Skip to content

Commit

Permalink
Init commit
Browse files Browse the repository at this point in the history
  • Loading branch information
jakubboucek committed Apr 13, 2021
0 parents commit d8aa1e8
Show file tree
Hide file tree
Showing 9 changed files with 501 additions and 0 deletions.
5 changes: 5 additions & 0 deletions .gitattributes
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
.gitattributes export-ignore
.gitignore export-ignore
.github export-ignore
ecs.php export-ignore
tests export-ignore
58 changes: 58 additions & 0 deletions .github/workflows/code_analysis.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Code Analysis

on:
pull_request:
push:

jobs:
code_analysis:
strategy:
fail-fast: false
matrix:
php: ['7.3', '7.4', '8.0']
actions:
- name: PHPStan
run: composer phpstan

- name: Easy Coding Standard
run: composer ecs

- name: Unit tests
run: vendor/bin/tester tests -s -C

name: ${{ matrix.actions.name }} at PHP ${{ matrix.php }}
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@v2


# see https://github.com/shivammathur/setup-php
- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
extensions: json
coverage: none


# see https://github.com/actions/cache/blob/main/examples.md#php---composer
- name: Get Composer Cache Directory
id: composer-cache
run: |
echo "::set-output name=dir::$(composer config cache-files-dir)"
- uses: actions/cache@v2
with:
path: |
${{ steps.composer-cache.outputs.dir }}
**/composer.lock
key: ${{ runner.os }}-${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }}
restore-keys: |
${{ runner.os }}-${{ matrix.php }}-composer-
- name: Install Composer
run: composer install --no-progress

- run: ${{ matrix.actions.run }}
2 changes: 2 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
/composer.lock
/vendor
21 changes: 21 additions & 0 deletions LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
MIT License

Copyright (c) 2021 Jakub Bouček

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
58 changes: 58 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
# Escape

PHP library to right escape outputs in your legacy project.

Don't use package for new projects, use [Latte](https://latte.nette.org/) instead.

Package is substrate of [Latte package](https://github.com/nette/latte/)
[filters](https://github.com/nette/latte/blob/master/src/Latte/Runtime/Filters.php).

## Features

- Escape HTML
- Escape HTML attributes
- Escape HTML comments
- Escape JS
- Escape CSS
- Escape URL

## Install

```shell
composer require redbitcz/escape
```

## Usage

Instead:
```php
echo 'Registered user: ' . $username;
```

Use:
```php
echo 'Registered user: ' . \Redbitcz\Escape\Escape::html($username);
```

## FAQ

### Is it support for escaping SQL query?

No, SQL requires access to active SQL connection to right escape. This package is only aloow to escape contexts without
external requrements.

## Contributing
Please don't hesitate send Issue or Pull Request.

## Security
If you discover any security related issues, please email [email protected] instead of using the issue tracker.

## License
The MIT License (MIT). Please see [License File](LICENSE) for more information.

### Origin code licences
- [New BSD License](https://github.com/nette/latte/blob/master/license.md#new-bsd-license)
- [GNU General Public License](https://github.com/nette/latte/blob/master/license.md#gnu-general-public-license)

Copyright (c) 2004, 2014 David Grudl (https://davidgrudl.com) All rights reserved.
Please see [License File](https://github.com/nette/latte/blob/master/license.md) for more information.
37 changes: 37 additions & 0 deletions composer.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"name": "jakubboucek/legacy-escape",
"description": "Right escape data inserted to HTML, CSS, JS and URL. Substrate of Latte/Latte package.",
"type": "library",
"license": [
"MIT",
"BSD-3-Clause",
"GPL-2.0-only",
"GPL-3.0-only"
],
"authors": [
{
"name": "Jakub Bouček",
"email": "[email protected]"
}
],
"require": {
"php": ">= 7.1",
"nette/utils": "^3.1"
},
"require-dev": {
"phpstan/phpstan": "^0.12.83",
"symplify/easy-coding-standard": "^9.2",
"nette/tester": "^2.4"
},
"autoload": {
"psr-4": {
"JakubBoucek\\Escape\\": "src/"
}
},
"scripts": {
"phpstan": "phpstan analyze src --level 7",
"ecs": "ecs",
"ecs-fix": "ecs --fix",
"tester": "tester tests"
}
}
37 changes: 37 additions & 0 deletions ecs.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
<?php

declare(strict_types=1);

use PhpCsFixer\Fixer\ArrayNotation\ArraySyntaxFixer;
use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
use Symplify\EasyCodingStandard\ValueObject\Option;
use Symplify\EasyCodingStandard\ValueObject\Set\SetList;

return static function (ContainerConfigurator $containerConfigurator): void {
$services = $containerConfigurator->services();
$services->set(ArraySyntaxFixer::class)
->call(
'configure',
[
[
'syntax' => 'short',
]
]
);

$parameters = $containerConfigurator->parameters();
$parameters->set(
Option::PATHS,
[
__DIR__ . '/src',
__DIR__ . '/tests',
]
);

$parameters->set(
Option::SETS,
[
SetList::PSR_12,
]
);
};
103 changes: 103 additions & 0 deletions src/Escape.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
<?php

// Intentionally no strict – package is most used to secure legacy projects
// declare(strict_types=1);

namespace JakubBoucek\Escape;

use Nette\Utils\Json;

/**
* Escape funxtions. Uses UTF-8 only.
* Substrate of Filters class from Latte/Latte package
*
* @link https://latte.nette.org/
* @link https://api.nette.org/2.4/source-Latte.Runtime.Filters.php.html#Filters
*/
class Escape
{
/**
* Escapes string for use everywhere inside HTML (except for comments)
* @param string|mixed $data
* @return string
*
* @link https://api.nette.org/2.4/source-Latte.Runtime.Filters.php.html#27-35
*/
public static function html($data): string
{
return htmlspecialchars((string)$data, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE);
}

/**
* Escapes string for use inside HTML attribute value.
* @param string|mixed $data
* @return string
*
* @link https://api.nette.org/2.4/source-Latte.Runtime.Filters.php.html#_escapeHtmlAttr
*/
public static function htmlAttr($data): string
{
$data = (string)$data;
if (strpos($data, '`') !== false && strpbrk($data, ' <>"\'') === false) {
$data .= ' '; // protection against innerHTML mXSS vulnerability nette/nette#1496
}
return self::html($data);
}

/**
* Escapes string for use inside HTML comments.
* @param string|mixed $data
* @return string
*
* @link https://api.nette.org/2.4/source-Latte.Runtime.Filters.php.html#_escapeHtmlComment
*/
public static function htmlComment($data): string
{
$data = (string)$data;
if ($data && ($data[0] === '-' || $data[0] === '>' || $data[0] === '!')) {
$data = ' ' . $data;
}
$data = str_replace('--', '- - ', $data);
if (substr($data, -1) === '-') {
$data .= ' ';
}
return $data;
}

/**
* Escapes string for use inside JS code
* @param mixed $data
* @return string
*
* @link https://api.nette.org/2.4/source-Latte.Runtime.Filters.php.html#_escapeJs
*/
public static function js($data): string
{
$json = Json::encode($data);

return str_replace([']]>', '<!', '</'], [']]\u003E', '\u003C!', '<\/'], $json);
}

/**
* Escapes string for use inside CSS code
* @param string|mixed $data
* @return string
*
* @link https://api.nette.org/2.4/source-Latte.Runtime.Filters.php.html#_escapeCss
*/
public static function css($data): string
{
// http://www.w3.org/TR/2006/WD-CSS21-20060411/syndata.html#q6
return addcslashes((string)$data, "\x00..\x1F!\"#$%&'()*+,./:;<=>?@[\\]^`{|}~");
}

/**
* Escapes string for use inside URL
* @param string|mixed $url
* @return string
*/
public static function url($url): string
{
return urlencode((string)$url);
}
}
Loading

0 comments on commit d8aa1e8

Please sign in to comment.