16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
50 lines
1.2 KiB
Plaintext
50 lines
1.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
function evaluate_xpath($doc, $xpathstring, $xmlstring)
|
|
{
|
|
$xpath = new DOMXpath($doc);
|
|
$xpath->query($xpathstring); // Sensitive
|
|
$xpath->evaluate($xpathstring); // Sensitive
|
|
|
|
// There is no risk if the xpath is hardcoded
|
|
$xpath->query("/users/user[@name='alice']"); // Ok
|
|
$xpath->evaluate("/users/user[@name='alice']"); // Ok
|
|
|
|
// An issue will also be created if the SimpleXMLElement is created
|
|
// by simplexml_load_file, simplexml_load_string or simplexml_import_dom
|
|
$xml = new SimpleXMLElement($doc);
|
|
$xml->xpath($xpathstring); // Sensitive
|
|
|
|
// There is no risk if the xpath is hardcoded
|
|
$xml->xpath("/users/user[@name='alice']"); // Ok
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 9 May 2019, 16:00:38 Nicolas Harraudeau wrote:
|
|
This rule is deprecated for PHP because it will be handled by the taint analysis engine (RSPEC-2091).
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|