XssProtectionTrait.php at 0a360f7 ⋅ terrylinooo/shieldon

<?php
/**
 * This file is part of the Shieldon package.
 *
 * (c) Terry L. <contact@terryl.in>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 * 
 * php version 7.1.0
 * 
 * @category  Web-security
 * @package   Shieldon
 * @author    Terry Lin <contact@terryl.in>
 * @copyright 2019 terrylinooo
 * @license   https://github.com/terrylinooo/shieldon/blob/2.x/LICENSE MIT
 * @link      https://github.com/terrylinooo/shieldon
 * @see       https://shieldon.io
 */

declare(strict_types=1);

namespace Shieldon\Firewall\Firewall;

use Shieldon\Security\Xss;
use function array_keys;
use function array_search;

/*
 * Xss Protection Trait is loaded in Firewall instance only.
 */
trait XssProtectionTrait
{
    /**
     * Get options from the configuration file.
     * This method is same as `$this->getConfig()` but returning value from array directly.
     *
     * @param string $option  The option of the section in the the configuration.
     * @param string $section The section in the configuration.
     *
     * @return mixed
     */
    abstract protected function getOption(string $option, string $section = '');

    /**
     * Refresh / refetch the server request if needed.
     *
     * @return void
     */
    abstract protected function refreshRequest(): void;

    /**
     * Set up the XSS protection.
     *
     * @return void
     */
    protected function setupXssProtection(): void
    {
        $enable = $this->getOption('xss_protection');
        $protectedList = $this->getOption('xss_protected_list');
        $key = array_search(true, $enable);

        if (empty($key) && empty($protectedList)) {
            return;
        }

        $xss = new Xss();

        $this->cleanPost($enable, $xss);
        $this->cleanGet($enable, $xss);
        $this->cleanCookie($enable, $xss);
        $this->cleanProtectedList($protectedList, $xss);

        $this->refreshRequest();
    }

    /**
     * Clean the $_POST superglobal.
     *
     * @param array $enable The option to enable filtering $_POST.
     * @param Xss   $xss    The Xss instance.
     *
     * @return void
     */
    private function cleanPost(array $enable, Xss $xss): void
    {
        if ($enable['post']) {

            $this->kernel->setClosure(
                'xss_post',
                function () use ($xss) {
                    if (!empty($_POST)) {
                        foreach (array_keys($_POST) as $k) {
                            $_POST[$k] = $xss->clean($_POST[$k]);
                        }
                    }
                }
            );
        }
    }

    /**
     * Clean the $_GET superglobal.
     *
     * @param array $enable The option to enable filtering $_GET.
     * @param Xss   $xss    The Xss instance.
     *
     * @return void
     */
    private function cleanGet(array $enable, Xss $xss): void
    {
        if ($enable['get']) {

            $this->kernel->setClosure(
                'xss_get',
                function () use ($xss) {
                    if (!empty($_GET)) {
                        foreach (array_keys($_GET) as $k) {
                            $_GET[$k] = $xss->clean($_GET[$k]);
                        }
                    }
                }
            );
        }
    }

    /**
     * Clean the $_COOKIE superglobal.
     *
     * @param array $enable The option to enable filtering $_COOKIE.
     * @param Xss   $xss    The Xss instance.
     *
     * @return void
     */
    private function cleanCookie(array $enable, Xss $xss): void
    {
        if ($enable['cookie']) {

            $this->kernel->setClosure(
                'xss_cookie',
                function () use ($xss) {
                    if (!empty($_COOKIE)) {
                        foreach (array_keys($_COOKIE) as $k) {
                            $_COOKIE[$k] = $xss->clean($_COOKIE[$k]);
                        }
                    }
                }
            );
        }
    }

    /**
     * Clean the specific protected varibles.
     *
     * @param array $protectedList The specific variables to be filtered.
     * @param Xss   $xss           The Xss instance.
     *
     * @return void
     */
    private function cleanProtectedList(array $protectedList, Xss $xss): void
    {
        if (!empty($protectedList)) {

            $this->kernel->setClosure(
                'xss_protection', 
                function () use ($xss, $protectedList) {
                    foreach ($protectedList as $v) {
                        $k = $v['variable'] ?? 'undefined';
        
                        switch ($v['type']) {
                            case 'get':
                                if (!empty($_GET[$k])) {
                                    $_GET[$k] = $xss->clean($_GET[$k]);
                                }
                                break;
        
                            case 'post':
                                if (!empty($_POST[$k])) {
                                    $_POST[$k] = $xss->clean($_POST[$k]);
                                }
                                break;
        
                            case 'cookie':
                                if (!empty($_COOKIE[$k])) {
                                    $_COOKIE[$k] = $xss->clean($_COOKIE[$k]);
                                }
                                break;
                        }
                    }
                }
            );
        }
    }
}

Read our documentation on viewing source code .

1		<?php
2		/**
3		* This file is part of the Shieldon package.
4		*
5		* (c) Terry L. <contact@terryl.in>
6		*
7		* For the full copyright and license information, please view the LICENSE
8		* file that was distributed with this source code.
9		*
10		* php version 7.1.0
11		*
12		* @category Web-security
13		* @package Shieldon
14		* @author Terry Lin <contact@terryl.in>
15		* @copyright 2019 terrylinooo
16		* @license https://github.com/terrylinooo/shieldon/blob/2.x/LICENSE MIT
17		* @link https://github.com/terrylinooo/shieldon
18		* @see https://shieldon.io
19		*/
20
21		declare(strict_types=1);
22
23		namespace Shieldon\Firewall\Firewall;
24
25		use Shieldon\Security\Xss;
26		use function array_keys;
27		use function array_search;
28
29		/*
30		* Xss Protection Trait is loaded in Firewall instance only.
31		*/
32		trait XssProtectionTrait
33		{
34		/**
35		* Get options from the configuration file.
36		* This method is same as `$this->getConfig()` but returning value from array directly.
37		*
38		* @param string $option The option of the section in the the configuration.
39		* @param string $section The section in the configuration.
40		*
41		* @return mixed
42		*/
43		abstract protected function getOption(string $option, string $section = '');
44
45		/**
46		* Refresh / refetch the server request if needed.
47		*
48		* @return void
49		*/
50		abstract protected function refreshRequest(): void;
51
52		/**
53		* Set up the XSS protection.
54		*
55		* @return void
56		*/
57	3	protected function setupXssProtection(): void
58		{
59	3	$enable = $this->getOption('xss_protection');
60	3	$protectedList = $this->getOption('xss_protected_list');
61	3	$key = array_search(true, $enable);
62
63	3	if (empty($key) && empty($protectedList)) {
64	3	return;
65		}
66
67	3	$xss = new Xss();
68
69	3	$this->cleanPost($enable, $xss);
70	3	$this->cleanGet($enable, $xss);
71	3	$this->cleanCookie($enable, $xss);
72	3	$this->cleanProtectedList($protectedList, $xss);
73
74	3	$this->refreshRequest();
75		}
76
77		/**
78		* Clean the $_POST superglobal.
79		*
80		* @param array $enable The option to enable filtering $_POST.
81		* @param Xss $xss The Xss instance.
82		*
83		* @return void
84		*/
85	3	private function cleanPost(array $enable, Xss $xss): void
86		{
87	3	if ($enable['post']) {
88
89	3	$this->kernel->setClosure(
90	3	'xss_post',
91		function () use ($xss) {
92	3	if (!empty($_POST)) {
93	3	foreach (array_keys($_POST) as $k) {
94	3	$_POST[$k] = $xss->clean($_POST[$k]);
95		}
96		}
97		}
98		);
99		}
100		}
101
102		/**
103		* Clean the $_GET superglobal.
104		*
105		* @param array $enable The option to enable filtering $_GET.
106		* @param Xss $xss The Xss instance.
107		*
108		* @return void
109		*/
110	3	private function cleanGet(array $enable, Xss $xss): void
111		{
112	3	if ($enable['get']) {
113
114	3	$this->kernel->setClosure(
115	3	'xss_get',
116		function () use ($xss) {
117	3	if (!empty($_GET)) {
118	3	foreach (array_keys($_GET) as $k) {
119	3	$_GET[$k] = $xss->clean($_GET[$k]);
120		}
121		}
122		}
123		);
124		}
125		}
126
127		/**
128		* Clean the $_COOKIE superglobal.
129		*
130		* @param array $enable The option to enable filtering $_COOKIE.
131		* @param Xss $xss The Xss instance.
132		*
133		* @return void
134		*/
135	3	private function cleanCookie(array $enable, Xss $xss): void
136		{
137	3	if ($enable['cookie']) {
138
139	3	$this->kernel->setClosure(
140	3	'xss_cookie',
141		function () use ($xss) {
142	3	if (!empty($_COOKIE)) {
143	3	foreach (array_keys($_COOKIE) as $k) {
144	3	$_COOKIE[$k] = $xss->clean($_COOKIE[$k]);
145		}
146		}
147		}
148		);
149		}
150		}
151
152		/**
153		* Clean the specific protected varibles.
154		*
155		* @param array $protectedList The specific variables to be filtered.
156		* @param Xss $xss The Xss instance.
157		*
158		* @return void
159		*/
160	3	private function cleanProtectedList(array $protectedList, Xss $xss): void
161		{
162	3	if (!empty($protectedList)) {
163
164	3	$this->kernel->setClosure(
165	3	'xss_protection',
166		function () use ($xss, $protectedList) {
167	3	foreach ($protectedList as $v) {
168	3	$k = $v['variable'] ?? 'undefined';
169
170	3	switch ($v['type']) {
171	3	case 'get':
172	3	if (!empty($_GET[$k])) {
173	3	$_GET[$k] = $xss->clean($_GET[$k]);
174		}
175	3	break;
176
177	3	case 'post':
178	3	if (!empty($_POST[$k])) {
179	3	$_POST[$k] = $xss->clean($_POST[$k]);
180		}
181	3	break;
182
183	3	case 'cookie':
184	3	if (!empty($_COOKIE[$k])) {
185	3	$_COOKIE[$k] = $xss->clean($_COOKIE[$k]);
186		}
187	3	break;
188		}
189		}
190		}
191		);
192		}
193		}
194		}

Navigation	Overlay
`t` Navigate files	`h` Toggle hits
`y` Change url to tip of branch	`m` Toggle misses
`b / v` Jump to prev/next hit line	`p` Toggle partial
`z / x` Jump to prev/next missed or partial line	`1..9` Toggle flags
`shift + o` Open current page in GitHub	`a` Toggle all on
`/ or ?` Show keyboard shortcuts dialog	`c` Toggle context lines or commits