = $tokens[$token_number];
+
+ // Are we in a block?
+ if (is_array($token) && $token[0] == T_INLINE_HTML) {
+ $inline_html = $token[1];
+ // T_INLINE_HTML blocks can be split. Need to handle the case
+ // where one token has "expr_append($inline_html);
+ }
+
+ // Note: This approach won't catch }i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+ $last_match = array_pop($matches[0]);
+ if (is_array($last_match)) {
+ $closing_script_pos = $last_match[1];
+ } else {
+ $closing_script_pos = $last_match;
+ }
+ }
+ if (preg_match('{]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+ $last_match = array_pop($matches[0]);
+ if (is_array($last_match)) {
+ $opening_script_pos = $last_match[1];
+ } else {
+ $opening_script_pos = $last_match;
+ }
+ }
+ if ($opening_script_pos != $closing_script_pos) {
+ $in_script_block = $opening_script_pos > $closing_script_pos;
}
}
- // If we find a "(" after a "p::clean" then start counting levels of parens and assume
- // that we're inside a p::clean() call until we find the matching close paren.
- if ($token[0] == "(" && ($str == "p::clean" || $str == "p::purify")) {
- $in_p_clean = 1;
- } else if ($token[0] == "(" && $in_p_clean) {
- $in_p_clean++;
- } else if ($token[0] == ")" && $in_p_clean) {
- $in_p_clean--;
- }
-
- // Concatenate runs of strings for convenience, which we use above to figure out if we're
- // inside a p::clean() call or not
- if ($token[0] == T_STRING || $token[0] == T_DOUBLE_COLON) {
- $str .= $token[1];
- } else {
- $str = null;
- }
-
- // Scan for any occurrences of < ? = $variable ? > and store it in $expr
- if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
- $php++;
- } else if ($php && $token[0] == T_CLOSE_TAG) {
- $php--;
- } else if ($php && $token[0] == T_VARIABLE) {
- if (!$expr) {
- $entry = array($token[2], $in_p_clean);
+ // Look and report each instance of < ? = ... ? >
+ if (!is_array($token)) {
+ // A single char token, e.g: ; ( )
+ if ($frame) {
+ $frame->expr_append($token);
}
- $expr .= $token[1];
- } else if ($expr) {
- if ($token[0] == T_OBJECT_OPERATOR) {
- $expr .= $token[1];
- } else if ($token[0] == T_STRING) {
- $expr .= $token[1];
- } else if ($token == "(") {
- $expr .= $token;
- $level++;
- } else if ($level > 0 && $token == ")") {
- $expr .= $token;
- $level--;
- } else if ($level > 0) {
- $expr .= is_array($token) ? $token[1] : $token;
- } else {
- $entry[] = $expr;
- $found[$view][] = $entry;
- $expr = null;
- $entry = null;
+ } else if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
+ // No need for a stack here - assume < ? = cannot be nested.
+ $frame = self::_create_frame($token, $in_script_block);
+ } else if ($frame && $token[0] == T_CLOSE_TAG) {
+ // Store the < ? = ... ? > block that just ended here.
+ $found[$view][] = $frame;
+ $frame = null;
+ } else if ($frame && $token[0] == T_VARIABLE) {
+ $frame->expr_append($token[1]);
+ if ($token[1] == '$theme') {
+ if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("thumb_proportion", "site_menu", "album_menu", "tag_menu", "photo_menu",
+ "context_menu", "pager", "site_status", "messages", "album_blocks",
+ "album_bottom", "album_top", "body_attributes", "credits",
+ "dynamic_bottom", "dynamic_top", "footer", "head", "header_bottom",
+ "header_top", "page_bottom", "page_top", "photo_blocks", "photo_bottom",
+ "photo_top", "resize_bottom", "resize_top", "sidebar_blocks", "sidebar_bottom",
+ "sidebar_top", "thumb_bottom", "thumb_info", "thumb_top")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("->$method(");
+
+ $token_number += 3;
+ $token = $tokens[$token_number];
+
+ $frame->is_safe_html(true);
+ } else if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("css", "script", "url")) &&
+ self::_token_matches("(", $tokens, $token_number + 3) &&
+ // Only allow constant strings here
+ self::_token_matches(array(T_CONSTANT_ENCAPSED_STRING), $tokens, $token_number + 4)) {
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("->$method(");
+
+ $token_number += 4;
+ $token = $tokens[$token_number];
+
+ $frame->is_safe_html(true);
+ }
}
+ } else if ($frame && $token[0] == T_STRING) {
+ $frame->expr_append($token[1]);
+ // t() and t2() are special in that they're guaranteed to return a SafeString().
+ if (in_array($token[1], array("t", "t2"))) {
+ if (self::_token_matches("(", $tokens, $token_number + 1)) {
+ $frame->is_safe_html(true);
+ $frame->expr_append("(");
+
+ $token_number++;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "SafeString") {
+ // Looking for SafeString::of(...
+ if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1], array("of", "purify")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
+ // Not checking for of_safe_html(). We want such calls to be marked dirty (thus reviewed).
+
+ $frame->is_safe_html(true);
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
+
+ $token_number += 3;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "json_encode") {
+ if (self::_token_matches("(", $tokens, $token_number + 1)) {
+ $frame->is_safe_js(true);
+ $frame->expr_append("(");
+
+ $token_number++;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "url") {
+ // url methods return safe HTML
+ if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("site", "current", "base", "file", "abs_site", "abs_current",
+ "abs_file", "merge")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
+ $frame->is_safe_html(true);
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
+
+ $token_number += 3;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "html") {
+ if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("clean", "purify", "js_string", "clean_attribute")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
+ // Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
+
+ $token_number += 3;
+ $token = $tokens[$token_number];
+
+ if ("js_string" == $method) {
+ $frame->is_safe_js(true);
+ } else {
+ $frame->is_safe_html(true);
+ }
+ }
+ }
+ } else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
+ $frame->expr_append($token[1]);
+
+ if (self::_token_matches(array(T_STRING), $tokens, $token_number + 1) &&
+ in_array($tokens[$token_number + 1][1],
+ array("for_js", "for_html", "purified_html", "for_html_attr")) &&
+ self::_token_matches("(", $tokens, $token_number + 2)) {
+ $method = $tokens[$token_number + 1][1];
+ $frame->expr_append("$method(");
+
+ $token_number += 2;
+ $token = $tokens[$token_number];
+
+ if ("for_js" == $method) {
+ $frame->is_safe_js(true);
+ } else {
+ $frame->is_safe_html(true);
+ }
+ }
+ } else if ($frame) {
+ $frame->expr_append($token[1]);
}
}
}
- $canonical = MODPATH . "gallery/tests/xss_data.txt";
+ /*
+ * Generate the report
+ *
+ * States for uses of < ? = X ? >:
+ * DIRTY_JS:
+ * In
@@ -26,9 +26,9 @@
parents() as $parent): ?>
- - title) ?>
+ - title) ?>
- - title) ?>
+ - title) ?>
@@ -82,27 +82,26 @@
diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php
index 37578855..de6ce0e7 100644
--- a/modules/gallery/views/upgrader.html.php
+++ b/modules/gallery/views/upgrader.html.php
@@ -18,7 +18,7 @@
Gallery is up to date.",
- array("url" => url::site("albums/1"))) ?>
+ array("url" => html::mark_safe(url::site("albums/1")))) ?>