Move out escaping function to central place

minkphp · Mar 4, 2016 · 7b3315a · 7b3315a
1 parent 232919c
commit 7b3315a
Showing 9 changed files with 47 additions and 20 deletions.
diff --git a/driver-testsuite/tests/Form/GeneralTest.php b/driver-testsuite/tests/Form/GeneralTest.php
@@ -207,7 +207,7 @@ public function testAdvancedForm()
 array (
   'agreement' = 'on',
   'email' = '[email protected]',
-  'first_name' = 'Foo "item"',
+  'first_name' = 'Foo &quot;item&quot;',
   'last_name' = 'Bar',
   'notes' = 'new notes',
   'select_number' = '30',

diff --git a/driver-testsuite/web-fixtures/advanced_form_post.php b/driver-testsuite/web-fixtures/advanced_form_post.php
@@ -8,19 +8,18 @@
 <?php
 error_reporting(0);
 
+require_once 'utils.php';
+
 if (isset($_POST['select_multiple_numbers']) && false !== strpos($_POST['select_multiple_numbers'][0], ',')) {
     $_POST['select_multiple_numbers'] = explode(',', $_POST['select_multiple_numbers'][0]);
 }
 
 $_POST['agreement'] = isset($_POST['agreement']) ? 'on' : 'off';
 ksort($_POST);
-foreach ($_POST as $key => $value) {
-	$post_for_printing[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars(var_export($value, TRUE), ENT_QUOTES, 'UTF-8');
-}
-echo str_replace('>', '', var_export($post_for_printing, true)) . "\n";
+echo str_replace('>', '', var_export(html_escape_value($_POST), true)) . "\n";
 if (isset($_FILES['about']) && file_exists($_FILES['about']['tmp_name'])) {
-    echo htmlspecialchars($_FILES['about']['name'], ENT_QUOTES, 'UTF-8') . "\n";
-    echo htmlspecialchars(file_get_contents($_FILES['about']['tmp_name'], ENT_QUOTES, 'UTF-8'));
+    echo html_escape_value($_FILES['about']['name']) . "\n";
+    echo html_escape_value(file_get_contents($_FILES['about']['tmp_name']));
 } else {
     echo "no file";
 }

diff --git a/driver-testsuite/web-fixtures/basic_form_post.php b/driver-testsuite/web-fixtures/basic_form_post.php
@@ -5,8 +5,12 @@
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
 </head>
 <body>
-    <h1>Anket for <?php echo htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8') ?></h1>
-    <span id="first">Firstname: <?php echo htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8') ?></span>
-    <span id="last">Lastname: <?php echo htmlspecialchars($_POST['last_name'], ENT_QUOTES, 'UTF-8') ?></span>
+    <?php
+        require_once 'utils.php';
+    ?>
+    <h1>Anket for <?php echo html_escape_value($_POST['first_name']) ?></h1>
+
+    <span id="first">Firstname: <?php echo html_escape_value($_POST['first_name']) ?></span>
+    <span id="last">Lastname: <?php echo html_escape_value($_POST['last_name']) ?></span>
 </body>
 </html>
diff --git a/driver-testsuite/web-fixtures/basic_get_form.php b/driver-testsuite/web-fixtures/basic_get_form.php
@@ -8,7 +8,10 @@
     <h1>Basic Get Form Page</h1>
 
     <div id="serach">
-        <?php echo isset($_GET['q']) && $_GET['q'] ? htmlspecialchars($_GET['q'], ENT_QUOTES, 'UTF-8') : 'No search query' ?>
+        <?php
+            require_once 'utils.php';
+            echo isset($_GET['q']) && $_GET['q'] ? html_escape_value($_GET['q']) : 'No search query';
+        ?>
     </div>
 
     <form>

diff --git a/driver-testsuite/web-fixtures/cookie_page2.php b/driver-testsuite/web-fixtures/cookie_page2.php
@@ -5,6 +5,9 @@
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
 </head>
 <body>
-    Previous cookie: <?php echo isset($_COOKIE['srvr_cookie']) ? htmlspecialchars($_COOKIE['srvr_cookie'], ENT_QUOTES, 'UTF-8') : 'NO'; ?>
+    Previous cookie: <?php
+        require_once 'utils.php';
+        echo isset($_COOKIE['srvr_cookie']) ? html_escape_value($_COOKIE['srvr_cookie']) : 'NO';
+    ?>
 </body>
 </html>
diff --git a/driver-testsuite/web-fixtures/issue130.php b/driver-testsuite/web-fixtures/issue130.php
@@ -2,10 +2,12 @@
 <html>
 <body>
     <?php
+    require_once 'utils.php';
+
     if ('1' === $_GET['p']) {
         echo '<a href="issue130.php?p=2">Go to 2</a>';
     } else {
-        echo '<strong>'.htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8').'</strong>';
+        echo '<strong>'.html_escape_value($_SERVER['HTTP_REFERER']).'</strong>';
     }
     ?>
 </body>
diff --git a/driver-testsuite/web-fixtures/issue140.php b/driver-testsuite/web-fixtures/issue140.php
@@ -1,8 +1,10 @@
 <?php
+require_once 'utils.php';
+
 if (!empty($_POST)) {
     setcookie("tc", $_POST['cookie_value'], null, '/');
 } elseif (isset($_GET["show_value"])) {
-    echo htmlspecialchars($_COOKIE["tc"],  ENT_QUOTES, 'UTF-8');
+    echo html_escape_value($_COOKIE["tc"]);
     die();
 }
 ?>

diff --git a/driver-testsuite/web-fixtures/print_cookies.php b/driver-testsuite/web-fixtures/print_cookies.php
@@ -5,11 +5,9 @@
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
 </head>
 <body>
-	<?php
-	foreach ($_COOKIE as $key => $value) {
-		$cookie_for_printing[htmlspecialchars($key, ENT_QUOTES, 'UTF-8')] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
-	}
-	?>
-    <?php echo str_replace('>', '', var_export($cookie_for_printing, true)); ?>
+    <?php
+        require_once 'utils.php';
+        echo str_replace('>', '', var_export(html_escape_value($_COOKIE), true));
+    ?>
 </body>
 </html>
diff --git a/driver-testsuite/web-fixtures/utils.php b/driver-testsuite/web-fixtures/utils.php
@@ -0,0 +1,16 @@
+<?php
+
+function html_escape_value($data)
+{
+    if (!is_array($data)) {
+        return htmlspecialchars($data, ENT_QUOTES, 'UTF-8', false);
+    }
+
+    $escapedData = array();
+
+    foreach ($data as $key => $value) {
+        $escapedData[html_escape_value($key)] = html_escape_value($value);
+    }
+
+    return $escapedData;
+}