From 23ab1b93baa71939b2cfbb3969106758775726f5 Mon Sep 17 00:00:00 2001 From: Carlos Garcia Gomez Date: Wed, 4 May 2022 11:04:10 +0200 Subject: [PATCH] Escaped the html of the user not found message (from the cookie). And escaped all the html when displaying values in the debug bar. ------ Escapado el html del mensaje de usuario no encontrado (de la cookie). Y escapado todo el html al mostrar valores en la barra de debug. --- Core/App/AppController.php | 2 +- Core/Base/Debug/DebugBar.php | 71 ++++++------------------------------ 2 files changed, 12 insertions(+), 61 deletions(-) diff --git a/Core/App/AppController.php b/Core/App/AppController.php index 0dd563c518..1910311926 100644 --- a/Core/App/AppController.php +++ b/Core/App/AppController.php @@ -318,7 +318,7 @@ private function cookieAuth(User &$user) return false; } - ToolBox::i18nLog()->warning('login-user-not-found', ['%nick%' => $cookieNick]); + ToolBox::i18nLog()->warning('login-user-not-found', ['%nick%' => htmlspecialchars($cookieNick)]); return false; } diff --git a/Core/Base/Debug/DebugBar.php b/Core/Base/Debug/DebugBar.php index b2cf204fcb..c4cd58a23b 100644 --- a/Core/Base/Debug/DebugBar.php +++ b/Core/Base/Debug/DebugBar.php @@ -41,17 +41,11 @@ class DebugBar extends DumbBar */ private static $init = []; - /** - * @param string $task - */ public static function end(string $task = '') { self::$end[$task] = microtime(true); } - /** - * @return string - */ public function render(): string { $items = []; @@ -65,38 +59,23 @@ public function render(): string return '
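Review bot: Escaping the nick at log time rather than at render time is fragile: `htmlspecialchars($cookieNick)` with default flags leaves single quotes alone on PHP before 8.1 (default `ENT_COMPAT`), and the stored warning now carries HTML entities into every consumer of the i18n log, including any plain-text sink. If the value has to be escaped here, pin the flags: `'%nick%' => htmlspecialchars($cookieNick, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The cleaner shape is to keep the raw nick in the message and escape wherever log messages are written into HTML, otherwise the same nick gets escaped twice once a fully correct escaper runs in DebugBar::renderTable. cookieAuth's body starts and ends outside the hunk.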
' . $this->renderSections($items) . '
'; } - /** - * @return string - */ public function renderHead(): string { return '' . ''; } - /** - * @param string $task - */ public static function start(string $task = '') { self::$init[$task] = microtime(true); } - /** - * @param array $items - * @param string $label - * @param array $data - * @param bool $counter - */ private function addItem(array &$items, string $label, array $data, bool $counter = false) { $key = 1 + count($items); $items[$key] = ['label' => $label, 'data' => $data, 'counter' => $counter]; } - /** - * @param array $items - */ private function addItemAssets(array &$items) { foreach (['css', 'js'] as $type) { @@ -108,9 +87,6 @@ private function addItemAssets(array &$items) } } - /** - * @param array $items - */ private function addItemInputs(array &$items) { $inputs = [ @@ -128,20 +104,17 @@ private function addItemInputs(array &$items) $data = []; foreach ($rows as $key => $value) { if (is_array($value)) { - $data[] = [htmlspecialchars($key), json_encode($value)]; + $data[] = [$key, json_encode($value)]; continue; } - $data[] = [htmlspecialchars($key), htmlspecialchars($value)]; + $data[] = [$key, $value]; } $this->addItem($items, $label, $data, true); } } - /** - * @param array $items - */ private function addItemLogs(array &$items) { $channels = []; @@ -169,9 +142,6 @@ private function addItemLogs(array &$items) } } - /** - * @param array $items - */ private function addItemMemory(array &$items) { $usage = memory_get_usage(); @@ -186,9 +156,6 @@ private function addItemMemory(array &$items) $this->addItem($items, $label, $data); } - /** - * @param array $items - */ private function addItemTimer(array &$items) { $totalTime = microtime(true) - self::$init['']; @@ -207,9 +174,6 @@ private function addItemTimer(array &$items) $this->addItem($items, $label, $data); } - /** - * @param array $items - */ private function addItemTranslations(array &$items) { $i18n = new Translator(); 
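Review bot: The `json_encode($value)` on the array branch has no error handling, so a request array containing malformed UTF-8 (anything a client can place in the superglobals, if that is what `$rows` holds here) yields `false`, which reaches `noHtml(string)` in renderTable either as an empty cell under coercive typing or as a TypeError if the file declares `strict_types=1` — the file header is not on this page. Either way the debug row silently loses the one value a tester most wants to inspect. Consider `$data[] = [$key, json_encode($value, JSON_INVALID_UTF8_SUBSTITUTE) ?: ''];`. Dropping the per-key htmlspecialchars here is fine only as long as every consumer of `$items` goes through renderTable's escaping; addItemInputs begins before this hunk.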
@@ -220,22 +184,19 @@ private function addItemTranslations(array &$items) } } - /** - * @param int $size - * - * @return string - */ private function getSize(int $size): string { $unit = ['b', 'kb', 'mb', 'gb', 'tb', 'pb']; return round($size / pow(1024, ($i = floor(log($size, 1024)))), 2) . $unit[$i]; } - /** - * @param array $items - * - * @return string - */ + private function noHtml(string $string): string + { + return str_replace( + ['<', '>', '"', "'"], ['<', '>', '"', '''], $string + ); + } + private function renderItems(array $items): string { $html = '
  • ' @@ -254,11 +215,6 @@ private function renderItems(array $items): string return $html; } - /** - * @param array $items - * - * @return string - */ private function renderSections(array $items): string { $html = ''; @@ -271,11 +227,6 @@ private function renderSections(array $items): string return $html; } - /** - * @param array $data - * - * @return string - */ private function renderTable(array $data): string { $html = ''; @@ -283,13 +234,13 @@ private function renderTable(array $data): string foreach ($data as $row) { $count++; if (false === is_array($row)) { - $html .= '' . $row . ''; + $html .= '' . $this->noHtml($row) . ''; continue; } $html .= '#' . $count . ''; foreach ($row as $cell) { - $html .= is_array($cell) ? '' . var_export($cell, true) . '' : '' . $cell . ''; + $html .= is_array($cell) ? '' . var_export($cell, true) . '' : '' . $this->noHtml($cell) . ''; } $html .= ''; }
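Review bot: `noHtml` never escapes `&`, so it is not a complete HTML-text escaper: the displayed value no longer matches the real input (an input of `&lt;script&gt;` is shown as `<script>`), which defeats the purpose of a debug view and is the classic gap that makes hand-rolled escapers unsafe the moment the output lands in an attribute or script context. On this page the replacement array reads as the same four characters, presumably `&lt;`/`&gt;`/`&quot;`/`&#39;` decoded by the viewer; a byte-wise `str_replace` also does nothing about invalid UTF-8 sequences. Replace the body with the standard call: `return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` — it covers `&`, both quote styles and substitutes malformed byte sequences.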
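Review bot: The `is_array($cell)` branch still writes `var_export($cell, true)` into the page unescaped, so any array cell whose strings contain `<` or quotes (cells built by item builders not visible here, since addItemInputs json-encodes its arrays) bypasses the escaping this commit adds; wrap it as `$this->noHtml(var_export($cell, true))`. `noHtml(string $string)` is also stricter than the old bare concatenation: ints and floats from the memory and timer rows coerce to strings unless the file declares `strict_types=1` (not visible here), but a `null` cell would now throw a TypeError where it used to print nothing. A `(string)` cast at the two call sites keeps the old tolerance.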