Testing for
<?php | |
namespace common\components; | |
/**
 * Base ActiveRecord for the project's generated models.
 *
 * Every class under base/models extends this one, so a hook placed here
 * runs for every record the application loads. The visible hook appends
 * the XSS test marker from XssArTestTrait to long string attributes after
 * each find; there is no runtime gate on it in the code shown, and the
 * trait's name suggests it is a test-environment aid.
 */
class BaseAR extends \yii\db\ActiveRecord
{
    use XssArTestTrait;

    // NOTE(review): not referenced by the visible code; presumably read by
    // the elided sections below.
    public static $enableLog = false;

    // ......

    /**
     * Runs the parent hook, then lets XssArTestTrait::fixXssAttributes()
     * append the test marker to the freshly loaded string attributes.
     *
     * @throws \yii\base\InvalidConfigException
     */
    public function afterFind()
    {
        parent::afterFind();

        $this->fixXssAttributes();
    }

    // ......
}
<?php | |
/** | |
* Created by PhpStorm. | |
* User: analitic | |
* Date: 25.10.18 | |
* Time: 13:46 | |
*/ | |
namespace common\components; | |
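/**
 * Trait XssArTestTrait
 *
 * Test aid for spotting unescaped output: after a record is loaded, every
 * string column wider than 50 characters gets a <script> marker appended,
 * so a view that renders the attribute without escaping becomes visible
 * during testing. Credentials, serialized settings and file paths are
 * excluded via fixXssSkiplist().
 *
 * @package common\components
 * @mixin BaseAR
 */
trait XssArTestTrait
{
    /**
     * The marker appended to candidate attributes. A method rather than a
     * constant so a composing class can override it.
     *
     * @return string
     */
    protected function getXssTestText()
    {
        return '<script>alert(document.cookie);</script>';
    }

    /**
     * Attributes that never receive the marker, keyed by table name.
     *
     * NOTE(review): keys are bare table names. If a model's tableName()
     * returns a prefixed form such as '{{%user}}', the lookup in
     * fixXssAttributes() misses and these columns are modified too — confirm.
     *
     * @return array<string, list<string>>
     */
    protected function fixXssSkiplist()
    {
        return [
            'user' => ['password', 'login'],
            'system_setting' => ['json', 'value'],
            'file' => ['path', 'stored_name'],
        ];
    }

    /**
     * Return the attribute value with the marker appended when its column is
     * a string column wider than 50 characters; anything else passes through
     * unchanged (including values of columns the schema does not know).
     *
     * NOTE(review): a null value also gets the marker (null . string is the
     * string), so nullable columns come back non-null — confirm intended.
     *
     * @param string $attributeName
     * @param mixed  $attributeValue value as loaded from the database
     * @return mixed
     * @throws \yii\base\InvalidConfigException
     */
    protected function fixXssAttribute(string $attributeName, $attributeValue)
    {
        $metaColumn = self::getTableSchema()->getColumn($attributeName);
        if ($metaColumn === null) {
            return $attributeValue;
        }

        // Only string columns wide enough for free text are candidates.
        // NOTE(review): columns whose schema reports no size (TEXT types in
        // some drivers) fail the `> 50` test and are left alone — confirm.
        if ($metaColumn->phpType === 'string' && $metaColumn->size > 50) {
            $attributeValue .= $this->getXssTestText();
        }

        return $attributeValue;
    }

    /**
     * Apply fixXssAttribute() to every loaded attribute that is not on the
     * skip list for this model's table, writing back only values that changed.
     *
     * @throws \yii\base\InvalidConfigException
     */
    protected function fixXssAttributes(): void
    {
        $skipAttributes = $this->fixXssSkiplist()[static::tableName()] ?? [];

        foreach ($this->attributes as $attributeName => $attributeValue) {
            if (\in_array($attributeName, $skipAttributes, true)) {
                continue;
            }

            $newAttributeValue = $this->fixXssAttribute($attributeName, $attributeValue);
            // Skip the write when nothing changed so untouched values are not re-assigned.
            if ($attributeValue !== $newAttributeValue) {
                $this->setAttribute($attributeName, $newAttributeValue);
            }
        }
    }
}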