author | Côme Chilliet <come.chilliet@nextcloud.com> | 2025-02-17 11:16:27 +0100 |
committer | Côme Chilliet <come.chilliet@nextcloud.com> | 2025-02-17 15:24:07 +0100 |
commit | fec865cc29ee0bc54dbd29c07e8cbe3d477bfca2 (patch) | |
tree | a2b54ebb48aa4acf74fcd50e3f28c6c661dfea91 | |
parent | 579a337750c85bab1f1e6d798c10cbb012f3f819 (diff) | |
chore: Correctly flag json encoding methods as escaping html and quotes
Especially with JSON_HEX_TAG it’s perfectly fine to echo JSON, and we
only use it in JSON output anyway.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
-rw-r--r-- | build/psalm-baseline-security.xml | 8 | ||||
-rw-r--r-- | lib/private/legacy/OC_JSON.php | 5 | ||||
-rw-r--r-- | lib/public/AppFramework/Http/JSONResponse.php | 3 |
3 files changed, 6 insertions, 10 deletions
diff --git a/build/psalm-baseline-security.xml b/build/psalm-baseline-security.xml
index 8740e96d78b..f15718796c2 100644
--- a/build/psalm-baseline-security.xml
+++ b/build/psalm-baseline-security.xml
@@ -104,12 +104,4 @@
 <code><![CDATA[$sql]]></code>
 </TaintedSql>
 </file>
- <file src="ocs-provider/index.php">
- <TaintedHtml>
- <code><![CDATA[$controller->buildProviderList()->render()]]></code>
- </TaintedHtml>
- <TaintedTextWithQuotes>
- <code><![CDATA[$controller->buildProviderList()->render()]]></code>
- </TaintedTextWithQuotes>
- </file>
 </files>
diff --git a/lib/private/legacy/OC_JSON.php b/lib/private/legacy/OC_JSON.php
index d2b85951123..6daef18dd61 100644
--- a/lib/private/legacy/OC_JSON.php
+++ b/lib/private/legacy/OC_JSON.php
@@ -74,7 +74,6 @@ class OC_JSON {
 * Send json error msg
 * @deprecated 12.0.0 Use a AppFramework JSONResponse instead
 * @suppress PhanDeprecatedFunction
- * @psalm-taint-escape html
 */
 public static function error($data = []) {
 $data['status'] = 'error';
@@ -86,7 +85,6 @@ class OC_JSON {
 * Send json success msg
 * @deprecated 12.0.0 Use a AppFramework JSONResponse instead
 * @suppress PhanDeprecatedFunction
- * @psalm-taint-escape html
 */
 public static function success($data = []) {
 $data['status'] = 'success';
@@ -97,6 +95,9 @@ class OC_JSON {
 /**
 * Encode JSON
 * @deprecated 12.0.0 Use a AppFramework JSONResponse instead
+ *
+ * @psalm-taint-escape has_quotes
+ * @psalm-taint-escape html
 */
 private static function encode($data) {
 return json_encode($data, JSON_HEX_TAG);
diff --git a/lib/public/AppFramework/Http/JSONResponse.php b/lib/public/AppFramework/Http/JSONResponse.php
index efcf79d5e87..a226e29a1b5 100644
--- a/lib/public/AppFramework/Http/JSONResponse.php
+++ b/lib/public/AppFramework/Http/JSONResponse.php
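Review bot: The new `@psalm-taint-escape has_quotes` on encode() claims more than `json_encode($data, JSON_HEX_TAG)` delivers: JSON_HEX_TAG only turns `<` and `>` into `\u003C`/`\u003E`, a double quote becomes `\"`, but a single quote and `&` pass through untouched, so the output is safe as a standalone JSON body and not inside a single-quoted HTML attribute or an inline script. Because this annotation now silences psalm for every caller reached through error()/success(), either widen the fixed flag set, `return json_encode($data, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);` (the result is still valid JSON for any consumer), or state the limit next to the escape tags, e.g. `* Output is escaped for emission as a JSON body only, not for embedding in HTML attributes.` encode()'s closing brace lies outside the hunk.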
@@ -58,6 +58,9 @@ class JSONResponse extends Response {
 * @return string the rendered json
 * @since 6.0.0
 * @throws \Exception If data could not get encoded
+ *
+ * @psalm-taint-escape has_quotes
+ * @psalm-taint-escape html
 */
 public function render() {
 return json_encode($this->data, JSON_HEX_TAG | JSON_THROW_ON_ERROR | $this->encodeFlags, 2048); |
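Review bot: render() is public API (`@since 6.0.0`) and `$this->encodeFlags` is under the caller's control, yet the added `has_quotes`/`html` escape tags assert that any use of its return value is safe for those sinks; OR-ing with JSON_HEX_TAG does guarantee `<`/`>` are hex-escaped whatever flags an app passes, but `'` and `&` are never escaped by json_encode, so a template that drops this string into a single-quoted attribute or a `<script>` body is not actually covered. Consider adding `JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP` to the fixed flag set (still valid JSON, and callers cannot remove a fixed flag via `$this->encodeFlags`), or at least scope the claim in the docblock: `* @return string JSON escaped for use as a response body (JSON_HEX_TAG); not safe to embed in HTML attributes`. The method body continues past the end of the hunk.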