Merge pull request #313 from ins0/fix/xss
[WIP] Fix/Added escape helper to view output
Showing
20 changed files
with
383 additions
and
181 deletions.
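--- a/module/Application/src/Application/Service/HtmlPurifierFactory.php
+++ b/module/Application/src/Application/Service/HtmlPurifierFactory.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace Application\Service;
+
+use Zend\ServiceManager\FactoryInterface;
+use Zend\ServiceManager\ServiceLocatorInterface;
+
+class HtmlPurifierFactory implements FactoryInterface
+{
+/**
+* {@inheritDoc}
+*
+* @return \HTMLPurifier
+*/
+public function createService(ServiceLocatorInterface $serviceLocator)
+{
+$config = $serviceLocator->get('Config');
+
+$options = [];
+if (isset($config['htmlpurifier'])) {
+$options = $config['htmlpurifier'];
+}
+
+return new \HTMLPurifier($options);
+}
+}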
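Review bot: `createService` hands `$config['htmlpurifier']` to `new \HTMLPurifier($options)` without checking that it is an array, so a scalar or `null` placed under that key in the merged config reaches the constructor unvalidated; tightening the guard to `if (isset($config['htmlpurifier']) && is_array($config['htmlpurifier'])) {` keeps the contract explicit. Nothing in the factory sets `Cache.SerializerPath`, so unless the application config supplies it HTMLPurifier will try to write its definition cache under the library's own directory, which is frequently read-only in deployments; a comment pointing maintainers at that option (or a default under a writable data path) would avoid a silent cache failure in production. The docblock relies on `{@inheritDoc}` alone; one sentence such as `Builds the shared HTMLPurifier instance from the 'htmlpurifier' key of the merged 'Config' service.` would tell readers where the options come from.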
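--- a/module/Application/src/Application/View/Helper/SanitizeHtml.php
+++ b/module/Application/src/Application/View/Helper/SanitizeHtml.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace Application\View\Helper;
+
+use Zend\View\Helper\AbstractHelper;
+
+class SanitizeHtml extends AbstractHelper
+{
+private $htmlPurifier;
+
+public function __construct(\HTMLPurifier $htmlPurifier)
+{
+$this->htmlPurifier = $htmlPurifier;
+}
+
+public function __invoke($dirtyHtml)
+{
+return $this->htmlPurifier->purify($dirtyHtml);
+}
+}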
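Review bot: `__invoke` is undocumented, and the helper's name invites misuse: `purify()` returns markup that is meant to be echoed raw, so this helper is for fields that legitimately contain rich HTML and is not a substitute for `escapeHtml` on plain values. Suggest a docblock on `__invoke` along the lines of `@param string $dirtyHtml Untrusted HTML fragment` / `@return string Purified HTML, safe to output raw in HTML body context only (not in attributes, URLs or scripts)`. `purify()` expects a string, and a view may pass `null` or an object with `__toString`; casting with `return $this->htmlPurifier->purify((string) $dirtyHtml);` makes that conversion explicit rather than implicit.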
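--- a/module/Application/src/Application/View/Helper/SanitizeHtmlFactory.php
+++ b/module/Application/src/Application/View/Helper/SanitizeHtmlFactory.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Application\View\Helper;
+
+use Zend\ServiceManager\FactoryInterface;
+use Zend\ServiceManager\ServiceLocatorInterface;
+
+class SanitizeHtmlFactory implements FactoryInterface
+{
+/**
+* {@inheritDoc}
+*
+* @return SanitizeHtml
+*/
+public function createService(ServiceLocatorInterface $pluginManager)
+{
+/** @var \Zend\View\HelperPluginManager $pluginManager */
+$serviceLocator = $pluginManager->getServiceLocator();
+$htmlPurifier = $serviceLocator->get(\HTMLPurifier::class);
+
+return new SanitizeHtml($htmlPurifier);
+}
+}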
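Review bot: `createService` calls `getServiceLocator()` on a parameter declared only as `ServiceLocatorInterface`, relying on the inline `@var` to assert the real type; if the factory is ever registered under a plain service manager the failure is an undefined-method fatal error rather than a clear message. A guard such as `if (! $pluginManager instanceof \Zend\View\HelperPluginManager) { throw new \RuntimeException('SanitizeHtmlFactory must be registered with the view helper manager'); }` before the lookup makes the requirement explicit. A one-line comment saying that the purifier is resolved from the application-level service manager (the helper manager's parent) rather than from the helper manager itself would explain the indirection to readers.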
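--- a/module/Application/test/ApplicationTest/Integration/Service/HtmlPurifierTest.php
+++ b/module/Application/test/ApplicationTest/Integration/Service/HtmlPurifierTest.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace ApplicationTest\Integration\Service;
+
+use ApplicationTest\Integration\Util\Bootstrap;
+use PHPUnit_Framework_TestCase;
+
+class HtmlPurifierTest extends PHPUnit_Framework_TestCase
+{
+public function testServiceCanBeRetrieved()
+{
+$serviceManager = Bootstrap::getServiceManager();
+
+$this->assertInstanceOf(
+\HTMLPurifier::class,
+$serviceManager->get(\HTMLPurifier::class)
+);
+}
+}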
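--- a/module/Application/test/ApplicationTest/Integration/View/Helper/SanitizeHtmlTest.php
+++ b/module/Application/test/ApplicationTest/Integration/View/Helper/SanitizeHtmlTest.php
@@ -0,0 +1,37 @@
+<?php
+
+namespace ApplicationTest\Integration\View\Helper;
+
+use Application\View\Helper\SanitizeHtml;
+use ApplicationTest\Integration\Util\Bootstrap;
+use PHPUnit_Framework_TestCase;
+
+class SanitizeHtmlTest extends PHPUnit_Framework_TestCase
+{
+public function testServiceCanBeRetrieved()
+{
+$serviceManager = Bootstrap::getServiceManager();
+
+/* @var \Zend\View\HelperPluginManager $viewHelperManager */
+$viewHelperManager = $serviceManager->get('ViewHelperManager');
+
+$this->assertInstanceOf(
+SanitizeHtml::class,
+$viewHelperManager->get('sanitizeHtml')
+);
+}
+
+public function testHtmlGetsCleaned()
+{
+$serviceManager = Bootstrap::getServiceManager();
+
+/* @var \Zend\View\HelperPluginManager $viewHelperManager */
+$viewHelperManager = $serviceManager->get('ViewHelperManager');
+
+/* @var \Application\View\Helper\SanitizeHtml $sanitizeHtmlHelper */
+$sanitizeHtmlHelper = $viewHelperManager->get('sanitizeHtml');
+
+$dirtyHtml = 'Foo<script>alert(\'I_WILL_BE_REMOVED\');</script>Bar';
+$this->assertEquals('FooBar', $sanitizeHtmlHelper->__invoke($dirtyHtml));
+}
+}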
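Review bot: `testHtmlGetsCleaned` only shows that a `<script>` element is dropped; it does not show that permitted markup survives, so a misconfigured purifier that strips every tag would still pass and the helper's purpose (keeping rich text) goes unverified. A second assertion such as `$this->assertEquals('<b>Foo</b>Bar', $sanitizeHtmlHelper('<b>Foo</b>Bar'));` (adjusted to whatever `HTML.AllowedElements` the application config permits) pins both halves of the contract. Both tests repeat the service-manager and helper-manager lookups; a private `getHelper()` method would remove the duplication, and invoking the helper as `$sanitizeHtmlHelper($dirtyHtml)` instead of `->__invoke($dirtyHtml)` mirrors how views call it.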
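--- a/module/Application/test/ApplicationTest/Service/HtmlPurifierTest.php
+++ b/module/Application/test/ApplicationTest/Service/HtmlPurifierTest.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace ApplicationTest\Integration\View\Helper;
+
+use Application\Service\HtmlPurifierFactory;
+use PHPUnit_Framework_TestCase;
+use Zend\ServiceManager\ServiceManager;
+
+class HtmlPurifierTest extends PHPUnit_Framework_TestCase
+{
+public function testConfigCanBePassedToService()
+{
+$config = [
+'htmlpurifier' => [
+'HTML.AllowedElements' => 'foo'
+]
+];
+
+$serviceMock = $this->getMock(ServiceManager::class, ['get']);
+$serviceMock
+->expects($this->once())
+->method('get')
+->with($this->equalTo('Config'))
+->willReturn($config);
+
+$factory = new HtmlPurifierFactory();
+$htmlPurifierInstance = $factory->createService($serviceMock);
+
+$this->assertArrayHasKey('foo', $htmlPurifierInstance->config->get('HTML.AllowedElements'));
+}
+}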
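Review bot: The declared namespace `ApplicationTest\Integration\View\Helper` does not match the file's path `module/Application/test/ApplicationTest/Service/HtmlPurifierTest.php`, so the class cannot be autoloaded by its declared name and it misrepresents a unit test of the factory as an integration test of a view helper; change line 3 to `namespace ApplicationTest\Service;`. This test covers only the case where the `htmlpurifier` key is present; a companion test returning a config without that key, asserting the factory still yields an `\HTMLPurifier`, would cover the default branch of `createService`. A short comment above the final assertion explaining that `HTMLPurifier::$config` is inspected because the forwarded options are the factory's only observable effect would make the reach into the purifier's internals look deliberate.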
@@ -1,14 +1,14 @@ | ||
<?php foreach($results as $module) {?> | ||
<?php foreach($results as $module): ?> | ||
<div class="row-fluid"> | ||
<div class="span12"> | ||
<div class="span2"> | ||
<img src="<?php echo $module->getPhotoUrl()?>" alt="<?php echo $module->getName()?>" class="avatar"> | ||
<img src="<?php echo $this->escapeUrl($module->getPhotoUrl()); ?>" alt="<?php echo $this->escapeHtmlAttr($module->getName()); ?>" class="avatar"> | ||
</div> | ||
<div class="span10"> | ||
<a href="<?php echo $module->getUrl()?>"><?php echo $module->getName()?></a><br> | ||
<?php echo $module->getDescription()?> | ||
<a href="<?php echo $this->escapeUrl($module->getUrl()); ?>"><?php echo $this->escapeHtml($module->getName()); ?></a><br> | ||
<?php echo $this->escapeHtml($module->getDescription()); ?> | ||
</div> | ||
</div> | ||
</div> | ||
<hr style="margin:2px;padding:0;"/> | ||
<?php } ?> | ||
<?php endforeach; ?> |
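Review bot: `escapeUrl` is the wrong escaper for the whole `href` and `src` values on the new lines: Zend's escapeUrl applies rawurlencode-style percent-encoding and is meant for untrusted data embedded inside a URL component, so if `getUrl()` and `getPhotoUrl()` return full URLs (as the link and image targets suggest) `https://…` becomes `https%3A%2F%2F…` and both the link and the avatar break. For a complete URL placed in an attribute the attribute context is what matters, so use `<img src="<?php echo $this->escapeHtmlAttr($module->getPhotoUrl()); ?>" alt="…">` and `<a href="<?php echo $this->escapeHtmlAttr($module->getUrl()); ?>">`; if the URL itself can originate from user-controlled data, the scheme should additionally be restricted to `http`/`https` before output, since attribute escaping does not neutralise a `javascript:` target. The file this hunk belongs to is not named on this page, so please check the same pattern in the other templates touched by this commit.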