Add taint annotations for ParserOutput

Change-Id: Id73b8f22f8877442f114bf7b41d0f9ea47fb4283
Brian Wolff 2023-10-04 12:28:02 -07:00
parent cab3f6e305
commit f1af33be38
2 changed files with 7 additions and 0 deletions


@ -815,6 +815,7 @@ class ParserOutput extends CacheTime implements ContentMetadataCollector {
*
* @since 1.39 You can now pass null to this function
* @param string|null $text HTML content of ParserOutput or null if not generated
* @param-taint $text exec_html
* @return string|null Previous value of ParserOutput's text
*/
public function setText( $text ) {
@ -900,6 +901,7 @@ class ParserOutput extends CacheTime implements ContentMetadataCollector {
/**
* @param string $id
* @param string $content
* @param-taint $content exec_html
* @since 1.25
*/
public function setIndicator( $id, $content ): void {
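Review bot: In the setIndicator() docblock, the added `@param-taint $content exec_html` is the only statement that `$content` is treated as raw HTML; the human-readable `@param string $content` line still carries no description. I would extend it to `@param string $content Raw HTML of the indicator; callers must escape any user-supplied parts`, so that readers unfamiliar with the taint-check syntax see the same contract. setText() already describes `$text` as HTML content, so the two docblocks would then agree. Both method bodies lie outside the hunks, so how the value reaches output is inferred from the annotation and not verified here.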


@ -819,4 +819,9 @@ class TaintCheckAnnotationsTest {
echo \Status::newGood( $_GET['a'] )->getValue();// Safe
echo \Status::newGood( $_GET['a'] )->setResult( true, $_GET['a'] );// Safe
}
function testParserOutput( ParserOutput $po ) {
$po->setIndicator( 'foo', $_GET['a'] ); //@phan-suppress-current-line SecurityCheck-XSS
$po->setText( $_GET['a'] ); //@phan-suppress-current-line SecurityCheck-XSS
}
}
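Review bot: testParserOutput() exercises only the tainted path: both calls pass `$_GET['a']` and expect SecurityCheck-XSS, so an annotation that was accidentally broader than HTML taint would still pass. An escaped counterpart in the style of the `// Safe` lines above, e.g. `$po->setText( htmlspecialchars( $_GET['a'] ) );// Safe` and the same for the `$content` argument of setIndicator(), would pin that only unescaped HTML is rejected. A `$po->setText( null );// Safe` line would also cover the null value that the setText() docblock allows. The two suppressions act as assertions only if the analysis run reports unused suppressions, which is not visible on this page.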