From 1d633457c4482ab96bf936e9951ded2d5ebc8c74 Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Sat, 29 Aug 2009 11:31:00 -0700
Subject: Have url::site() and other methods return a SafeString, just as t()
 and t2().

Benefits:
 - url::site() is often used in views and we can ensure in the url class that returned strings are indeed safe for use in HTML. Makes the list of vars of unknown safety status shorter.
 - url::site() is often used as message parameter to t() and t2(). The parameter would be HTML-escaped if it wasn't marked as safe HTML already. Makes the usage simpler / shorter.
---
 modules/gallery/tests/Xss_Security_Test.php | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

(limited to 'modules/gallery/tests')

diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 1d52237c..e0e5bb86 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -126,7 +126,23 @@ class Xss_Security_Test extends Unit_Test_Case {
 	      $token_number++;
 	      $token = $tokens[$token_number];
 	    }
-	  }
+	  } else if ($token[1] == "url") {
+	    // url methods return a SafeString
+	    if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+		self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+		in_array($tokens[$token_number + 2][1],
+			 array("site", "current", "base", "file", "abs_site", "abs_current",
+			       "abs_file", "merge")) &&
+		self::_token_matches("(", $tokens, $token_number + 3)) {
+	      $frame->is_safestring(true);
+
+	      $method = $tokens[$token_number + 2][1];
+	      $frame->expr_append("::$method(");
+
+	      $token_number += 3;
+	      $token = $tokens[$token_number];
+	    }
+	  } 
 	} else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
 	  $frame->expr_append($token[1]);
 
@@ -155,8 +171,9 @@ class Xss_Security_Test extends Unit_Test_Case {
       }
     }
 
-    // Generate the report.
     /*
+     * Generate the report
+     *
      * States for uses of < ? = X ? >:
      * JS_XSS:
      *   In <script> block
@@ -166,7 +183,7 @@ class Xss_Security_Test extends Unit_Test_Case {
      *     X can be anything without a call to ->for_html() or ->purified_html()
      * CLEAN:
      *   Outside <script> block:
-     *     X = t() or t2()
+     *     X = is SafeString (t(), t2(), url::site())
      *     X = * and for_html() or purified_html() is called
      *   Inside <script> block:
      *     X = * with ->for_js() or json_encode(...)
@@ -192,7 +209,6 @@ class Xss_Security_Test extends Unit_Test_Case {
       }
     }
     fclose($fd);
-    exit;
 
     // Compare with the expected report from our golden file.
     $canonical = MODPATH . "gallery/tests/xss_data.txt";
-- 
cgit v1.2.3