[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  /**
   4  * @package   s9e\TextFormatter
   5  * @copyright Copyright (c) 2010-2022 The s9e authors
   6  * @license   http://www.opensource.org/licenses/mit-license.php The MIT License
   7  */
   8  namespace s9e\TextFormatter\Configurator\Helpers;
   9  
  10  abstract class ContextSafeness
  11  {
  12      /**
  13      * Get the list of UTF-8 characters that are disallowed as a URL
  14      *
  15      * ":" is disallowed to prevent the URL to have a scheme.
  16      *
  17      * @return string[]
  18      */
  19  	public static function getDisallowedCharactersAsURL()
  20      {
  21          return [':'];
  22      }
  23  
  24      /**
  25      * Get the list of UTF-8 characters that are disallowed in CSS
  26      *
  27      * - "(" and ")" are disallowed to prevent executing CSS functions or proprietary extensions that
  28      *   may execute JavaScript.
  29      * - ":" is disallowed to prevent setting extra CSS properties as well as possibly misusing the
  30      *   url() function with javascript: URIs.
  31      * - "\", '"' and "'" are disallowed to prevent breaking out of or interfering with strings.
  32      * - ";", "{" and "}" to prevent breaking out of a declaration
  33      *
  34      * @return string[]
  35      */
  36  	public static function getDisallowedCharactersInCSS()
  37      {
  38          return ['(', ')', ':', '\\', '"', "'", ';', '{', '}'];
  39      }
  40  
  41      /**
  42      * Get the list of UTF-8 characters that are disallowed in JS
  43      *
  44      * Allowing *any* input inside of a JavaScript context is a risky proposition. The use cases are
  45      * also pretty rare. This list of disallowed characters attempts to block any character that is
  46      * potentially unsafe either inside or outside of a string.
  47      *
  48      * - "(" and ")" are disallowed to prevent executing functions.
  49      * - '"',  "'", "\" and "`" are disallowed to prevent breaking out of or interfering with strings.
  50      * - "\r", "\n", U+2028 and U+2029 are disallowed inside of JavaScript strings.
  51      * - ":" and "%" are disallowed to prevent potential exploits that set document.location to a
  52      *   javascript: URI.
  53      * - "=" is disallowed to prevent overwriting existing vars (or constructors, such as Array's) if
  54      *   the input is used outside of a string
  55      *
  56      * @return string[]
  57      */
  58  	public static function getDisallowedCharactersInJS()
  59      {
  60          return ['(', ')', '"', "'", '\\', '`', "\r", "\n", "\xE2\x80\xA8", "\xE2\x80\xA9", ':', '%', '='];
  61      }
  62  }