Conversation
* `strftime()` has been replaced with a polyfill based on `DateTime`.
* Explicit type casts/assertions added where required by PHP 8.1
* `filter_var(…, FILTER_SANITIZE_STRING)` replaced with `strip_tags()` or HTML entity encoding of quotation marks, depending on a guess of what the intended "sanitization" was
* `http_build_query()` usage type mismatches fixed
* Removed usages of the `FILE_TEXT` constant
* To avoid breaking PHP 5.6 compatibility (function return types), `e_session_db` no longer implements `SessionHandlerInterface`. Instead, the alternative non-OOP invocation of `session_set_save_handler()` is used to apply the session handler.
* The shim for `strptime()` still calls the native function if available but now suppresses the deprecation warning.
* `e_db_pdo` explicitly asks for `PDO::ATTR_STRINGIFY_FETCHES` to maintain consistent behavior with past versions of PHP.
* `e_db_mysql` explicitly sets `mysqli_report(MYSQLI_REPORT_OFF)` to maintain consistent behavior with past versions of PHP.
* Removed pointless random number generator seed from `banner` plugin
* Workaround for `COUNT(*)` SQL query in `validatorClass::dbValidateArray()` without a proper API for avoiding SQL injection
Code Climate has analyzed commit 2088292 and detected 6 issues on this pull request. Here's the issue category breakdown:
The test coverage on the diff in this pull request is 86.8% (80% is the threshold). This pull request will bring the total coverage in the repository to 34.2% (0.6% change). View more on Code Climate.
| $pid = intval(varset($_POST['pid'], 0)); // ID of the specific comment being edited (nested comments - replies) | ||
| $row = array(); | ||
| $authName = filter_var($_POST['author_name'],FILTER_SANITIZE_STRING); | ||
| $authName = e107::getParser()->filter($_POST['author_name'], 'str'); |
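Review bot: the replacement line `$authName = e107::getParser()->filter($_POST['author_name'], 'str');` only removes the deprecation if `e_parse::filter()` with `$validate === false` no longer maps `'str'` to `FILTER_SANITIZE_STRING`; nothing in this hunk shows that, so reference the reworked `filter()` in the same change and add a test that pins the new contract (tags stripped, quotes left untouched) so a reader does not have to guess which "sanitization" `$authName` was meant to get. Separately, `$_POST['author_name']` is read without a guard, unlike `varset($_POST['pid'], 0)` two lines above; a request missing that key raises an undefined-index warning before the filter runs, so consider `varset($_POST['author_name'], '')` here as well.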
@Deltik Maybe I missed something, doesn't this do exactly the same as the code you replaced?
```php
public function filter($text, $type = 'str', $validate = false)
...
if($validate === false)
{
$filterTypes = array(
'int' => FILTER_SANITIZE_NUMBER_INT,
'str' => FILTER_SANITIZE_STRING, // no html.
'email' => FILTER_SANITIZE_EMAIL,
'url' => FILTER_SANITIZE_URL,
'enc' => FILTER_SANITIZE_ENCODED
);
}
```
e_parse::filter() has been reworked not to use filter_var(…, FILTER_SANITIZE_STRING). (Source)
According to the documentation of the deprecation of FILTER_SANITIZE_STRING, the usage of the filter is unclear. I looked at e107's usages of that filter and found that some of them expected strip_tags() behavior while others thought that the filter would make the provided string safe to quote in an SQL query. As there is no way for a filter to concatenate arbitrary strings safely for SQL queries, I decided to make e_parse::filter(…, 'str', false) just mean strip_tags().
I replaced the confounded usages of filter_var(…, FILTER_SANITIZE_STRING) with guesses for what the usages' intentions were:
Thank you!! Looks good, please see comment about filter().
@Deltik This commit introduced a bug into the form handler. git.exe bisect good Specifically it renders the following invalid HTML in the batch options and elsewhere. I previously committed a fix for the pop-up confirmation on the admin area cache delete button, which had a similar issue. (632f335) It appears the parsing of the
Motivation and Context
PHP 8.1 is about to be released, but e107 is not compatible with various deprecations and behavior changes.
Description
This pull request fixes all PHP 8.1 errors caught by the existing tests. Specifically:
Deprecations
* `strftime()` has been replaced with a polyfill based on `DateTime`.
* `filter_var(…, FILTER_SANITIZE_STRING)` replaced with `strip_tags()` or HTML entity encoding of quotation marks, depending on a guess of what the intended "sanitization" was
* `http_build_query()` usage type mismatches fixed
* Removed usages of the `FILE_TEXT` constant
* To avoid breaking PHP 5.6 compatibility (function return types), `e_session_db` no longer implements `SessionHandlerInterface`. Instead, the alternative non-OOP invocation of `session_set_save_handler()` is used to apply the session handler.
* The shim for `strptime()` still calls the native function if available but now suppresses the deprecation warning.
Behavior Changes
* `e_db_pdo` explicitly asks for `PDO::ATTR_STRINGIFY_FETCHES` to maintain consistent behavior with past versions of PHP.
* `e_db_mysql` explicitly sets `mysqli_report(MYSQLI_REPORT_OFF)` to maintain consistent behavior with past versions of PHP.
Other
* Removed pointless random number generator seed from `banner` plugin
* Workaround for `COUNT(*)` SQL query in `validatorClass::dbValidateArray()` without a proper API for avoiding SQL injection
How Has This Been Tested?
The changes make the existing tests pass on all PHP major versions since version 5.6.
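The three intents behind the old `FILTER_SANITIZE_STRING` usages (strip HTML, encode quotes for output, "make it safe for SQL") and why only a bound parameter serves the third, as an added example that is not code from e107 or this pull request. `legacySanitizeString()` is an approximation of the deprecated filter written here; the `comments` table and its rows are constructed sample data and the script assumes `ext/pdo_sqlite` is available.

```php
<?php
// Added example, not e107 code: contrasts the sanitization intents the PR had to guess at.
declare(strict_types=1);

// Approximation of what FILTER_SANITIZE_STRING did before PHP 8.1 deprecated it:
// strip tags, then HTML-encode single and double quotes.
function legacySanitizeString(string $s): string
{
    return str_replace(["'", '"'], ['&#39;', '&#34;'], strip_tags($s));
}

// Intent 1, "remove HTML": what e_parse::filter(…, 'str', false) now means.
function stripTagsOnly(string $s): string
{
    return strip_tags($s);
}

// Intent 2, "safe inside an HTML attribute": encode quotes at output time, not on input.
function encodeForAttribute(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Intent 3, "safe to quote in SQL": no string filter can do this; bind the value instead.
function countByAuthor(PDO $pdo, string $authName): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM comments WHERE author_name = :name');
    $stmt->execute([':name' => $authName]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample data in an in-memory SQLite database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (author_name TEXT NOT NULL)');
$pdo->exec("INSERT INTO comments VALUES ('O''Brien'), ('O''Brien'), ('Eve')");

$name = "O'Brien <b>x</b>"; // constructed input: an apostrophe plus markup
printf("legacy filter: %s\n", legacySanitizeString($name));
printf("strip_tags:    %s\n", stripTagsOnly($name));
printf("for attribute: %s\n", encodeForAttribute(stripTagsOnly($name)));

// Bound as a parameter, the apostrophe is data and matches the stored rows. Had the
// value been quote-encoded on input, the query would look for "O&#39;Brien" instead.
printf("rows for O'Brien (bound):   %d\n", countByAuthor($pdo, "O'Brien"));
printf("rows for O'Brien (encoded): %d\n", countByAuthor($pdo, legacySanitizeString("O'Brien")));
```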