33 lines
582 B
Plaintext
33 lines
582 B
Plaintext
== How to fix it in Core PHP
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,php,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
$url=$_GET['url'];
|
|
|
|
header("Location: " . $url); // Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,php,diff-id=1,diff-type=compliant]
|
|
----
|
|
$url=$_GET['url'];
|
|
|
|
$allowedUrls = ['https://example.com/'];
|
|
|
|
if(in_array($url, $allowedUrls, true)){
|
|
header("Location: " . $url);
|
|
}
|
|
----
|
|
|
|
include::../../common/fix/how-does-this-work.adoc[]
|
|
|
|
=== Pitfalls
|
|
|
|
include::../../common/pitfalls/starts-with.adoc[] |