Verzeichnisstruktur phpBB-3.3.15
- Veröffentlicht
- 28.08.2024
ContextSafeness.php
<?php

/**
 * @package s9e\TextFormatter
 * @copyright Copyright (c) 2010-2022 The s9e authors
 * @license http://www.opensource.org/licenses/mit-license.php The MIT License
 */
namespace s9e\TextFormatter\Configurator\Helpers;

/**
 * Per-context deny-lists of characters, exposed as static lookups.
 *
 * Each method returns the literal UTF-8 characters considered unsafe when a
 * value is placed in one output context (URL, CSS or JavaScript). The lists
 * contain raw characters only; encoded spellings of the same characters
 * (percent-encoding, HTML entities, CSS/JS escapes) are not represented here.
 * NOTE(review): the code that consumes these lists is not visible in this
 * file -- confirm that it compares against the decoded value.
 */
abstract class ContextSafeness
{
    /**
     * Characters that must not appear in a value used as a URL.
     *
     * ":" is rejected so that the value cannot carry a scheme of its own.
     *
     * @return string[]
     */
    public static function getDisallowedCharactersAsURL()
    {
        $schemeSeparator = ':';

        return [$schemeSeparator];
    }

    /**
     * Characters that must not appear in a value used inside CSS.
     *
     * The groups below are concatenated in order; the resulting list is the
     * same sequence of nine characters regardless of how it is grouped.
     *
     * @return string[]
     */
    public static function getDisallowedCharactersInCSS()
    {
        // Parentheses: block CSS functions and proprietary extensions that
        // may execute JavaScript.
        $functionCalls = ['(', ')'];

        // Colon: blocks setting extra CSS properties, and possible misuse of
        // url() with javascript: URIs.
        $propertySeparator = [':'];

        // Backslash and both quote characters: block breaking out of, or
        // interfering with, strings.
        $stringDelimiters = ['\\', '"', "'"];

        // Semicolon and braces: block breaking out of a declaration.
        $declarationBreakers = [';', '{', '}'];

        return array_merge(
            $functionCalls,
            $propertySeparator,
            $stringDelimiters,
            $declarationBreakers
        );
    }

    /**
     * Characters that must not appear in a value used inside JavaScript.
     *
     * Allowing any input inside a JavaScript context is risky and the use
     * cases are rare. This list tries to block every character that is
     * potentially unsafe either inside or outside of a string; it is a
     * deny-list, so a character that is not listed is simply not checked.
     *
     * @return string[]
     */
    public static function getDisallowedCharactersInJS()
    {
        // Parentheses: block function execution.
        $functionCalls = ['(', ')'];

        // Quotes, backslash and backtick: block breaking out of, or
        // interfering with, strings.
        $stringDelimiters = ['"', "'", '\\', '`'];

        // CR, LF, U+2028 and U+2029 (the last two as raw UTF-8 bytes):
        // disallowed inside JavaScript strings.
        $lineTerminators = ["\r", "\n", "\xE2\x80\xA8", "\xE2\x80\xA9"];

        // ":" and "%": block potential exploits that set document.location
        // to a javascript: URI.
        $uriCharacters = [':', '%'];

        // "=": blocks overwriting existing vars (or constructors, such as
        // Array's) when the input is used outside of a string.
        $assignment = ['='];

        return array_merge(
            $functionCalls,
            $stringDelimiters,
            $lineTerminators,
            $uriCharacters,
            $assignment
        );
    }
}