Add sanitizers for JSON output

Those functions set proper content-types that prevent rendering of
data. Therefore it's safe to mark them as sanitizers.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>

diff --git a/lib/private/legacy/OC_API.php b/lib/private/legacy/OC_API.php
index 5e4a46ab4d7468205506e10be21c08dd84b906a1..cba60826196c06c8ae7edc4df0851163a6678df5 100644 (file)
--- a/lib/private/legacy/OC_API.php
+++ b/lib/private/legacy/OC_API.php
@@ -43,6 +43,7 @@ class OC_API {
         * respond to a call
         * @param \OC\OCS\Result $result
         * @param string $format the format xml|json
+        * @psalm-taint-escape html
         */
        public static function respond($result, $format = 'xml') {
                $request = \OC::$server->getRequest();

diff --git a/lib/private/legacy/OC_JSON.php b/lib/private/legacy/OC_JSON.php
index a0b9868a023fcd12d575e262ddcd6dcf8724f81a..1597955135e195efbaaee20064c10a1f8dd7cf75 100644 (file)
--- a/lib/private/legacy/OC_JSON.php
+++ b/lib/private/legacy/OC_JSON.php
@@ -99,6 +99,7 @@ class OC_JSON {
         * Send json error msg
         * @deprecated Use a AppFramework JSONResponse instead
         * @suppress PhanDeprecatedFunction
+        * @psalm-taint-escape html
         */
        public static function error($data = []) {
                $data['status'] = 'error';
@@ -110,6 +111,7 @@ class OC_JSON {
         * Send json success msg
         * @deprecated Use a AppFramework JSONResponse instead
         * @suppress PhanDeprecatedFunction
+        * @psalm-taint-escape html
         */
        public static function success($data = []) {
                $data['status'] = 'success';