<?php
/**
* Logic to secure output generated by vip-go-ci.
*
* @package Automattic/vip-go-ci
*/
declare(strict_types=1);
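/**
 * Sanitize string to ensure it contains
 * only characters found in version numbers.
 *
 * Every byte other than ASCII letters, digits, '.' and '-'
 * is removed; nothing is encoded, so the result is safe to
 * embed anywhere a bare version string is expected.
 *
 * @param string $version_number Version number to sanitize.
 *
 * @return string Sanitized version number.
 *
 * @throws \RuntimeException If the PCRE engine reports an error.
 */
function vipgoci_output_sanitize_version_number(
	string $version_number
) :string {
	$sanitized = preg_replace(
		'/[^a-zA-Z0-9\.\-]/',
		'',
		$version_number
	);

	// preg_replace() returns null on a PCRE error. Fail closed with an
	// explicit message instead of letting the string return type turn
	// the null into an opaque TypeError.
	if ( null === $sanitized ) {
		throw new \RuntimeException(
			'Unable to sanitize version number (PCRE error ' .
			preg_last_error() . ')'
		);
	}

	return $sanitized;
}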
/**
 * HTML encode input string so it is safe
 * to use in HTML code.
 *
 * Delegates to filter_var() with FILTER_SANITIZE_FULL_SPECIAL_CHARS,
 * which encodes quotes as well as '<', '>' and '&'. This is
 * escaping for HTML markup only; values placed in other output
 * contexts (URL, JavaScript) need that context's own escaping.
 *
 * @param string $text_string String to escape.
 *
 * @return string HTML escaped text string.
 */
function vipgoci_output_html_escape(
	string $text_string
) :string {
	$escaped_string = filter_var(
		$text_string,
		FILTER_SANITIZE_FULL_SPECIAL_CHARS
	);

	return $escaped_string;
}
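/**
 * Strip from a URL every character that PHP's
 * FILTER_SANITIZE_URL does not treat as URL-legal
 * (whitespace and control characters among them).
 *
 * This does NOT HTML encode anything: the URL-legal set the
 * filter keeps includes characters such as '<', '>', '"',
 * "'" and '&', and the scheme is not validated either. The
 * result must still be escaped for the context it is output
 * in, e.g. with vipgoci_output_html_escape() for HTML.
 *
 * @param string $url URL to sanitize.
 *
 * @return string Sanitized URL.
 */
function vipgoci_output_sanitize_url(
	string $url
) :string {
	// Sanitizing filter only; it drops disallowed bytes and
	// performs no validation of what remains.
	$sanitized_url = filter_var(
		$url,
		FILTER_SANITIZE_URL
	);

	return $sanitized_url;
}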
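/**
 * Escape Markdown syntax characters so that they
 * should be interpreted as literals. The function
 * allows exceptions to be specified so that these
 * are not escaped (use with caution).
 *
 * Callers can specify their own escape array. This is
 * only intended when a very narrow portion of the
 * Markdown syntax characters should be escaped. The array
 * is applied with str_replace() in key order, one
 * replacement after another, so an entry whose replacement
 * contains another entry's key (the backslash in the
 * default table) must come first or it is escaped twice.
 *
 * Before escaping, the string is passed through filter_var()
 * with FILTER_SANITIZE_SPECIAL_CHARS, which HTML encodes
 * '"<>& and control characters as numeric entities; the '&'
 * and '#' of those entities are then Markdown escaped like
 * any other character.
 *
 * @param string     $text_string   Text string to escape.
 * @param array|null $skip_chars    Characters not to escape;
 *                                  null means none.
 * @param array|null $replace_array Custom escaping array; null
 *                                  or empty selects the default.
 *
 * @return string Escaped string.
 */
function vipgoci_output_markdown_escape(
	string $text_string,
	?array $skip_chars = array(),
	?array $replace_array = array()
) :string {
	// Call filter function to sanitize special HTML characters.
	$text_string = filter_var(
		$text_string,
		FILTER_SANITIZE_SPECIAL_CHARS
	);

	// If custom replace array is not specified, use the default one.
	// The backslash entry is deliberately first: every later entry
	// inserts a backslash that must not be escaped again.
	if ( empty( $replace_array ) ) {
		$replace_array = array(
			'\\' => '\\\\',
			'-'  => '\-',
			'#'  => '\#',
			'*'  => '\*',
			'+'  => '\+',
			'`'  => '\`',
			'.'  => '\.',
			'['  => '\[',
			']'  => '\]',
			'('  => '\(',
			')'  => '\)',
			'!'  => '\!',
			'&'  => '\&',
			'<'  => '\<',
			'>'  => '\>',
			'_'  => '\_',
			'{'  => '\{',
			'}'  => '\}',
		);
	}

	// Any characters not to escape? A null argument is treated as
	// "none" rather than being iterated (foreach over null only
	// raises a warning and escapes everything, which is surprising).
	// unset() on a missing key is a no-op, so no isset() guard needed.
	foreach ( $skip_chars ?? array() as $skip_char ) {
		unset( $replace_array[ $skip_char ] );
	}

	// Do the escaping and return.
	return str_replace(
		array_keys( $replace_array ),
		array_values( $replace_array ),
		$text_string
	);
}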