├── .codacy.yml ├── .gitattributes ├── .github ├── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md └── workflows │ ├── automatic-releases.yml │ ├── dependency-review.yml │ └── snyk-infrastructure.yml ├── .gitignore ├── .htaccess ├── .security-scan ├── .version ├── LICENSE ├── Modules ├── .htaccess ├── Database_example.env └── functions.php ├── Public ├── assets │ ├── css │ │ ├── error.css │ │ └── style.css │ ├── img │ │ ├── favicon-1000x1000.png │ │ ├── favicon-100x100.png │ │ ├── favicon-255x255.png │ │ ├── favicon-500x500.png │ │ └── favicon-50x50.png │ └── js │ │ ├── autoConfigurationChecks.js │ │ ├── buttonCopyURL.js │ │ ├── formContentUpdate.js │ │ └── globalFunctions.js ├── dataProcessing.php ├── error_docs │ ├── 403.php │ ├── 404.php │ ├── 500.php │ ├── DatabaseConfig.php │ ├── DatabaseCredentials.php │ └── ServerConfiguration.php ├── index.php └── view.php ├── README.md ├── SECURITY.md ├── actions.yml ├── favicon.ico └── index.php /.codacy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | engines: 3 | rubocop: 4 | exclude_paths: 5 | - config/engines.yml 6 | duplication: 7 | exclude_paths: 8 | - config/engines.yml 9 | metric: 10 | exclude_paths: 11 | - config/engines.yml 12 | languages: 13 | css: 14 | extensions: 15 | - '.scss' 16 | exclude_paths: 17 | - "Public/assets/css/**" -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.env linguist-language=ENV 2 | ./* linguist-documentation -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: Bug/Issue Report 5 | labels: bug, security, enhancement 6 | assignees: axtonprice 7 | 8 | --- 9 | 10 | 
**Describe the bug** 11 | A clear and concise description of what the bug is. Do not submit a bug report unless you are using the latest QuickBlaze version. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Desktop (please complete the following information):** 27 | - OS: [e.g. iOS] 28 | - Browser [e.g. chrome, safari] 29 | - Version [e.g. 22] 30 | 31 | **Smartphone (please complete the following information):** 32 | - Device: [e.g. iPhone6] 33 | - OS: [e.g. iOS8.1] 34 | - Browser [e.g. stock browser, safari] 35 | - Version [e.g. 22] 36 | 37 | **Additional context** 38 | Add any other context about the problem here. 39 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: Feature Request 5 | labels: enhancement, feature-request 6 | assignees: axtonprice 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 
21 | -------------------------------------------------------------------------------- /.github/workflows/automatic-releases.yml: -------------------------------------------------------------------------------- 1 | name: 'Release' 2 | 3 | on: 4 | push: 5 | branches: 6 | - "main" 7 | workflow_dispatch: 8 | inputs: 9 | semver: 10 | description: 'Which version you want to increment? Use MAJOR, MINOR or PATCH' 11 | required: true 12 | default: 'PATCH' 13 | label: 14 | description: 'Add Labels. i.e final, alpha, rc' 15 | required: true 16 | default: ' Stable' 17 | 18 | jobs: 19 | release: 20 | name: 'Release' 21 | runs-on: 'ubuntu-latest' 22 | 23 | steps: 24 | - name: 'Checkout' 25 | uses: actions/checkout@v2 26 | 27 | # ... 28 | - name: '👷‍♂️ Build' 29 | run: | 30 | echo "BUILD COMPLETE 👍" 31 | 32 | # ... 33 | - name: '🧪 TEST' 34 | run: | 35 | echo "TESTS PASSED 🎉" 36 | 37 | - uses: 'rui-costa/action-automatic-semver-releases@latest' 38 | name: "Automatic Release Update" 39 | with: 40 | TOKEN: '${{ secrets.GITHUB_TOKEN }}' 41 | SEMVER: '${{ github.event.inputs.semver }}' 42 | LABEL: '${{ github.event.inputs.label }}' 43 | NOTES: '${{ steps.gen-notes.outputs.notes }}' 44 | -------------------------------------------------------------------------------- /.github/workflows/dependency-review.yml: -------------------------------------------------------------------------------- 1 | # Dependency Review Action 2 | # 3 | # This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. 
4 | # 5 | # Source repository: https://github.com/actions/dependency-review-action 6 | # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement 7 | name: 'Dependency Review' 8 | on: [pull_request] 9 | 10 | permissions: 11 | contents: read 12 | 13 | jobs: 14 | dependency-review: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - name: 'Checkout Repository' 18 | uses: actions/checkout@v3 19 | - name: 'Dependency Review' 20 | uses: actions/dependency-review-action@v1 21 | -------------------------------------------------------------------------------- /.github/workflows/snyk-infrastructure.yml: -------------------------------------------------------------------------------- 1 | # This workflow uses actions that are not certified by GitHub. 2 | # They are provided by a third-party and are governed by 3 | # separate terms of service, privacy policy, and support 4 | # documentation. 5 | 6 | # A sample workflow which checks out your Infrastructure as Code Configuration files, 7 | # such as Kubernetes, Helm & Terraform and scans them for any security issues. 
8 | # The results are then uploaded to GitHub Security Code Scanning 9 | # 10 | # For more examples, including how to limit scans to only high-severity issues 11 | # and fail PR checks, see https://github.com/snyk/actions/ 12 | 13 | name: Snyk Infrastructure as Code 14 | 15 | on: 16 | push: 17 | branches: [ main ] 18 | pull_request: 19 | # The branches below must be a subset of the branches above 20 | branches: [ main ] 21 | schedule: 22 | - cron: '35 8 * * 1' 23 | 24 | permissions: 25 | contents: read 26 | 27 | jobs: 28 | snyk: 29 | permissions: 30 | contents: read # for actions/checkout to fetch code 31 | security-events: write # for github/codeql-action/upload-sarif to upload SARIF results 32 | runs-on: ubuntu-latest 33 | steps: 34 | - uses: actions/checkout@v3 35 | - name: Run Snyk to check configuration files for security issues 36 | # Snyk can be used to break the build when it detects security issues. 37 | # In this case we want to upload the issues to GitHub Code Scanning 38 | continue-on-error: true 39 | uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4 40 | env: 41 | # In order to use the Snyk Action you will need to have a Snyk API token. 42 | # More details in https://github.com/snyk/actions#getting-your-snyk-token 43 | # or you can signup for free at https://snyk.io/login 44 | SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 45 | with: 46 | # Add the path to the configuration file that you would like to test. 
47 | # For example `deployment.yaml` for a Kubernetes deployment manifest 48 | # or `main.tf` for a Terraform configuration file 49 | file: null 50 | - name: Upload result to GitHub Code Scanning 51 | uses: github/codeql-action/upload-sarif@v2 52 | with: 53 | sarif_file: .security-scan -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Quickblaze Files 2 | .vscode/ 3 | .stashed/ 4 | .gitattributes 5 | .dccache 6 | 7 | # QuickBlaze Security 8 | local-storage 9 | Modules/Database.env 10 | .config 11 | 12 | # QuickBlaze Composer 13 | vendor/ 14 | composer.lock 15 | 16 | # Docker (Unreleased) 17 | Dockerfile 18 | .dockerignore 19 | -------------------------------------------------------------------------------- /.htaccess: -------------------------------------------------------------------------------- 1 | # URL handling 2 | RewriteEngine on 3 | RewriteCond %{REQUEST_FILENAME} !-f 4 | RewriteCond %{REQUEST_FILENAME} !-d 5 | RewriteRule ^.* index.php [L,QSA] 6 | 7 | # Error handling 8 | ErrorDocument 404 /404 9 | ErrorDocument 403 /403 10 | ErrorDocument 500 /500 11 | 12 | # File security 13 | 14 | Order allow,deny 15 | Deny from all 16 | -------------------------------------------------------------------------------- /.security-scan: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", 3 | "version": "2.1.0", 4 | "runs": [ 5 | { 6 | "tool": { 7 | "driver": { 8 | "name": "SnykCode", 9 | "semanticVersion": "1.0.0", 10 | "version": "1.0.0", 11 | "rules": [ 12 | { 13 | "id": "php/PT", 14 | "name": "PT", 15 | "shortDescription": { 16 | "text": "Path Traversal" 17 | }, 18 | "defaultConfiguration": { 19 | "level": "error" 20 | }, 21 | "help": { 22 | "markdown": "## Details\n\nA Directory Traversal attack 
(also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 
19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", 23 | "text": "" 24 | }, 25 | "properties": { 26 | "tags": [ 27 | "php" 28 | ], 29 | "categories": [ 30 | "Security" 31 | ], 32 | "exampleCommitFixes": [ 33 | { 34 | "commitURL": "https://github.com/pfsense/pfsense-packages/commit/0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b?diff=split#diff-7d40bbc944bdd9d0ac99f1e375807fb3L98", 35 | "lines": [ 36 | { 37 | "line": "if (isset($_POST['upload'])) {", 38 | "lineNumber": 96, 39 | "lineChange": "none" 40 | }, 41 | { 42 | "line": " if ($_FILES[\"sidmods_fileup\"][\"error\"] == UPLOAD_ERR_OK) {", 43 | "lineNumber": 97, 44 | "lineChange": "none" 45 | }, 46 | { 47 | "line": " $tmp_name = $_FILES[\"sidmods_fileup\"][\"tmp_name\"];", 48 | "lineNumber": 98, 49 | "lineChange": "none" 50 | }, 51 | { 52 | "line": " $name = $_FILES[\"sidmods_fileup\"][\"name\"];", 53 | "lineNumber": 99, 54 | "lineChange": "removed" 55 | }, 56 | { 57 | "line": " $name = basename($_FILES[\"sidmods_fileup\"][\"name\"]);", 58 | "lineNumber": 99, 59 | "lineChange": "added" 60 | }, 61 | { 62 | "line": " move_uploaded_file($tmp_name, \"{$sidmods_path}{$name}\");", 63 | "lineNumber": 100, 64 | "lineChange": "none" 65 | }, 66 | { 67 | "line": " }", 68 | "lineNumber": 101, 69 | "lineChange": "none" 70 | }, 71 | { 72 | "line": " else", 73 | "lineNumber": 102, 74 | "lineChange": "none" 75 | } 76 | ] 77 | }, 78 | { 79 | "commitURL": "https://github.com/ExchangeWorld/ExchangeWorld/commit/606aa8b3eb707f1cd1831fb663a8f415a463aa05?diff=split#diff-041d983df8c7b46dbc24f32fb39de8feL4", 80 | "lines": [ 81 | { 82 | "line": " 'URL parameter not found'];", 329 | "lineNumber": 130, 330 | "lineChange": "none" 331 | }, 332 | { 333 | "line": "}", 334 | "lineNumber": 131, 335 | "lineChange": "none" 336 | }, 337 | { 338 | "line": "header('Access-Control-Allow-Origin: *');", 339 | "lineNumber": 132, 340 | "lineChange": "removed" 341 | }, 342 | { 343 | "line": "$urlHost = 
$_SERVER['HTTP_HOST'];", 344 | "lineNumber": 133, 345 | "lineChange": "added" 346 | }, 347 | { 348 | "line": "header('Access-Control-Allow-Origin: '.$urlHost);", 349 | "lineNumber": 135, 350 | "lineChange": "added" 351 | }, 352 | { 353 | "line": "header('Content-type: application/json', true);", 354 | "lineNumber": 136, 355 | "lineChange": "none" 356 | } 357 | ] 358 | }, 359 | { 360 | "commitURL": "https://github.com/wgenial/cartrolandofc/commit/3d69f64001ffe84e89404bcd4ca627d2d1e95a33?diff=split#diff-5b9b7bac226602d432ba9969f7986f37L9", 361 | "lines": [ 362 | { 363 | "line": " */", 364 | "lineNumber": 6, 365 | "lineChange": "none" 366 | }, 367 | { 368 | "line": "header(\"Access-Control-Allow-Origin: *\");", 369 | "lineNumber": 8, 370 | "lineChange": "removed" 371 | }, 372 | { 373 | "line": "header('Content-type: application/json');", 374 | "lineNumber": 9, 375 | "lineChange": "removed" 376 | }, 377 | { 378 | "line": "header('Content-type: application/json;charset=UTF-8');", 379 | "lineNumber": 8, 380 | "lineChange": "added" 381 | }, 382 | { 383 | "line": " if (isset($_GET[\"api\"]) and $_GET[\"api\"] !== \"\") {", 384 | "lineNumber": 11, 385 | "lineChange": "none" 386 | } 387 | ] 388 | } 389 | ], 390 | "exampleCommitDescriptions": [ 391 | "CORS added, DEMO constant deleted", 392 | "added handling of response headers overrides by config" 393 | ], 394 | "precision": "very-high", 395 | "repoDatasetSize": 26, 396 | "cwe": [ 397 | "CWE-942", 398 | "CWE-346" 399 | ] 400 | } 401 | }, 402 | { 403 | "id": "php/XSS", 404 | "name": "XSS", 405 | "shortDescription": { 406 | "text": "Cross-site Scripting (XSS)" 407 | }, 408 | "defaultConfiguration": { 409 | "level": "error" 410 | }, 411 | "help": { 412 | "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then 
delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `&lt;`; and `>` can be coded as `&gt;`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. 
When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.", 413 | "text": "" 414 | }, 415 | "properties": { 416 | "tags": [ 417 | "php" 418 | ], 419 | "categories": [ 420 | "Security" 421 | ], 422 | "exampleCommitFixes": [ 423 | { 424 | "commitURL": "https://github.com/minkphp/Mink/commit/232919c0c44a2b35d410373c12db404b709ec25c?diff=split#diff-b51e2215d4bd4e189c9360d91a412970L6", 425 | "lines": [ 426 | { 427 | "line": " setcookie(\"tc\", 
$_POST['cookie_value'], null, '/');", 428 | "lineNumber": 3, 429 | "lineChange": "none" 430 | }, 431 | { 432 | "line": "} elseif (isset($_GET[\"show_value\"])) {", 433 | "lineNumber": 4, 434 | "lineChange": "none" 435 | }, 436 | { 437 | "line": " echo $_COOKIE[\"tc\"];", 438 | "lineNumber": 5, 439 | "lineChange": "removed" 440 | }, 441 | { 442 | "line": " echo htmlspecialchars($_COOKIE[\"tc\"], ENT_QUOTES, 'UTF-8');", 443 | "lineNumber": 5, 444 | "lineChange": "added" 445 | }, 446 | { 447 | "line": " die();", 448 | "lineNumber": 6, 449 | "lineChange": "none" 450 | }, 451 | { 452 | "line": "}", 453 | "lineNumber": 7, 454 | "lineChange": "none" 455 | } 456 | ] 457 | }, 458 | { 459 | "commitURL": "https://github.com/yunluo/Git/commit/1cb7eddf43f770c055cd685c7f73bb3dac713789?diff=split#diff-34390932035b5d4fd059e5e9a4c629b6L69", 460 | "lines": [ 461 | { 462 | "line": " the_content(); ?>", 463 | "lineNumber": 66, 464 | "lineChange": "none" 465 | }, 466 | { 467 | "line": "
\">", 483 | "lineNumber": 69, 484 | "lineChange": "none" 485 | }, 486 | { 487 | "line": "
", 488 | "lineNumber": 70, 489 | "lineChange": "none" 490 | } 491 | ] 492 | }, 493 | { 494 | "commitURL": "https://github.com/railt/railt/commit/856e3456f6b87c94c1262a842c6df29a76cf9be1?diff=split#diff-eaa75d4030b62891c20b9f9d83a58fd2L59", 495 | "lines": [ 496 | { 497 | "line": " echo $request->get('schema');", 498 | "lineNumber": 56, 499 | "lineChange": "removed" 500 | }, 501 | { 502 | "line": " echo htmlspecialchars($request->get('schema'));", 503 | "lineNumber": 73, 504 | "lineChange": "added" 505 | }, 506 | { 507 | "line": " } else {", 508 | "lineNumber": 74, 509 | "lineChange": "none" 510 | }, 511 | { 512 | "line": " echo file_get_contents(__DIR__ . '/gql/schema.graphqls');", 513 | "lineNumber": 58, 514 | "lineChange": "removed" 515 | }, 516 | { 517 | "line": " echo htmlspecialchars(file_get_contents(__DIR__ . '/gql/schema.graphqls'));", 518 | "lineNumber": 75, 519 | "lineChange": "added" 520 | }, 521 | { 522 | "line": " }", 523 | "lineNumber": 76, 524 | "lineChange": "none" 525 | }, 526 | { 527 | "line": "?>
", 528 | "lineNumber": 77, 529 | "lineChange": "none" 530 | } 531 | ] 532 | } 533 | ], 534 | "exampleCommitDescriptions": [ 535 | "Uploaded files now appear on profile pages", 536 | "Add files via upload", 537 | "remove file name from output to avoid XSS" 538 | ], 539 | "precision": "very-high", 540 | "repoDatasetSize": 526, 541 | "cwe": [ 542 | "CWE-79" 543 | ] 544 | } 545 | }, 546 | { 547 | "id": "javascript/DOMXSS", 548 | "name": "DOMXSS", 549 | "shortDescription": { 550 | "text": "Cross-site Scripting (XSS)" 551 | }, 552 | "defaultConfiguration": { 553 | "level": "error" 554 | }, 555 | "help": { 556 | "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. 
If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. 
An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.", 557 | "text": "" 558 | }, 559 | "properties": { 560 | "tags": [ 561 | "javascript" 562 | ], 563 | "categories": [ 564 | "Security" 565 | ], 566 | "exampleCommitFixes": [ 567 | { 568 | "commitURL": "https://github.com/decred/dcrdata/commit/1996f027d9c1b64fafdc22baa26b58d27f374638?diff=split#diff-6d548c58846af1c8dadd7f36d75f2795L319", 569 | "lines": [ 570 | { 571 | "line": "var ctrl = this", 572 | "lineNumber": 316, 573 | "lineChange": "none" 574 | }, 575 | { 576 | "line": "ctrl.listboxTarget.classList.add('loading')", 577 | "lineNumber": 317, 578 | "lineChange": "none" 579 | }, 580 | { 581 | "line": "let tableResponse = await axios.get(ctrl.makeTableUrl(txType, count, offset))", 582 | "lineNumber": 318, 583 | "lineChange": "none" 584 | }, 585 | { 586 | "line": "let html = tableResponse.data", 587 
| "lineNumber": 319, 588 | "lineChange": "none" 589 | }, 590 | { 591 | "line": "ctrl.tableTarget.innerHTML = html", 592 | "lineNumber": 320, 593 | "lineChange": "removed" 594 | }, 595 | { 596 | "line": "ctrl.tableTarget.innerHTML = dompurify.sanitize(html)", 597 | "lineNumber": 301, 598 | "lineChange": "added" 599 | }, 600 | { 601 | "line": "var settings = ctrl.listSettings", 602 | "lineNumber": 321, 603 | "lineChange": "none" 604 | }, 605 | { 606 | "line": "settings.n = count", 607 | "lineNumber": 322, 608 | "lineChange": "none" 609 | } 610 | ] 611 | }, 612 | { 613 | "commitURL": "https://github.com/shokai/sinatra-template/commit/d4b6b31eea77cd39d387f515ced18f73b508854f?diff=split#diff-f485b1889bd3c96211c9236b0cf5daecL2", 614 | "lines": [ 615 | { 616 | "line": "};", 617 | "lineNumber": 7, 618 | "lineChange": "added" 619 | }, 620 | { 621 | "line": "$(function(){", 622 | "lineNumber": 9, 623 | "lineChange": "none" 624 | }, 625 | { 626 | "line": " $('input#start_btn').click(omikuji_start);", 627 | "lineNumber": 10, 628 | "lineChange": "none" 629 | }, 630 | { 631 | "line": "});", 632 | "lineNumber": 11, 633 | "lineChange": "none" 634 | }, 635 | { 636 | "line": "var omikuji_start = function(){", 637 | "lineNumber": 13, 638 | "lineChange": "none" 639 | }, 640 | { 641 | "line": " $.getJSON(omikuji_api, function(res){", 642 | "lineNumber": 14, 643 | "lineChange": "none" 644 | }, 645 | { 646 | "line": " console.log(res);", 647 | "lineNumber": 15, 648 | "lineChange": "none" 649 | }, 650 | { 651 | "line": " var li = $('
  • ').append(res.result + ' - ' + res.time);", 652 | "lineNumber": 8, 653 | "lineChange": "removed" 654 | }, 655 | { 656 | "line": " var li = $('
  • ').append(res.result.htmlEscape() + ' - ' + res.time.htmlEscape());", 657 | "lineNumber": 16, 658 | "lineChange": "added" 659 | }, 660 | { 661 | "line": " $('ul#results').prepend(li);", 662 | "lineNumber": 17, 663 | "lineChange": "none" 664 | }, 665 | { 666 | "line": " });", 667 | "lineNumber": 18, 668 | "lineChange": "none" 669 | } 670 | ] 671 | }, 672 | { 673 | "commitURL": "https://github.com/ether/etherpad-lite/commit/83ce73b77b5061de2c1c24219b7bdc3ea499f7af?diff=split#diff-5800366247a45833e8dbfce86ea4d046L59", 674 | "lines": [ 675 | { 676 | "line": "//Check if we accessed the pad over https", 677 | "lineNumber": 57, 678 | "lineChange": "none" 679 | }, 680 | { 681 | "line": "var secure = window.location.protocol == \"https:\" ? \";secure\" : \"\";", 682 | "lineNumber": 58, 683 | "lineChange": "none" 684 | }, 685 | { 686 | "line": "//Check if the browser is IE and if so make sure the full path is set in the cookie", 687 | "lineNumber": 60, 688 | "lineChange": "none" 689 | }, 690 | { 691 | "line": " $(\"#editorloadingbox\").css(\"padding\", \"10px\");", 692 | "lineNumber": 524, 693 | "lineChange": "none" 694 | }, 695 | { 696 | "line": " $(\"#editorloadingbox\").css(\"padding-top\", \"45px\");", 697 | "lineNumber": 525, 698 | "lineChange": "none" 699 | }, 700 | { 701 | "line": " $(\"#editorloadingbox\").html(\"
    An error occurred
    The error was reported with the following id: '\" + errorId + \"'

    URL: \" + window.location.href + \"
    UserAgent: \" + userAgent + \"
    \" + msg + \" in \" + url + \" at line \" + linenumber + \"'
    \");", 707 | "lineNumber": 527, 708 | "lineChange": "removed" 709 | }, 710 | { 711 | "line": " + \"ErrorId: \" + errorId + \"
    URL: \" + padutils.escapeHtml(window.location.href) + \"
    UserAgent: \" + userAgent + \"
    \" + msg + \" in \" + url + \" at line \" + linenumber + \"'\");", 712 | "lineNumber": 527, 713 | "lineChange": "added" 714 | }, 715 | { 716 | "line": "}", 717 | "lineNumber": 528, 718 | "lineChange": "none" 719 | } 720 | ] 721 | } 722 | ], 723 | "exampleCommitDescriptions": [ 724 | "Add unit test.", 725 | "e3db0cd CHANGES.md\n84d1acf Add tests.", 726 | "Update and clean up the tests by using the iframe's load event." 727 | ], 728 | "precision": "very-high", 729 | "repoDatasetSize": 1482, 730 | "cwe": [ 731 | "CWE-79" 732 | ] 733 | } 734 | } 735 | ] 736 | } 737 | }, 738 | "results": [ 739 | { 740 | "ruleId": "php/PT", 741 | "ruleIndex": 0, 742 | "level": "error", 743 | "message": { 744 | "text": "Unsanitized input from an HTTP header flows into file_get_contents, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", 745 | "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", 746 | "arguments": [ 747 | "[an HTTP header](0)", 748 | "[flows](1),(2),(3),(4),(5),(6),(7)", 749 | "[file_get_contents](8)" 750 | ] 751 | }, 752 | "locations": [ 753 | { 754 | "physicalLocation": { 755 | "artifactLocation": { 756 | "uri": "Modules/functions.php", 757 | "uriBaseId": "%SRCROOT%" 758 | }, 759 | "region": { 760 | "startLine": 309, 761 | "endLine": 309, 762 | "startColumn": 12, 763 | "endColumn": 274 764 | } 765 | } 766 | } 767 | ], 768 | "fingerprints": { 769 | "0": "74e0b3c5c5f55e198afe2b2f3265e677cfaaea0c3060460435b4e62578969335", 770 | "1": "80f1517a.464a7316.c3dea7ce.f18a7ecf.20a8e692.39e0148c.480b110d.be170d97.43f154ae.abf264c1.2173882d.abd479c7.20a8e692.c1b6b7bc.b2a0b7cd.58bf5da9" 771 | }, 772 | "codeFlows": [ 773 | { 774 | "threadFlows": [ 775 | { 776 | "locations": [ 777 | { 778 | "location": { 779 | "id": 0, 780 | "physicalLocation": { 781 | "artifactLocation": { 782 | 
"uri": "Modules/functions.php", 783 | "uriBaseId": "%SRCROOT%" 784 | }, 785 | "region": { 786 | "startLine": 303, 787 | "endLine": 303, 788 | "startColumn": 22, 789 | "endColumn": 53 790 | } 791 | } 792 | } 793 | }, 794 | { 795 | "location": { 796 | "id": 1, 797 | "physicalLocation": { 798 | "artifactLocation": { 799 | "uri": "Modules/functions.php", 800 | "uriBaseId": "%SRCROOT%" 801 | }, 802 | "region": { 803 | "startLine": 303, 804 | "endLine": 303, 805 | "startColumn": 22, 806 | "endColumn": 53 807 | } 808 | } 809 | } 810 | }, 811 | { 812 | "location": { 813 | "id": 2, 814 | "physicalLocation": { 815 | "artifactLocation": { 816 | "uri": "Modules/functions.php", 817 | "uriBaseId": "%SRCROOT%" 818 | }, 819 | "region": { 820 | "startLine": 303, 821 | "endLine": 303, 822 | "startColumn": 15, 823 | "endColumn": 60 824 | } 825 | } 826 | } 827 | }, 828 | { 829 | "location": { 830 | "id": 3, 831 | "physicalLocation": { 832 | "artifactLocation": { 833 | "uri": "Modules/functions.php", 834 | "uriBaseId": "%SRCROOT%" 835 | }, 836 | "region": { 837 | "startLine": 303, 838 | "endLine": 303, 839 | "startColumn": 9, 840 | "endColumn": 11 841 | } 842 | } 843 | } 844 | }, 845 | { 846 | "location": { 847 | "id": 4, 848 | "physicalLocation": { 849 | "artifactLocation": { 850 | "uri": "Modules/functions.php", 851 | "uriBaseId": "%SRCROOT%" 852 | }, 853 | "region": { 854 | "startLine": 309, 855 | "endLine": 309, 856 | "startColumn": 196, 857 | "endColumn": 198 858 | } 859 | } 860 | } 861 | }, 862 | { 863 | "location": { 864 | "id": 5, 865 | "physicalLocation": { 866 | "artifactLocation": { 867 | "uri": "Modules/functions.php", 868 | "uriBaseId": "%SRCROOT%" 869 | }, 870 | "region": { 871 | "startLine": 309, 872 | "endLine": 309, 873 | "startColumn": 30, 874 | "endColumn": 198 875 | } 876 | } 877 | } 878 | }, 879 | { 880 | "location": { 881 | "id": 6, 882 | "physicalLocation": { 883 | "artifactLocation": { 884 | "uri": "Modules/functions.php", 885 | "uriBaseId": "%SRCROOT%" 886 | }, 
887 | "region": { 888 | "startLine": 309, 889 | "endLine": 309, 890 | "startColumn": 30, 891 | "endColumn": 212 892 | } 893 | } 894 | } 895 | }, 896 | { 897 | "location": { 898 | "id": 7, 899 | "physicalLocation": { 900 | "artifactLocation": { 901 | "uri": "Modules/functions.php", 902 | "uriBaseId": "%SRCROOT%" 903 | }, 904 | "region": { 905 | "startLine": 309, 906 | "endLine": 309, 907 | "startColumn": 30, 908 | "endColumn": 228 909 | } 910 | } 911 | } 912 | }, 913 | { 914 | "location": { 915 | "id": 8, 916 | "physicalLocation": { 917 | "artifactLocation": { 918 | "uri": "Modules/functions.php", 919 | "uriBaseId": "%SRCROOT%" 920 | }, 921 | "region": { 922 | "startLine": 309, 923 | "endLine": 309, 924 | "startColumn": 12, 925 | "endColumn": 274 926 | } 927 | } 928 | } 929 | } 930 | ] 931 | } 932 | ] 933 | } 934 | ], 935 | "properties": { 936 | "priorityScore": 803, 937 | "priorityScoreFactors": [ 938 | { 939 | "label": true, 940 | "type": "hotFileSource" 941 | }, 942 | { 943 | "label": true, 944 | "type": "fixExamples" 945 | } 946 | ] 947 | } 948 | }, 949 | { 950 | "ruleId": "php/InsecureRandomData", 951 | "ruleIndex": 2, 952 | "level": "error", 953 | "message": { 954 | "text": "An insecure random number generator is used to create an URL (the random value flows from rand). Consider using CSPRNG functions instead.", 955 | "markdown": "An insecure random number generator is used to create {0} (the random value flows from {1}). 
Consider using CSPRNG functions instead.", 956 | "arguments": [ 957 | "[an URL](0)", 958 | "[rand](1)" 959 | ] 960 | }, 961 | "locations": [ 962 | { 963 | "physicalLocation": { 964 | "artifactLocation": { 965 | "uri": "Modules/functions.php", 966 | "uriBaseId": "%SRCROOT%" 967 | }, 968 | "region": { 969 | "startLine": 37, 970 | "endLine": 37, 971 | "startColumn": 155, 972 | "endColumn": 166 973 | } 974 | } 975 | } 976 | ], 977 | "fingerprints": { 978 | "0": "5e44ae9973bcb6d745343eec5c8dc1799c1597798eaf9068de5e8b689b5bb1c2", 979 | "1": "703ebb77.464a7316.c3dea7ce.73a3d5be.af50231a.773652eb.a7efae7e.be170d97.703ebb77.464a7316.c3dea7ce.73a3d5be.af50231a.773652eb.a7efae7e.be170d97" 980 | }, 981 | "codeFlows": [ 982 | { 983 | "threadFlows": [ 984 | { 985 | "locations": [ 986 | { 987 | "location": { 988 | "id": 0, 989 | "physicalLocation": { 990 | "artifactLocation": { 991 | "uri": "Modules/functions.php", 992 | "uriBaseId": "%SRCROOT%" 993 | }, 994 | "region": { 995 | "startLine": 37, 996 | "endLine": 37, 997 | "startColumn": 155, 998 | "endColumn": 166 999 | } 1000 | } 1001 | } 1002 | }, 1003 | { 1004 | "location": { 1005 | "id": 1, 1006 | "physicalLocation": { 1007 | "artifactLocation": { 1008 | "uri": "Modules/functions.php", 1009 | "uriBaseId": "%SRCROOT%" 1010 | }, 1011 | "region": { 1012 | "startLine": 37, 1013 | "endLine": 37, 1014 | "startColumn": 155, 1015 | "endColumn": 166 1016 | } 1017 | } 1018 | } 1019 | } 1020 | ] 1021 | } 1022 | ] 1023 | } 1024 | ], 1025 | "properties": { 1026 | "priorityScore": 605, 1027 | "priorityScoreFactors": [ 1028 | { 1029 | "label": true, 1030 | "type": "multipleOccurrence" 1031 | }, 1032 | { 1033 | "label": true, 1034 | "type": "hotFileSource" 1035 | } 1036 | ] 1037 | } 1038 | }, 1039 | { 1040 | "ruleId": "php/InsecureRandomData", 1041 | "ruleIndex": 2, 1042 | "level": "error", 1043 | "message": { 1044 | "text": "An insecure random number generator is used to create an URL (the random value flows from rand). 
Consider using CSPRNG functions instead.", 1045 | "markdown": "An insecure random number generator is used to create {0} (the random value flows from {1}). Consider using CSPRNG functions instead.", 1046 | "arguments": [ 1047 | "[an URL](0)", 1048 | "[rand](1)" 1049 | ] 1050 | }, 1051 | "locations": [ 1052 | { 1053 | "physicalLocation": { 1054 | "artifactLocation": { 1055 | "uri": "Modules/functions.php", 1056 | "uriBaseId": "%SRCROOT%" 1057 | }, 1058 | "region": { 1059 | "startLine": 41, 1060 | "endLine": 41, 1061 | "startColumn": 243, 1062 | "endColumn": 254 1063 | } 1064 | } 1065 | } 1066 | ], 1067 | "fingerprints": { 1068 | "0": "c0efb0c50c453fe4570b71e4cc736a13f3033942968a441e5c12da9924f3f2d6", 1069 | "1": "703ebb77.464a7316.c3dea7ce.37e648b5.af50231a.773652eb.a7efae7e.be170d97.703ebb77.464a7316.a666b580.37e648b5.af50231a.dd23c7e4.a7efae7e.047105df" 1070 | }, 1071 | "codeFlows": [ 1072 | { 1073 | "threadFlows": [ 1074 | { 1075 | "locations": [ 1076 | { 1077 | "location": { 1078 | "id": 0, 1079 | "physicalLocation": { 1080 | "artifactLocation": { 1081 | "uri": "Modules/functions.php", 1082 | "uriBaseId": "%SRCROOT%" 1083 | }, 1084 | "region": { 1085 | "startLine": 41, 1086 | "endLine": 41, 1087 | "startColumn": 243, 1088 | "endColumn": 254 1089 | } 1090 | } 1091 | } 1092 | }, 1093 | { 1094 | "location": { 1095 | "id": 1, 1096 | "physicalLocation": { 1097 | "artifactLocation": { 1098 | "uri": "Modules/functions.php", 1099 | "uriBaseId": "%SRCROOT%" 1100 | }, 1101 | "region": { 1102 | "startLine": 41, 1103 | "endLine": 41, 1104 | "startColumn": 243, 1105 | "endColumn": 254 1106 | } 1107 | } 1108 | } 1109 | } 1110 | ] 1111 | } 1112 | ] 1113 | } 1114 | ], 1115 | "properties": { 1116 | "priorityScore": 605, 1117 | "priorityScoreFactors": [ 1118 | { 1119 | "label": true, 1120 | "type": "multipleOccurrence" 1121 | }, 1122 | { 1123 | "label": true, 1124 | "type": "hotFileSource" 1125 | } 1126 | ] 1127 | } 1128 | }, 1129 | { 1130 | "ruleId": 
"php/TooPermissiveCorsHeader", 1131 | "ruleIndex": 6, 1132 | "level": "warning", 1133 | "message": { 1134 | "text": "Setting Access-Control-Allow-Origin header to \"*\" in header might be too permissive. This allows malicious code on other domains to communicate with the application, which is a security risk", 1135 | "markdown": "Setting {0} to {1} in {2} might be too permissive. This allows malicious code on other domains to communicate with the application, which is a security risk", 1136 | "arguments": [ 1137 | "[Access-Control-Allow-Origin header](0)", 1138 | "[\"*\"](1)", 1139 | "[header](2)" 1140 | ] 1141 | }, 1142 | "locations": [ 1143 | { 1144 | "physicalLocation": { 1145 | "artifactLocation": { 1146 | "uri": "Modules/functions.php", 1147 | "uriBaseId": "%SRCROOT%" 1148 | }, 1149 | "region": { 1150 | "startLine": 3, 1151 | "endLine": 3, 1152 | "startColumn": 1, 1153 | "endColumn": 40 1154 | } 1155 | } 1156 | } 1157 | ], 1158 | "fingerprints": { 1159 | "0": "4f873614247ba637436288e094d94ae116f9fc982fc4503291c8af97978c2f5e", 1160 | "1": "ac863540.464a7316.5f4727d6.ae562fb3.975941ba.7e8b3801.42ed9a30.43dfb0a5.ac863540.464a7316.c3dea7ce.ae562fb3.975941ba.7e8b3801.a7efae7e.43dfb0a5" 1161 | }, 1162 | "codeFlows": [ 1163 | { 1164 | "threadFlows": [ 1165 | { 1166 | "locations": [ 1167 | { 1168 | "location": { 1169 | "id": 0, 1170 | "physicalLocation": { 1171 | "artifactLocation": { 1172 | "uri": "Modules/functions.php", 1173 | "uriBaseId": "%SRCROOT%" 1174 | }, 1175 | "region": { 1176 | "startLine": 3, 1177 | "endLine": 3, 1178 | "startColumn": 1, 1179 | "endColumn": 40 1180 | } 1181 | } 1182 | } 1183 | }, 1184 | { 1185 | "location": { 1186 | "id": 1, 1187 | "physicalLocation": { 1188 | "artifactLocation": { 1189 | "uri": "Modules/functions.php", 1190 | "uriBaseId": "%SRCROOT%" 1191 | }, 1192 | "region": { 1193 | "startLine": 3, 1194 | "endLine": 3, 1195 | "startColumn": 1, 1196 | "endColumn": 40 1197 | } 1198 | } 1199 | } 1200 | }, 1201 | { 1202 | "location": { 
1203 | "id": 2, 1204 | "physicalLocation": { 1205 | "artifactLocation": { 1206 | "uri": "Modules/functions.php", 1207 | "uriBaseId": "%SRCROOT%" 1208 | }, 1209 | "region": { 1210 | "startLine": 3, 1211 | "endLine": 3, 1212 | "startColumn": 1, 1213 | "endColumn": 40 1214 | } 1215 | } 1216 | } 1217 | } 1218 | ] 1219 | } 1220 | ] 1221 | } 1222 | ], 1223 | "properties": { 1224 | "priorityScore": 555, 1225 | "priorityScoreFactors": [ 1226 | { 1227 | "label": true, 1228 | "type": "multipleOccurrence" 1229 | }, 1230 | { 1231 | "label": true, 1232 | "type": "hotFileSource" 1233 | }, 1234 | { 1235 | "label": true, 1236 | "type": "fixExamples" 1237 | } 1238 | ] 1239 | } 1240 | }, 1241 | { 1242 | "ruleId": "php/TooPermissiveCorsHeader", 1243 | "ruleIndex": 6, 1244 | "level": "warning", 1245 | "message": { 1246 | "text": "Setting Access-Control-Allow-Origin header to \"*\" in header might be too permissive. This allows malicious code on other domains to communicate with the application, which is a security risk", 1247 | "markdown": "Setting {0} to {1} in {2} might be too permissive. 
This allows malicious code on other domains to communicate with the application, which is a security risk", 1248 | "arguments": [ 1249 | "[Access-Control-Allow-Origin header](0)", 1250 | "[\"*\"](1)", 1251 | "[header](2)" 1252 | ] 1253 | }, 1254 | "locations": [ 1255 | { 1256 | "physicalLocation": { 1257 | "artifactLocation": { 1258 | "uri": "Public/dataProcessing.php", 1259 | "uriBaseId": "%SRCROOT%" 1260 | }, 1261 | "region": { 1262 | "startLine": 3, 1263 | "endLine": 3, 1264 | "startColumn": 1, 1265 | "endColumn": 40 1266 | } 1267 | } 1268 | } 1269 | ], 1270 | "fingerprints": { 1271 | "0": "9363e1d27910dbadd77a6fe8ac1863ec80b7e0f941e879cccc2fb3a504996a2c", 1272 | "1": "ac863540.464a7316.5f4727d6.ae562fb3.975941ba.7e8b3801.42ed9a30.43dfb0a5.ac863540.464a7316.c3dea7ce.ae562fb3.975941ba.7e8b3801.a7efae7e.43dfb0a5" 1273 | }, 1274 | "codeFlows": [ 1275 | { 1276 | "threadFlows": [ 1277 | { 1278 | "locations": [ 1279 | { 1280 | "location": { 1281 | "id": 0, 1282 | "physicalLocation": { 1283 | "artifactLocation": { 1284 | "uri": "Public/dataProcessing.php", 1285 | "uriBaseId": "%SRCROOT%" 1286 | }, 1287 | "region": { 1288 | "startLine": 3, 1289 | "endLine": 3, 1290 | "startColumn": 1, 1291 | "endColumn": 40 1292 | } 1293 | } 1294 | } 1295 | }, 1296 | { 1297 | "location": { 1298 | "id": 1, 1299 | "physicalLocation": { 1300 | "artifactLocation": { 1301 | "uri": "Public/dataProcessing.php", 1302 | "uriBaseId": "%SRCROOT%" 1303 | }, 1304 | "region": { 1305 | "startLine": 3, 1306 | "endLine": 3, 1307 | "startColumn": 1, 1308 | "endColumn": 40 1309 | } 1310 | } 1311 | } 1312 | }, 1313 | { 1314 | "location": { 1315 | "id": 2, 1316 | "physicalLocation": { 1317 | "artifactLocation": { 1318 | "uri": "Public/dataProcessing.php", 1319 | "uriBaseId": "%SRCROOT%" 1320 | }, 1321 | "region": { 1322 | "startLine": 3, 1323 | "endLine": 3, 1324 | "startColumn": 1, 1325 | "endColumn": 40 1326 | } 1327 | } 1328 | } 1329 | } 1330 | ] 1331 | } 1332 | ] 1333 | } 1334 | ], 1335 | "properties": 
{ 1336 | "priorityScore": 555, 1337 | "priorityScoreFactors": [ 1338 | { 1339 | "label": true, 1340 | "type": "multipleOccurrence" 1341 | }, 1342 | { 1343 | "label": true, 1344 | "type": "hotFileSource" 1345 | }, 1346 | { 1347 | "label": true, 1348 | "type": "fixExamples" 1349 | } 1350 | ] 1351 | } 1352 | }, 1353 | { 1354 | "ruleId": "php/XSS", 1355 | "ruleIndex": 9, 1356 | "level": "error", 1357 | "message": { 1358 | "text": "Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1359 | "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1360 | "arguments": [ 1361 | "[an HTTP parameter](0)", 1362 | "[flows](1),(2),(3),(4)", 1363 | "[the echo statement](5)" 1364 | ] 1365 | }, 1366 | "locations": [ 1367 | { 1368 | "physicalLocation": { 1369 | "artifactLocation": { 1370 | "uri": "Public/dataProcessing.php", 1371 | "uriBaseId": "%SRCROOT%" 1372 | }, 1373 | "region": { 1374 | "startLine": 7, 1375 | "endLine": 7, 1376 | "startColumn": 5, 1377 | "endColumn": 128 1378 | } 1379 | } 1380 | } 1381 | ], 1382 | "fingerprints": { 1383 | "0": "6d7887a143bb841936e299a9423e484f6bdf1b15113b847ea825b202faf9f4a2", 1384 | "1": "4dc0a121.18ef32d2.c3dea7ce.1f144feb.b76b24a1.5f7acf51.a7efae7e.90b5ecc0.41cc2907.18ef32d2.3e2efea6.1f144feb.894c4921.e8bbe0f7.84054387.05d353bf" 1385 | }, 1386 | "codeFlows": [ 1387 | { 1388 | "threadFlows": [ 1389 | { 1390 | "locations": [ 1391 | { 1392 | "location": { 1393 | "id": 0, 1394 | "physicalLocation": { 1395 | "artifactLocation": { 1396 | "uri": "Public/dataProcessing.php", 1397 | "uriBaseId": "%SRCROOT%" 1398 | }, 1399 | "region": { 1400 | "startLine": 7, 1401 | "endLine": 7, 1402 | "startColumn": 109, 1403 | "endColumn": 120 1404 | } 1405 | } 1406 | } 1407 | }, 1408 | { 1409 | "location": { 
1410 | "id": 1, 1411 | "physicalLocation": { 1412 | "artifactLocation": { 1413 | "uri": "Public/dataProcessing.php", 1414 | "uriBaseId": "%SRCROOT%" 1415 | }, 1416 | "region": { 1417 | "startLine": 7, 1418 | "endLine": 7, 1419 | "startColumn": 109, 1420 | "endColumn": 120 1421 | } 1422 | } 1423 | } 1424 | }, 1425 | { 1426 | "location": { 1427 | "id": 2, 1428 | "physicalLocation": { 1429 | "artifactLocation": { 1430 | "uri": "Public/dataProcessing.php", 1431 | "uriBaseId": "%SRCROOT%" 1432 | }, 1433 | "region": { 1434 | "startLine": 7, 1435 | "endLine": 7, 1436 | "startColumn": 10, 1437 | "endColumn": 120 1438 | } 1439 | } 1440 | } 1441 | }, 1442 | { 1443 | "location": { 1444 | "id": 3, 1445 | "physicalLocation": { 1446 | "artifactLocation": { 1447 | "uri": "Public/dataProcessing.php", 1448 | "uriBaseId": "%SRCROOT%" 1449 | }, 1450 | "region": { 1451 | "startLine": 7, 1452 | "endLine": 7, 1453 | "startColumn": 10, 1454 | "endColumn": 127 1455 | } 1456 | } 1457 | } 1458 | }, 1459 | { 1460 | "location": { 1461 | "id": 4, 1462 | "physicalLocation": { 1463 | "artifactLocation": { 1464 | "uri": "Public/dataProcessing.php", 1465 | "uriBaseId": "%SRCROOT%" 1466 | }, 1467 | "region": { 1468 | "startLine": 7, 1469 | "endLine": 7, 1470 | "startColumn": 5, 1471 | "endColumn": 128 1472 | } 1473 | } 1474 | } 1475 | }, 1476 | { 1477 | "location": { 1478 | "id": 5, 1479 | "physicalLocation": { 1480 | "artifactLocation": { 1481 | "uri": "Public/dataProcessing.php", 1482 | "uriBaseId": "%SRCROOT%" 1483 | }, 1484 | "region": { 1485 | "startLine": 7, 1486 | "endLine": 7, 1487 | "startColumn": 5, 1488 | "endColumn": 128 1489 | } 1490 | } 1491 | } 1492 | } 1493 | ] 1494 | } 1495 | ] 1496 | } 1497 | ], 1498 | "properties": { 1499 | "priorityScore": 809, 1500 | "priorityScoreFactors": [ 1501 | { 1502 | "label": true, 1503 | "type": "multipleOccurrence" 1504 | }, 1505 | { 1506 | "label": true, 1507 | "type": "hotFileSource" 1508 | }, 1509 | { 1510 | "label": true, 1511 | "type": 
"fixExamples" 1512 | } 1513 | ] 1514 | } 1515 | }, 1516 | { 1517 | "ruleId": "php/XSS", 1518 | "ruleIndex": 9, 1519 | "level": "error", 1520 | "message": { 1521 | "text": "Unsanitized input from an HTTP parameter flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1522 | "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1523 | "arguments": [ 1524 | "[an HTTP parameter](0)", 1525 | "[flows](1),(2),(3),(4),(5)", 1526 | "[the echo statement](6)" 1527 | ] 1528 | }, 1529 | "locations": [ 1530 | { 1531 | "physicalLocation": { 1532 | "artifactLocation": { 1533 | "uri": "Public/dataProcessing.php", 1534 | "uriBaseId": "%SRCROOT%" 1535 | }, 1536 | "region": { 1537 | "startLine": 28, 1538 | "endLine": 28, 1539 | "startColumn": 5, 1540 | "endColumn": 62 1541 | } 1542 | } 1543 | } 1544 | ], 1545 | "fingerprints": { 1546 | "0": "c6512659e3565383aa5e4e0815482db37f5bbb1759a95def68ff9db547b07461", 1547 | "1": "41cc2907.b87f6f01.c3dea7ce.1f144feb.caa16d4a.e8bbe0f7.a7efae7e.05d353bf.41cc2907.464a7316.d7c06288.1f144feb.894c4921.e8bbe0f7.a7efae7e.be170d97" 1548 | }, 1549 | "codeFlows": [ 1550 | { 1551 | "threadFlows": [ 1552 | { 1553 | "locations": [ 1554 | { 1555 | "location": { 1556 | "id": 0, 1557 | "physicalLocation": { 1558 | "artifactLocation": { 1559 | "uri": "Public/dataProcessing.php", 1560 | "uriBaseId": "%SRCROOT%" 1561 | }, 1562 | "region": { 1563 | "startLine": 28, 1564 | "endLine": 28, 1565 | "startColumn": 41, 1566 | "endColumn": 53 1567 | } 1568 | } 1569 | } 1570 | }, 1571 | { 1572 | "location": { 1573 | "id": 1, 1574 | "physicalLocation": { 1575 | "artifactLocation": { 1576 | "uri": "Public/dataProcessing.php", 1577 | "uriBaseId": "%SRCROOT%" 1578 | }, 1579 | "region": { 1580 | "startLine": 28, 1581 | "endLine": 28, 1582 | "startColumn": 41, 1583 | 
"endColumn": 53 1584 | } 1585 | } 1586 | } 1587 | }, 1588 | { 1589 | "location": { 1590 | "id": 2, 1591 | "physicalLocation": { 1592 | "artifactLocation": { 1593 | "uri": "Public/dataProcessing.php", 1594 | "uriBaseId": "%SRCROOT%" 1595 | }, 1596 | "region": { 1597 | "startLine": 28, 1598 | "endLine": 28, 1599 | "startColumn": 29, 1600 | "endColumn": 54 1601 | } 1602 | } 1603 | } 1604 | }, 1605 | { 1606 | "location": { 1607 | "id": 3, 1608 | "physicalLocation": { 1609 | "artifactLocation": { 1610 | "uri": "Public/dataProcessing.php", 1611 | "uriBaseId": "%SRCROOT%" 1612 | }, 1613 | "region": { 1614 | "startLine": 28, 1615 | "endLine": 28, 1616 | "startColumn": 10, 1617 | "endColumn": 54 1618 | } 1619 | } 1620 | } 1621 | }, 1622 | { 1623 | "location": { 1624 | "id": 4, 1625 | "physicalLocation": { 1626 | "artifactLocation": { 1627 | "uri": "Public/dataProcessing.php", 1628 | "uriBaseId": "%SRCROOT%" 1629 | }, 1630 | "region": { 1631 | "startLine": 28, 1632 | "endLine": 28, 1633 | "startColumn": 10, 1634 | "endColumn": 61 1635 | } 1636 | } 1637 | } 1638 | }, 1639 | { 1640 | "location": { 1641 | "id": 5, 1642 | "physicalLocation": { 1643 | "artifactLocation": { 1644 | "uri": "Public/dataProcessing.php", 1645 | "uriBaseId": "%SRCROOT%" 1646 | }, 1647 | "region": { 1648 | "startLine": 28, 1649 | "endLine": 28, 1650 | "startColumn": 5, 1651 | "endColumn": 62 1652 | } 1653 | } 1654 | } 1655 | }, 1656 | { 1657 | "location": { 1658 | "id": 6, 1659 | "physicalLocation": { 1660 | "artifactLocation": { 1661 | "uri": "Public/dataProcessing.php", 1662 | "uriBaseId": "%SRCROOT%" 1663 | }, 1664 | "region": { 1665 | "startLine": 28, 1666 | "endLine": 28, 1667 | "startColumn": 5, 1668 | "endColumn": 62 1669 | } 1670 | } 1671 | } 1672 | } 1673 | ] 1674 | } 1675 | ] 1676 | } 1677 | ], 1678 | "properties": { 1679 | "priorityScore": 809, 1680 | "priorityScoreFactors": [ 1681 | { 1682 | "label": true, 1683 | "type": "multipleOccurrence" 1684 | }, 1685 | { 1686 | "label": true, 1687 | 
"type": "hotFileSource" 1688 | }, 1689 | { 1690 | "label": true, 1691 | "type": "fixExamples" 1692 | } 1693 | ] 1694 | } 1695 | }, 1696 | { 1697 | "ruleId": "php/XSS", 1698 | "ruleIndex": 9, 1699 | "level": "error", 1700 | "message": { 1701 | "text": "Unsanitized input from data from a remote resource flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1702 | "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1703 | "arguments": [ 1704 | "[data from a remote resource](0)", 1705 | "[flows](1),(2),(3),(4),(5),(6)", 1706 | "[the echo statement](7)" 1707 | ] 1708 | }, 1709 | "locations": [ 1710 | { 1711 | "physicalLocation": { 1712 | "artifactLocation": { 1713 | "uri": "Modules/functions.php", 1714 | "uriBaseId": "%SRCROOT%" 1715 | }, 1716 | "region": { 1717 | "startLine": 31, 1718 | "endLine": 31, 1719 | "startColumn": 5, 1720 | "endColumn": 38 1721 | } 1722 | } 1723 | } 1724 | ], 1725 | "fingerprints": { 1726 | "0": "f2de60990abaacebbe831dbec854774e653603020e709cba3f8abbab304045d9", 1727 | "1": "2c80a54c.18ef32d2.2683ade8.1f144feb.b76b24a1.7dac33c0.60b22c1d.8fbce61d.86be1e70.464a7316.c3dea7ce.abd479c7.c7a41f28.c62804f2.60b22c1d.be170d97" 1728 | }, 1729 | "codeFlows": [ 1730 | { 1731 | "threadFlows": [ 1732 | { 1733 | "locations": [ 1734 | { 1735 | "location": { 1736 | "id": 0, 1737 | "physicalLocation": { 1738 | "artifactLocation": { 1739 | "uri": "Modules/functions.php", 1740 | "uriBaseId": "%SRCROOT%" 1741 | }, 1742 | "region": { 1743 | "startLine": 30, 1744 | "endLine": 30, 1745 | "startColumn": 27, 1746 | "endColumn": 62 1747 | } 1748 | } 1749 | } 1750 | }, 1751 | { 1752 | "location": { 1753 | "id": 1, 1754 | "physicalLocation": { 1755 | "artifactLocation": { 1756 | "uri": "Modules/functions.php", 1757 | "uriBaseId": "%SRCROOT%" 1758 | }, 1759 | 
"region": { 1760 | "startLine": 30, 1761 | "endLine": 30, 1762 | "startColumn": 27, 1763 | "endColumn": 62 1764 | } 1765 | } 1766 | } 1767 | }, 1768 | { 1769 | "location": { 1770 | "id": 2, 1771 | "physicalLocation": { 1772 | "artifactLocation": { 1773 | "uri": "Modules/functions.php", 1774 | "uriBaseId": "%SRCROOT%" 1775 | }, 1776 | "region": { 1777 | "startLine": 30, 1778 | "endLine": 30, 1779 | "startColumn": 15, 1780 | "endColumn": 69 1781 | } 1782 | } 1783 | } 1784 | }, 1785 | { 1786 | "location": { 1787 | "id": 3, 1788 | "physicalLocation": { 1789 | "artifactLocation": { 1790 | "uri": "Modules/functions.php", 1791 | "uriBaseId": "%SRCROOT%" 1792 | }, 1793 | "region": { 1794 | "startLine": 30, 1795 | "endLine": 30, 1796 | "startColumn": 5, 1797 | "endColumn": 11 1798 | } 1799 | } 1800 | } 1801 | }, 1802 | { 1803 | "location": { 1804 | "id": 4, 1805 | "physicalLocation": { 1806 | "artifactLocation": { 1807 | "uri": "Modules/functions.php", 1808 | "uriBaseId": "%SRCROOT%" 1809 | }, 1810 | "region": { 1811 | "startLine": 31, 1812 | "endLine": 31, 1813 | "startColumn": 10, 1814 | "endColumn": 16 1815 | } 1816 | } 1817 | } 1818 | }, 1819 | { 1820 | "location": { 1821 | "id": 5, 1822 | "physicalLocation": { 1823 | "artifactLocation": { 1824 | "uri": "Modules/functions.php", 1825 | "uriBaseId": "%SRCROOT%" 1826 | }, 1827 | "region": { 1828 | "startLine": 31, 1829 | "endLine": 31, 1830 | "startColumn": 10, 1831 | "endColumn": 37 1832 | } 1833 | } 1834 | } 1835 | }, 1836 | { 1837 | "location": { 1838 | "id": 6, 1839 | "physicalLocation": { 1840 | "artifactLocation": { 1841 | "uri": "Modules/functions.php", 1842 | "uriBaseId": "%SRCROOT%" 1843 | }, 1844 | "region": { 1845 | "startLine": 31, 1846 | "endLine": 31, 1847 | "startColumn": 5, 1848 | "endColumn": 38 1849 | } 1850 | } 1851 | } 1852 | }, 1853 | { 1854 | "location": { 1855 | "id": 7, 1856 | "physicalLocation": { 1857 | "artifactLocation": { 1858 | "uri": "Modules/functions.php", 1859 | "uriBaseId": "%SRCROOT%" 
1860 | }, 1861 | "region": { 1862 | "startLine": 31, 1863 | "endLine": 31, 1864 | "startColumn": 5, 1865 | "endColumn": 38 1866 | } 1867 | } 1868 | } 1869 | } 1870 | ] 1871 | } 1872 | ] 1873 | } 1874 | ], 1875 | "properties": { 1876 | "priorityScore": 809, 1877 | "priorityScoreFactors": [ 1878 | { 1879 | "label": true, 1880 | "type": "multipleOccurrence" 1881 | }, 1882 | { 1883 | "label": true, 1884 | "type": "hotFileSource" 1885 | }, 1886 | { 1887 | "label": true, 1888 | "type": "fixExamples" 1889 | } 1890 | ] 1891 | } 1892 | }, 1893 | { 1894 | "ruleId": "php/XSS", 1895 | "ruleIndex": 9, 1896 | "level": "error", 1897 | "message": { 1898 | "text": "Unsanitized input from data from a remote resource flows into the echo statement, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1899 | "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", 1900 | "arguments": [ 1901 | "[data from a remote resource](0)", 1902 | "[flows](1),(2),(3),(4),(5),(6),(7),(8)", 1903 | "[the echo statement](9)" 1904 | ] 1905 | }, 1906 | "locations": [ 1907 | { 1908 | "physicalLocation": { 1909 | "artifactLocation": { 1910 | "uri": "Public/dataProcessing.php", 1911 | "uriBaseId": "%SRCROOT%" 1912 | }, 1913 | "region": { 1914 | "startLine": 26, 1915 | "endLine": 26, 1916 | "startColumn": 5, 1917 | "endColumn": 64 1918 | } 1919 | } 1920 | } 1921 | ], 1922 | "fingerprints": { 1923 | "0": "6442d3eb793de560906527e0ef297b203cbab9d28ea6b4cd4259ac58183a56b9", 1924 | "1": "41cc2907.18ef32d2.2683ade8.1f144feb.caa16d4a.e8bbe0f7.445c8611.05d353bf.86be1e70.464a7316.2173882d.abd479c7.c7a41f28.e8bbe0f7.2174662d.be170d97" 1925 | }, 1926 | "codeFlows": [ 1927 | { 1928 | "threadFlows": [ 1929 | { 1930 | "locations": [ 1931 | { 1932 | "location": { 1933 | "id": 0, 1934 | "physicalLocation": { 1935 | "artifactLocation": { 1936 | 
"uri": "Public/dataProcessing.php", 1937 | "uriBaseId": "%SRCROOT%" 1938 | }, 1939 | "region": { 1940 | "startLine": 25, 1941 | "endLine": 25, 1942 | "startColumn": 34, 1943 | "endColumn": 69 1944 | } 1945 | } 1946 | } 1947 | }, 1948 | { 1949 | "location": { 1950 | "id": 1, 1951 | "physicalLocation": { 1952 | "artifactLocation": { 1953 | "uri": "Public/dataProcessing.php", 1954 | "uriBaseId": "%SRCROOT%" 1955 | }, 1956 | "region": { 1957 | "startLine": 25, 1958 | "endLine": 25, 1959 | "startColumn": 34, 1960 | "endColumn": 69 1961 | } 1962 | } 1963 | } 1964 | }, 1965 | { 1966 | "location": { 1967 | "id": 2, 1968 | "physicalLocation": { 1969 | "artifactLocation": { 1970 | "uri": "Public/dataProcessing.php", 1971 | "uriBaseId": "%SRCROOT%" 1972 | }, 1973 | "region": { 1974 | "startLine": 25, 1975 | "endLine": 25, 1976 | "startColumn": 22, 1977 | "endColumn": 76 1978 | } 1979 | } 1980 | } 1981 | }, 1982 | { 1983 | "location": { 1984 | "id": 3, 1985 | "physicalLocation": { 1986 | "artifactLocation": { 1987 | "uri": "Public/dataProcessing.php", 1988 | "uriBaseId": "%SRCROOT%" 1989 | }, 1990 | "region": { 1991 | "startLine": 25, 1992 | "endLine": 25, 1993 | "startColumn": 5, 1994 | "endColumn": 18 1995 | } 1996 | } 1997 | } 1998 | }, 1999 | { 2000 | "location": { 2001 | "id": 4, 2002 | "physicalLocation": { 2003 | "artifactLocation": { 2004 | "uri": "Public/dataProcessing.php", 2005 | "uriBaseId": "%SRCROOT%" 2006 | }, 2007 | "region": { 2008 | "startLine": 26, 2009 | "endLine": 26, 2010 | "startColumn": 29, 2011 | "endColumn": 42 2012 | } 2013 | } 2014 | } 2015 | }, 2016 | { 2017 | "location": { 2018 | "id": 5, 2019 | "physicalLocation": { 2020 | "artifactLocation": { 2021 | "uri": "Public/dataProcessing.php", 2022 | "uriBaseId": "%SRCROOT%" 2023 | }, 2024 | "region": { 2025 | "startLine": 26, 2026 | "endLine": 26, 2027 | "startColumn": 29, 2028 | "endColumn": 56 2029 | } 2030 | } 2031 | } 2032 | }, 2033 | { 2034 | "location": { 2035 | "id": 6, 2036 | 
"physicalLocation": { 2037 | "artifactLocation": { 2038 | "uri": "Public/dataProcessing.php", 2039 | "uriBaseId": "%SRCROOT%" 2040 | }, 2041 | "region": { 2042 | "startLine": 26, 2043 | "endLine": 26, 2044 | "startColumn": 10, 2045 | "endColumn": 56 2046 | } 2047 | } 2048 | } 2049 | }, 2050 | { 2051 | "location": { 2052 | "id": 7, 2053 | "physicalLocation": { 2054 | "artifactLocation": { 2055 | "uri": "Public/dataProcessing.php", 2056 | "uriBaseId": "%SRCROOT%" 2057 | }, 2058 | "region": { 2059 | "startLine": 26, 2060 | "endLine": 26, 2061 | "startColumn": 10, 2062 | "endColumn": 63 2063 | } 2064 | } 2065 | } 2066 | }, 2067 | { 2068 | "location": { 2069 | "id": 8, 2070 | "physicalLocation": { 2071 | "artifactLocation": { 2072 | "uri": "Public/dataProcessing.php", 2073 | "uriBaseId": "%SRCROOT%" 2074 | }, 2075 | "region": { 2076 | "startLine": 26, 2077 | "endLine": 26, 2078 | "startColumn": 5, 2079 | "endColumn": 64 2080 | } 2081 | } 2082 | } 2083 | }, 2084 | { 2085 | "location": { 2086 | "id": 9, 2087 | "physicalLocation": { 2088 | "artifactLocation": { 2089 | "uri": "Public/dataProcessing.php", 2090 | "uriBaseId": "%SRCROOT%" 2091 | }, 2092 | "region": { 2093 | "startLine": 26, 2094 | "endLine": 26, 2095 | "startColumn": 5, 2096 | "endColumn": 64 2097 | } 2098 | } 2099 | } 2100 | } 2101 | ] 2102 | } 2103 | ] 2104 | } 2105 | ], 2106 | "properties": { 2107 | "priorityScore": 809, 2108 | "priorityScoreFactors": [ 2109 | { 2110 | "label": true, 2111 | "type": "multipleOccurrence" 2112 | }, 2113 | { 2114 | "label": true, 2115 | "type": "hotFileSource" 2116 | }, 2117 | { 2118 | "label": true, 2119 | "type": "fixExamples" 2120 | } 2121 | ] 2122 | } 2123 | }, 2124 | { 2125 | "ruleId": "javascript/DOMXSS", 2126 | "ruleIndex": 10, 2127 | "level": "error", 2128 | "message": { 2129 | "text": "Unsanitized input from data from a remote resource flows into innerHTML, where it is used to dynamically construct the HTML page on client side. 
This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).", 2130 | "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).", 2131 | "arguments": [ 2132 | "[data from a remote resource](0)", 2133 | "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11)", 2134 | "[innerHTML](12)" 2135 | ] 2136 | }, 2137 | "locations": [ 2138 | { 2139 | "physicalLocation": { 2140 | "artifactLocation": { 2141 | "uri": "Public/assets/js/formContentUpdate.js", 2142 | "uriBaseId": "%SRCROOT%" 2143 | }, 2144 | "region": { 2145 | "startLine": 16, 2146 | "endLine": 16, 2147 | "startColumn": 9, 2148 | "endColumn": 62 2149 | } 2150 | } 2151 | } 2152 | ], 2153 | "fingerprints": { 2154 | "0": "ce55a5838ef57ff201e4c536c1f045db02f4f3f291dc3f88216ea85f1909dce0", 2155 | "1": "cf7733e4.4773f344.607187b5.a517c54b.9cde7c93.dbe83c7e.0b4f0b50.9b5cefb9.e34a61c9.7d4b7307.aff85a25.313735ce.4111b6ce.dbe83c7e.4d06057c.3406c8c7" 2156 | }, 2157 | "codeFlows": [ 2158 | { 2159 | "threadFlows": [ 2160 | { 2161 | "locations": [ 2162 | { 2163 | "location": { 2164 | "id": 0, 2165 | "physicalLocation": { 2166 | "artifactLocation": { 2167 | "uri": "Public/assets/js/formContentUpdate.js", 2168 | "uriBaseId": "%SRCROOT%" 2169 | }, 2170 | "region": { 2171 | "startLine": 6, 2172 | "endLine": 6, 2173 | "startColumn": 16, 2174 | "endColumn": 70 2175 | } 2176 | } 2177 | } 2178 | }, 2179 | { 2180 | "location": { 2181 | "id": 1, 2182 | "physicalLocation": { 2183 | "artifactLocation": { 2184 | "uri": "Public/assets/js/formContentUpdate.js", 2185 | "uriBaseId": "%SRCROOT%" 2186 | }, 2187 | "region": { 2188 | "startLine": 6, 2189 | "endLine": 6, 2190 | "startColumn": 16, 2191 | "endColumn": 70 2192 | } 2193 | } 2194 | } 2195 | }, 2196 | { 2197 | "location": { 2198 | "id": 2, 2199 | "physicalLocation": { 2200 | "artifactLocation": { 2201 | "uri": 
"Public/assets/js/formContentUpdate.js", 2202 | "uriBaseId": "%SRCROOT%" 2203 | }, 2204 | "region": { 2205 | "startLine": 7, 2206 | "endLine": 7, 2207 | "startColumn": 20, 2208 | "endColumn": 27 2209 | } 2210 | } 2211 | } 2212 | }, 2213 | { 2214 | "location": { 2215 | "id": 3, 2216 | "physicalLocation": { 2217 | "artifactLocation": { 2218 | "uri": "Public/assets/js/formContentUpdate.js", 2219 | "uriBaseId": "%SRCROOT%" 2220 | }, 2221 | "region": { 2222 | "startLine": 7, 2223 | "endLine": 7, 2224 | "startColumn": 33, 2225 | "endColumn": 40 2226 | } 2227 | } 2228 | } 2229 | }, 2230 | { 2231 | "location": { 2232 | "id": 4, 2233 | "physicalLocation": { 2234 | "artifactLocation": { 2235 | "uri": "Public/assets/js/formContentUpdate.js", 2236 | "uriBaseId": "%SRCROOT%" 2237 | }, 2238 | "region": { 2239 | "startLine": 7, 2240 | "endLine": 7, 2241 | "startColumn": 33, 2242 | "endColumn": 45 2243 | } 2244 | } 2245 | } 2246 | }, 2247 | { 2248 | "location": { 2249 | "id": 5, 2250 | "physicalLocation": { 2251 | "artifactLocation": { 2252 | "uri": "Public/assets/js/formContentUpdate.js", 2253 | "uriBaseId": "%SRCROOT%" 2254 | }, 2255 | "region": { 2256 | "startLine": 7, 2257 | "endLine": 7, 2258 | "startColumn": 33, 2259 | "endColumn": 47 2260 | } 2261 | } 2262 | } 2263 | }, 2264 | { 2265 | "location": { 2266 | "id": 6, 2267 | "physicalLocation": { 2268 | "artifactLocation": { 2269 | "uri": "Public/assets/js/formContentUpdate.js", 2270 | "uriBaseId": "%SRCROOT%" 2271 | }, 2272 | "region": { 2273 | "startLine": 8, 2274 | "endLine": 8, 2275 | "startColumn": 20, 2276 | "endColumn": 31 2277 | } 2278 | } 2279 | } 2280 | }, 2281 | { 2282 | "location": { 2283 | "id": 7, 2284 | "physicalLocation": { 2285 | "artifactLocation": { 2286 | "uri": "Public/assets/js/formContentUpdate.js", 2287 | "uriBaseId": "%SRCROOT%" 2288 | }, 2289 | "region": { 2290 | "startLine": 9, 2291 | "endLine": 9, 2292 | "startColumn": 24, 2293 | "endColumn": 35 2294 | } 2295 | } 2296 | } 2297 | }, 2298 | { 2299 | 
"location": { 2300 | "id": 8, 2301 | "physicalLocation": { 2302 | "artifactLocation": { 2303 | "uri": "Public/assets/js/formContentUpdate.js", 2304 | "uriBaseId": "%SRCROOT%" 2305 | }, 2306 | "region": { 2307 | "startLine": 12, 2308 | "endLine": 12, 2309 | "startColumn": 5, 2310 | "endColumn": 15 2311 | } 2312 | } 2313 | } 2314 | }, 2315 | { 2316 | "location": { 2317 | "id": 9, 2318 | "physicalLocation": { 2319 | "artifactLocation": { 2320 | "uri": "Public/assets/js/formContentUpdate.js", 2321 | "uriBaseId": "%SRCROOT%" 2322 | }, 2323 | "region": { 2324 | "startLine": 12, 2325 | "endLine": 12, 2326 | "startColumn": 22, 2327 | "endColumn": 25 2328 | } 2329 | } 2330 | } 2331 | }, 2332 | { 2333 | "location": { 2334 | "id": 10, 2335 | "physicalLocation": { 2336 | "artifactLocation": { 2337 | "uri": "Public/assets/js/formContentUpdate.js", 2338 | "uriBaseId": "%SRCROOT%" 2339 | }, 2340 | "region": { 2341 | "startLine": 13, 2342 | "endLine": 13, 2343 | "startColumn": 39, 2344 | "endColumn": 42 2345 | } 2346 | } 2347 | } 2348 | }, 2349 | { 2350 | "location": { 2351 | "id": 11, 2352 | "physicalLocation": { 2353 | "artifactLocation": { 2354 | "uri": "Public/assets/js/formContentUpdate.js", 2355 | "uriBaseId": "%SRCROOT%" 2356 | }, 2357 | "region": { 2358 | "startLine": 16, 2359 | "endLine": 16, 2360 | "startColumn": 54, 2361 | "endColumn": 62 2362 | } 2363 | } 2364 | } 2365 | }, 2366 | { 2367 | "location": { 2368 | "id": 12, 2369 | "physicalLocation": { 2370 | "artifactLocation": { 2371 | "uri": "Public/assets/js/formContentUpdate.js", 2372 | "uriBaseId": "%SRCROOT%" 2373 | }, 2374 | "region": { 2375 | "startLine": 16, 2376 | "endLine": 16, 2377 | "startColumn": 9, 2378 | "endColumn": 62 2379 | } 2380 | } 2381 | } 2382 | } 2383 | ] 2384 | } 2385 | ] 2386 | } 2387 | ], 2388 | "properties": { 2389 | "priorityScore": 905, 2390 | "priorityScoreFactors": [ 2391 | { 2392 | "label": true, 2393 | "type": "multipleOccurrence" 2394 | }, 2395 | { 2396 | "label": true, 2397 | "type": 
"hotFileSource" 2398 | }, 2399 | { 2400 | "label": true, 2401 | "type": "fixExamples" 2402 | }, 2403 | { 2404 | "label": true, 2405 | "type": "commonlyFixed" 2406 | } 2407 | ] 2408 | } 2409 | }, 2410 | { 2411 | "ruleId": "javascript/DOMXSS", 2412 | "ruleIndex": 10, 2413 | "level": "error", 2414 | "message": { 2415 | "text": "Unsanitized input from data from a remote resource flows into innerHTML, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).", 2416 | "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).", 2417 | "arguments": [ 2418 | "[data from a remote resource](0)", 2419 | "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9)", 2420 | "[innerHTML](10)" 2421 | ] 2422 | }, 2423 | "locations": [ 2424 | { 2425 | "physicalLocation": { 2426 | "artifactLocation": { 2427 | "uri": "Public/assets/js/formContentUpdate.js", 2428 | "uriBaseId": "%SRCROOT%" 2429 | }, 2430 | "region": { 2431 | "startLine": 44, 2432 | "endLine": 44, 2433 | "startColumn": 13, 2434 | "endColumn": 61 2435 | } 2436 | } 2437 | } 2438 | ], 2439 | "fingerprints": { 2440 | "0": "7bc01794a0e1a4d23f87d9a075625c2a7f880457adee8cefa8f17d797fc3c70e", 2441 | "1": "3df95e84.7d4b7307.607187b5.a517c54b.9cde7c93.dbe83c7e.6977003a.aac0d16c.e34a61c9.7d4b7307.aff85a25.313735ce.fd1fa73f.dbe83c7e.83265159.3406c8c7" 2442 | }, 2443 | "codeFlows": [ 2444 | { 2445 | "threadFlows": [ 2446 | { 2447 | "locations": [ 2448 | { 2449 | "location": { 2450 | "id": 0, 2451 | "physicalLocation": { 2452 | "artifactLocation": { 2453 | "uri": "Public/assets/js/formContentUpdate.js", 2454 | "uriBaseId": "%SRCROOT%" 2455 | }, 2456 | "region": { 2457 | "startLine": 32, 2458 | "endLine": 32, 2459 | "startColumn": 5, 2460 | "endColumn": 53 2461 | } 2462 | } 2463 | } 2464 | }, 2465 | { 2466 | "location": { 2467 | "id": 
1, 2468 | "physicalLocation": { 2469 | "artifactLocation": { 2470 | "uri": "Public/assets/js/formContentUpdate.js", 2471 | "uriBaseId": "%SRCROOT%" 2472 | }, 2473 | "region": { 2474 | "startLine": 32, 2475 | "endLine": 32, 2476 | "startColumn": 5, 2477 | "endColumn": 53 2478 | } 2479 | } 2480 | } 2481 | }, 2482 | { 2483 | "location": { 2484 | "id": 2, 2485 | "physicalLocation": { 2486 | "artifactLocation": { 2487 | "uri": "Public/assets/js/formContentUpdate.js", 2488 | "uriBaseId": "%SRCROOT%" 2489 | }, 2490 | "region": { 2491 | "startLine": 32, 2492 | "endLine": 32, 2493 | "startColumn": 60, 2494 | "endColumn": 67 2495 | } 2496 | } 2497 | } 2498 | }, 2499 | { 2500 | "location": { 2501 | "id": 3, 2502 | "physicalLocation": { 2503 | "artifactLocation": { 2504 | "uri": "Public/assets/js/formContentUpdate.js", 2505 | "uriBaseId": "%SRCROOT%" 2506 | }, 2507 | "region": { 2508 | "startLine": 32, 2509 | "endLine": 32, 2510 | "startColumn": 72, 2511 | "endColumn": 79 2512 | } 2513 | } 2514 | } 2515 | }, 2516 | { 2517 | "location": { 2518 | "id": 4, 2519 | "physicalLocation": { 2520 | "artifactLocation": { 2521 | "uri": "Public/assets/js/formContentUpdate.js", 2522 | "uriBaseId": "%SRCROOT%" 2523 | }, 2524 | "region": { 2525 | "startLine": 32, 2526 | "endLine": 32, 2527 | "startColumn": 72, 2528 | "endColumn": 84 2529 | } 2530 | } 2531 | } 2532 | }, 2533 | { 2534 | "location": { 2535 | "id": 5, 2536 | "physicalLocation": { 2537 | "artifactLocation": { 2538 | "uri": "Public/assets/js/formContentUpdate.js", 2539 | "uriBaseId": "%SRCROOT%" 2540 | }, 2541 | "region": { 2542 | "startLine": 32, 2543 | "endLine": 32, 2544 | "startColumn": 72, 2545 | "endColumn": 86 2546 | } 2547 | } 2548 | } 2549 | }, 2550 | { 2551 | "location": { 2552 | "id": 6, 2553 | "physicalLocation": { 2554 | "artifactLocation": { 2555 | "uri": "Public/assets/js/formContentUpdate.js", 2556 | "uriBaseId": "%SRCROOT%" 2557 | }, 2558 | "region": { 2559 | "startLine": 32, 2560 | "endLine": 32, 2561 | 
"startColumn": 5, 2562 | "endColumn": 58 2563 | } 2564 | } 2565 | } 2566 | }, 2567 | { 2568 | "location": { 2569 | "id": 7, 2570 | "physicalLocation": { 2571 | "artifactLocation": { 2572 | "uri": "Public/assets/js/formContentUpdate.js", 2573 | "uriBaseId": "%SRCROOT%" 2574 | }, 2575 | "region": { 2576 | "startLine": 32, 2577 | "endLine": 32, 2578 | "startColumn": 94, 2579 | "endColumn": 97 2580 | } 2581 | } 2582 | } 2583 | }, 2584 | { 2585 | "location": { 2586 | "id": 8, 2587 | "physicalLocation": { 2588 | "artifactLocation": { 2589 | "uri": "Public/assets/js/formContentUpdate.js", 2590 | "uriBaseId": "%SRCROOT%" 2591 | }, 2592 | "region": { 2593 | "startLine": 33, 2594 | "endLine": 33, 2595 | "startColumn": 14, 2596 | "endColumn": 17 2597 | } 2598 | } 2599 | } 2600 | }, 2601 | { 2602 | "location": { 2603 | "id": 9, 2604 | "physicalLocation": { 2605 | "artifactLocation": { 2606 | "uri": "Public/assets/js/formContentUpdate.js", 2607 | "uriBaseId": "%SRCROOT%" 2608 | }, 2609 | "region": { 2610 | "startLine": 44, 2611 | "endLine": 44, 2612 | "startColumn": 53, 2613 | "endColumn": 61 2614 | } 2615 | } 2616 | } 2617 | }, 2618 | { 2619 | "location": { 2620 | "id": 10, 2621 | "physicalLocation": { 2622 | "artifactLocation": { 2623 | "uri": "Public/assets/js/formContentUpdate.js", 2624 | "uriBaseId": "%SRCROOT%" 2625 | }, 2626 | "region": { 2627 | "startLine": 44, 2628 | "endLine": 44, 2629 | "startColumn": 13, 2630 | "endColumn": 61 2631 | } 2632 | } 2633 | } 2634 | } 2635 | ] 2636 | } 2637 | ] 2638 | } 2639 | ], 2640 | "properties": { 2641 | "priorityScore": 905, 2642 | "priorityScoreFactors": [ 2643 | { 2644 | "label": true, 2645 | "type": "multipleOccurrence" 2646 | }, 2647 | { 2648 | "label": true, 2649 | "type": "hotFileSource" 2650 | }, 2651 | { 2652 | "label": true, 2653 | "type": "fixExamples" 2654 | }, 2655 | { 2656 | "label": true, 2657 | "type": "commonlyFixed" 2658 | } 2659 | ] 2660 | } 2661 | } 2662 | ], 2663 | "properties": { 2664 | "coverage": [ 2665 | { 
2666 | "files": 11, 2667 | "isSupported": true, 2668 | "lang": "PHP" 2669 | }, 2670 | { 2671 | "files": 4, 2672 | "isSupported": true, 2673 | "lang": "JavaScript" 2674 | } 2675 | ] 2676 | } 2677 | } 2678 | ] 2679 | } 2680 | -------------------------------------------------------------------------------- /.version: -------------------------------------------------------------------------------- 1 | { "BRANCH": "main", "VERSION":"1.1.15" } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 axtonprice, QuickBlaze 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
-------------------------------------------------------------------------------- /Modules/.htaccess: -------------------------------------------------------------------------------- 1 | deny from all -------------------------------------------------------------------------------- /Modules/Database_example.env: -------------------------------------------------------------------------------- 1 | { 2 | "HOSTNAME": "", 3 | "USERNAME": "", 4 | "PASSWORD": "", 5 | "DATABASE": "" 6 | } 7 | -------------------------------------------------------------------------------- /Modules/functions.php: -------------------------------------------------------------------------------- 1 | $latestVersion["BRANCH"], "VERSION" => $latestVersion["VERSION"], "LANGUAGE" => "auto"))); 39 | } 40 | $thisVersion = json_decode(file_get_contents("./.version", true), true); 41 | /* Tail of the version/update check (its opening is above this point). The published .version is fetched from GitHub on every call; if that fetch fails, $latestVersion is null and the comparisons below report the installed build as "Unreleased" (dev) or "Outdated" (main). rand() here is only a cache-buster, not a security value. */ $latestVersion = json_decode(file_get_contents("https://raw.githubusercontent.com/arizon-dev/quickblaze-encrypt/" . filter_var(htmlspecialchars($thisVersion["BRANCH"]), FILTER_SANITIZE_FULL_SPECIAL_CHARS) . "/.version?cacheUpdate=" . rand(0, 100), true), true); 42 | if ($thisVersion["BRANCH"] == "dev" && $thisVersion["VERSION"] != $latestVersion["VERSION"]) { 43 | return 'v' . $thisVersion["VERSION"] . ' (' . translate("Unreleased") . '!)'; 44 | } else { 45 | if ($thisVersion["BRANCH"] == "main" && $thisVersion["VERSION"] != $latestVersion["VERSION"]) { 46 | return 'v' . $thisVersion["VERSION"] . ' (' . translate("Outdated") . '!)'; 47 | } else { 48 | return 'v' . $thisVersion["VERSION"] . 
''; 49 | } 50 | } 51 | } 52 | /* Returns a 32-character hex string built from 16 random bytes. This value is the record's lookup token and also its AES key/IV material (see encryptData). The $length parameter is dead: it is overwritten with 16 on the next line, so callers cannot change the size. random_bytes() is the modern equivalent of openssl_random_pseudo_bytes(). */ function generateKey($length) 53 | { 54 | $length = 16; 55 | $bytes = openssl_random_pseudo_bytes($length); 56 | $hex = bin2hex($bytes); 57 | return $hex; 58 | } 59 | 60 | /* Data Conversion Functions */ 61 | /* Encrypts $data with AES-128-CTR. The hex token string is passed as the key and its raw bytes (hex2bin) as the IV, so key and IV are derived from the same 16 random bytes, and that same token is what the record is stored and looked up under (decryptData / getRecord): anyone who can read a stored encryption_token can decrypt that record. The 32-character hex string is longer than AES-128's 16-byte key; PHP's handling of an over-long key should be confirmed rather than relied on. Returns openssl_encrypt's base64 output (options = 0), or false on failure. */ function encryptData($data, $encryption_key) 62 | { 63 | $encryption_iv = hex2bin($encryption_key); 64 | return openssl_encrypt($data, "AES-128-CTR", $encryption_key, 0, $encryption_iv); 65 | } 66 | /* Looks up the stored ciphertext by $encryption_key (the token is the storage key) and decrypts it with the same key/IV derivation as encryptData. getRecord returns false (mysql) or null (filetree) when nothing matches; that value is handed to openssl_decrypt unchecked rather than being tested first. */ function decryptData($encryption_key) 67 | { 68 | $encryption_iv = hex2bin($encryption_key); 69 | return openssl_decrypt(getRecord("encrypted_contents", $encryption_key), "AES-128-CTR", $encryption_key, 0, $encryption_iv); 70 | } 71 | 72 | /* System Setup & Checking Functions */ 73 | /* Request-time bootstrap: creates the storage files, fills in missing config values, and checks/creates the configured storage backend. The three helpers are nested functions, so a second call to initialiseSystem() in the same request would fail with a redeclaration error. */ function initialiseSystem() 74 | { 75 | /* All paths are relative to the current working directory ("./"); presumably that is the web root, in which case the root .htaccess has to keep .config and local-storage/ from being served — TODO confirm, its contents are not shown here. */ function createStorageMethodEndpoints() 76 | { 77 | if (!is_dir("./local-storage/")) mkdir("./local-storage/"); // Create storage folder if not present 78 | if (!file_exists("./local-storage/.cache")) touch("./local-storage/.cache"); // Create cache file if not present 79 | if (!file_exists("./.config")) touch("./.config"); // Create config file if not present 80 | } 81 | /* Reads ./.config and, if any of the four values is empty, rewrites the whole file with defaults. INSTALLATION_PATH is derived from the current request (scheme, SERVER_NAME, port, REQUEST_URI). REQUEST_URI includes the query string, and SERVER_NAME can follow the client-sent Host header depending on server configuration, so the persisted URL reflects whatever the first request looked like — worth validating against an expected host before persisting. */ function checkConfigValues() 82 | { 83 | $configuration = json_decode(file_get_contents("./.config", true), true); 84 | 85 | /* Config File Variables */ 86 | if ($configuration["STORAGE_METHOD"] == "") { 87 | $TEMP_STORAGE_METHOD = "mysql"; // Reset configuration to default value 88 | } else { 89 | $TEMP_STORAGE_METHOD = $configuration["STORAGE_METHOD"]; 90 | } 91 | if ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") { 92 | $TEMP_PATH = (@$_SERVER["HTTPS"] == "on") ? "https://" : "http://"; 93 | $TEMP_PATH .= $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"]; 94 | $TEMP_PATH = rtrim($TEMP_PATH, '/'); // Remove last slash from the new URL 95 | } else { // Webserver is using a custom port! 96 | $TEMP_PATH = (@$_SERVER["HTTPS"] == "on") ? "https://" : "http://"; 97 | $TEMP_PATH .= $_SERVER["SERVER_NAME"] . ":" . 
$_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"]; 98 | $TEMP_PATH = rtrim($TEMP_PATH, '/'); // Remove last slash from the new URL 99 | } 100 | if ($configuration["LANGUAGE"] == "") { 101 | $TEMP_LANGUAGE = "auto"; // Reset configuration to default value 102 | } else { 103 | $TEMP_LANGUAGE = $configuration["LANGUAGE"]; 104 | } 105 | if ($configuration["DEBUG_MODE"] == "") { 106 | $TEMP_DEBUGMODE = "false"; // Reset configuration to default value 107 | } else { 108 | $TEMP_DEBUGMODE = $configuration["DEBUG_MODE"]; 109 | } 110 | 111 | /* Config File If Empty Validation*/ 112 | /* The four branches below write the identical array, so one missing value rewrites the whole file. When INSTALLATION_PATH is the missing value, $TEMP_PATH (the current request URL, query string included) is what gets persisted. */ if ($configuration["STORAGE_METHOD"] == "") { 113 | file_put_contents("./.config", json_encode(array("STORAGE_METHOD" => "$TEMP_STORAGE_METHOD", "LANGUAGE" => "$TEMP_LANGUAGE", "INSTALLATION_PATH" => "$TEMP_PATH", "DEBUG_MODE" => "$TEMP_DEBUGMODE"))); // Set contents of new config file 114 | } 115 | if ($configuration["INSTALLATION_PATH"] == "") { 116 | file_put_contents("./.config", json_encode(array("STORAGE_METHOD" => "$TEMP_STORAGE_METHOD", "LANGUAGE" => "$TEMP_LANGUAGE", "INSTALLATION_PATH" => "$TEMP_PATH", "DEBUG_MODE" => "$TEMP_DEBUGMODE"))); // Set contents of new config file 117 | } 118 | if ($configuration["LANGUAGE"] == "") { 119 | file_put_contents("./.config", json_encode(array("STORAGE_METHOD" => "$TEMP_STORAGE_METHOD", "LANGUAGE" => "$TEMP_LANGUAGE", "INSTALLATION_PATH" => "$TEMP_PATH", "DEBUG_MODE" => "$TEMP_DEBUGMODE"))); // Set contents of new config file 120 | } 121 | if ($configuration["DEBUG_MODE"] == "") { 122 | file_put_contents("./.config", json_encode(array("STORAGE_METHOD" => "$TEMP_STORAGE_METHOD", "LANGUAGE" => "$TEMP_LANGUAGE", "INSTALLATION_PATH" => "$TEMP_PATH", "DEBUG_MODE" => "$TEMP_DEBUGMODE"))); // Set contents of new config file 123 | } 124 | } 125 | /* Verifies the configured backend. mysql: requires ./Modules/Database.env with HOSTNAME and DATABASE set, tests the connection, creates the quickblaze_records table once (tracked by a flag in local-storage/.cache) and re-applies AUTO_INCREMENT on every run. filetree: only creates local-storage/encryptions/. Any other value renders ServerConfiguration.php and exits. The $cache read on the first line below is overwritten before it is used. */ function setupStorageMethod() 126 | { 127 | $cache = json_decode(file_get_contents("./local-storage/.cache", true), true); 128 | $configuration = json_decode(file_get_contents("./.config", true), true); 129 | 130 
| if (strtolower($configuration["STORAGE_METHOD"]) == "mysql") { 131 | if (!file_exists("./Modules/Database.env")) { 132 | touch("./Modules/Database.env"); // Create database configuration file 133 | require "./Public/error_docs/DatabaseConfig.php"; 134 | die(); 135 | } else { 136 | $json = json_decode(file_get_contents("./Modules/Database.env", true), true); 137 | if ($json["DATABASE"] == "" || $json["HOSTNAME"] == "") { 138 | require "./Public/error_docs/DatabaseConfig.php"; 139 | die(); 140 | } else { // Test database connection 141 | $conn = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); 142 | if ($conn->connect_error) { 143 | require "./Public/error_docs/DatabaseCredentials.php"; // throw error page if invalid credentials 144 | die(); 145 | } else { 146 | $cache = json_decode(file_get_contents("./local-storage/.cache"), true); 147 | if ($cache["DO-NOT-TOUCH:database_installation_status"] == "false" || !isset($cache["DO-NOT-TOUCH:database_installation_status"])) { 148 | /* Schema note: encryption_token (which is also the decryption key, see encryptData) is stored in cleartext in the same row as encrypted_contents, so a copy of this table is enough to decrypt every record. Only record_id is indexed although getRecord / destroyRecord filter on encryption_token. */ $tableCreateSQL = "CREATE TABLE IF NOT EXISTS `quickblaze_records` (`record_id` int(11) NOT NULL, `encrypted_contents` longtext NOT NULL, `encryption_token` varchar(128) NOT NULL, `source_ip` varchar(100) NOT NULL, `record_date` timestamp(5) NOT NULL DEFAULT current_timestamp(5)) ENGINE=InnoDB DEFAULT CHARSET=utf8;"; 149 | $addPrimaryKeySQL = "ALTER TABLE `quickblaze_records` ADD PRIMARY KEY (`record_id`);"; 150 | if ($conn->query($tableCreateSQL)) { 151 | if ($conn->query($addPrimaryKeySQL)) { 152 | file_put_contents("./local-storage/.cache", '{"DO-NOT-TOUCH:database_installation_status": "true"}'); 153 | } 154 | } else { 155 | /* Reached when CREATE TABLE fails (a privilege or schema problem), not on bad credentials, despite the page that is rendered. */ require "./Public/error_docs/DatabaseCredentials.php"; // throw error page if invalid credentials 156 | die(); 157 | } 158 | } 159 | // Always reset auto-increment 160 | if (!$conn->query("ALTER TABLE `quickblaze_records` MODIFY `record_id` int(11) NOT NULL AUTO_INCREMENT;")) { 161 | require 
"./Public/error_docs/DatabaseConfig.php"; // throw error page if invalid credentials 162 | die(); 163 | } 164 | } 165 | $conn->close(); 166 | } 167 | } 168 | } else if (strtolower($configuration["STORAGE_METHOD"]) == "filetree") { 169 | /* Records will be written as plain files under ./local-storage/encryptions/; if that directory sits inside the document root, confirm it is not web-readable. */ $baseStorageFolder = "./local-storage"; 170 | if (!is_dir("$baseStorageFolder/")) mkdir("$baseStorageFolder/"); 171 | if (!is_dir("$baseStorageFolder/encryptions/")) mkdir("$baseStorageFolder/encryptions/"); 172 | } else { // Server storage method not set 173 | require "./Public/error_docs/ServerConfiguration.php"; // throw error page if invalid configuration 174 | die(); 175 | } 176 | } 177 | 178 | /* Call Functions */ 179 | createStorageMethodEndpoints(); // Setup files and folders the system will store data. 180 | checkConfigValues(); // Validate if configuration values are correct & present. 181 | setupStorageMethod(); // Setup how the system will store the data via the configured method. 182 | /* End Functions */ 183 | } 184 | 185 | /* Database Interaction Functions */ 186 | /* Persists one record under $encryption_token. Both arguments are interpolated directly into SQL (mysql branch) and into hand-built JSON (filetree branch) with no escaping or prepared statement; callers presumably pass encryptData() output and a generateKey() token, but nothing in this function enforces that. Returns true on a successful mysql insert; the filetree branch returns nothing; failures render an error page or die(). */ function insertRecord($encrypted_contents, $encryption_token) 187 | { 188 | $configuration = json_decode(file_get_contents("./.config", true), true); 189 | $json = json_decode(file_get_contents("./Modules/Database.env", true), true); 190 | /* Reads the header value before the isset() check (notice when absent). CF-Connecting-IP is a request header, trustworthy only when the server accepts traffic exclusively from Cloudflare; otherwise source_ip is client-chosen, subject only to the FILTER_VALIDATE_IP check below. */ if ($_SERVER['HTTP_CF_CONNECTING_IP'] == "" || !isset($_SERVER['HTTP_CF_CONNECTING_IP'])) $_SERVER['HTTP_CF_CONNECTING_IP'] = $_SERVER["REMOTE_ADDR"]; 191 | if (strtolower($configuration["STORAGE_METHOD"]) == "mysql") { 192 | $mysqli = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); 193 | if ($mysqli->connect_errno) { 194 | require "./Public/error_docs/DatabaseCredentials.php"; 195 | die(); 196 | } 197 | /* filter_var returns false, not null, on an invalid address, so ?? never falls back to REMOTE_ADDR; the false value interpolates as an empty string. ?: gives the intended fallback. */ $source_ip = filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP) ?? 
filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP); 198 | $record_date = date("Y-m-d H:i:s"); 199 | /* Values are interpolated into the SQL string unescaped; a prepared statement with bound parameters is the proper control. die($mysqli->error) below also echoes the raw MySQL error text to the client, and $mysqli->close() is unreachable after the return/die. */ if ($mysqli->query("INSERT INTO `quickblaze_records` (`encrypted_contents`, `encryption_token`, `source_ip`, `record_date`) VALUES ('$encrypted_contents', '$encryption_token', '$source_ip', '$record_date');") === TRUE) { 200 | return true; 201 | } else { 202 | die($mysqli->error); 203 | } 204 | $mysqli->close(); 205 | } elseif (strtolower($configuration["STORAGE_METHOD"]) == "filetree") { 206 | $baseStorageFolder = "./local-storage"; 207 | /* uniqid($prefix) returns the prefix followed by the unique id, so the directory name begins with the token itself and a listing of encryptions/ exposes every token. $encryption_token is also used as a path component without validation; callers must guarantee a plain hex token, which nothing here checks. */ $uniqueIdentifier = uniqid($encryption_token); // Assign ID to new storage folder 208 | if (!is_dir("$baseStorageFolder/encryptions/$uniqueIdentifier/")) mkdir("$baseStorageFolder/encryptions/$uniqueIdentifier/"); // Create temporary unique folder with ID 209 | if (!file_exists("$baseStorageFolder/encryptions/$uniqueIdentifier/data.json")) touch("$baseStorageFolder/encryptions/$uniqueIdentifier/data.json"); // Create encryption data file 210 | $source_ip = filter_var($_SERVER['HTTP_CF_CONNECTING_IP'], FILTER_VALIDATE_IP) ?? filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP); 211 | $record_date = date("Y-m-d H:i:s"); 212 | /* JSON assembled by string concatenation instead of json_encode(); any quote or backslash in a value corrupts the file. */ file_put_contents("$baseStorageFolder/encryptions/$uniqueIdentifier/data.json", '{"filestore_id": "' . $uniqueIdentifier . '", "encrypted_contents": "' . $encrypted_contents . '", "encryption_token": "' . $encryption_token . '", "source_ip": "' . $source_ip . '", "record_date": "' . $record_date . 
'"}'); // Set data file encryption data 213 | } else { 214 | require "./Public/error_docs/ServerConfiguration.php"; // throw error page if invalid configuration 215 | die(); 216 | } 217 | } 218 | /* Deletes the record stored under $token. mysql: returns true on success, otherwise die()s with the raw MySQL error; $mysqli->close() is unreachable. filetree: walks every directory under encryptions/, reads its data.json, and removes the first whose encryption_token matches; returns nothing. */ function destroyRecord($token) 219 | { 220 | $configuration = json_decode(file_get_contents("./.config", true), true); 221 | $json = json_decode(file_get_contents("./Modules/Database.env", true), true); 222 | if (strtolower($configuration["STORAGE_METHOD"]) == "mysql") { 223 | $mysqli = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); 224 | if ($mysqli->connect_errno) { 225 | require "./Public/error_docs/DatabaseCredentials.php"; 226 | die(); 227 | } 228 | /* FILTER_SANITIZE_FULL_SPECIAL_CHARS is an HTML encoder, not SQL escaping: it happens to turn quotes into entities, but it also means a token containing such characters no longer equals its stored value. Bind the parameter in a prepared statement instead. */ $token = filter_var($token, FILTER_SANITIZE_FULL_SPECIAL_CHARS); 229 | if ($mysqli->query("DELETE FROM `quickblaze_records` WHERE `encryption_token` = '$token';") === TRUE) { 230 | return true; 231 | } else { 232 | die($mysqli->error); 233 | } 234 | $mysqli->close(); 235 | } elseif (strtolower($configuration["STORAGE_METHOD"]) == "filetree") { 236 | $baseStorageFolder = "./local-storage"; 237 | $dir = new DirectoryIterator("$baseStorageFolder/encryptions/"); 238 | foreach ($dir as $fileinfo) { 239 | if ($fileinfo->isDir() && !$fileinfo->isDot()) { // $fileinfo->getFilename() 240 | $theFile = json_decode(file_get_contents("$baseStorageFolder/encryptions/" . $fileinfo->getFilename() . "/data.json", true), true); 241 | /* Loose == comparison; === (or hash_equals) avoids PHP's numeric-string coercion. rmdir_recursive is declared inside this loop body, so a second matching directory in the same request triggers a "cannot redeclare" fatal error. */ if ($theFile["encryption_token"] == $token) { 242 | function rmdir_recursive($dir) 243 | { 244 | foreach (scandir($dir) as $file) { 245 | if ('.' === $file || '..' === $file) continue; 246 | if (is_dir("$dir/$file")) rmdir_recursive("$dir/$file"); 247 | else unlink("$dir/$file"); 248 | } 249 | rmdir($dir); 250 | } 251 | rmdir_recursive("$baseStorageFolder/encryptions/" . 
$fileinfo->getFilename()); 252 | } 253 | } 254 | } 255 | } else { // Server storage method not set 256 | require "./Public/error_docs/ServerConfiguration.php"; // throw error page if invalid configuration 257 | die(); 258 | } 259 | } 260 | /* Returns column $dataToFetch of the record stored under $encryption_token: the value from the first matching row (mysql) or the first matching data.json (filetree); false when no mysql row matches, null when no filetree entry matches. $dataToFetch is interpolated into the SELECT as an identifier with no validation — decryptData passes a literal, but an allow-list of column names would make the function safe regardless of caller. The token is HTML-sanitised (see destroyRecord) rather than bound. If the query itself fails, $result is false and ->num_rows throws. */ function getRecord($dataToFetch, $encryption_token) 261 | { 262 | $configuration = json_decode(file_get_contents("./.config", true), true); 263 | $json = json_decode(file_get_contents("./Modules/Database.env", true), true); 264 | if (strtolower($configuration["STORAGE_METHOD"]) == "mysql") { 265 | $mysqli = new mysqli($json["HOSTNAME"], $json["USERNAME"], $json["PASSWORD"], $json["DATABASE"]); 266 | if ($mysqli->connect_errno) { 267 | require "./Public/error_docs/DatabaseCredentials.php"; 268 | die(); 269 | } 270 | $encryption_token = filter_var($encryption_token, FILTER_SANITIZE_FULL_SPECIAL_CHARS); 271 | $result = $mysqli->query("SELECT `$dataToFetch` FROM `quickblaze_records` WHERE `encryption_token` = '$encryption_token'"); 272 | if ($result->num_rows > 0) { 273 | while ($row = $result->fetch_assoc()) { 274 | return $row[$dataToFetch]; 275 | } 276 | } else { 277 | return false; 278 | } 279 | $mysqli->close(); 280 | } elseif (strtolower($configuration["STORAGE_METHOD"]) == "filetree") { 281 | $baseStorageFolder = "./local-storage"; 282 | $dir = new DirectoryIterator("$baseStorageFolder/encryptions/"); 283 | foreach ($dir as $fileinfo) { 284 | if ($fileinfo->isDir() && !$fileinfo->isDot()) { // $fileinfo->getFilename() 285 | $theFile = json_decode(file_get_contents("$baseStorageFolder/encryptions/" . $fileinfo->getFilename() . 
"/data.json", true), true); 286 | if ($theFile["encryption_token"] == $encryption_token) { 287 | return $theFile[$dataToFetch]; 288 | } 289 | } 290 | } 291 | } else { // Server storage method not set 292 | require "./Public/error_docs/ServerConfiguration.php"; // throw error page if invalid configuration 293 | die(); 294 | } 295 | } 296 | 297 | /* Translation Feature */ 298 | /* Translates the UI string $q from English into the target language by calling Google's translate endpoint on every invocation (the version check above calls it too), so page rendering depends on that external service and every translated UI string is sent to it. $tl comes from the first two bytes of Accept-Language or from .config and is concatenated into the URL without urlencode(). The second argument to file_get_contents() is the boolean use_include_path, so the DOCUMENT_ROOT path passed here only acts as "true" — it is not a cache file. Returns $res[0][0][0], which is null (with warnings) when the request or the decode fails. */ function translate($q) 299 | { 300 | $lang = "en"; // Default language 301 | $configuration = json_decode(file_get_contents("./.config", true), true); 302 | if ($configuration["LANGUAGE"] == "auto") { 303 | $tl = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 2); 304 | } else if ($configuration["LANGUAGE"] != "") { 305 | $tl = $configuration["LANGUAGE"]; 306 | } else { 307 | $tl = "en"; 308 | } 309 | $res = file_get_contents("https://translate.googleapis.com/translate_a/single?client=gtx&ie=UTF-8&oe=UTF-8&dt=bd&dt=ex&dt=ld&dt=md&dt=qca&dt=rw&dt=rm&dt=ss&dt=t&dt=at&sl=" . $lang . "&tl=" . $tl . "&hl=hl&q=" . urlencode($q), $_SERVER['DOCUMENT_ROOT'] . 
"/transes.html"); 310 | $res = json_decode($res); 311 | return $res[0][0][0]; 312 | } 313 | -------------------------------------------------------------------------------- /Public/assets/css/error.css: -------------------------------------------------------------------------------- 1 | @import url("https://fonts.googleapis.com/css?family=Lato"); /* Loads the Lato font from fonts.googleapis.com, so even the error pages make a third-party request; a CSP must allow that origin, or the font should be self-hosted. */ 2 | 3 | * { 4 | position: relative; 5 | margin: 0; 6 | padding: 0; 7 | box-sizing: border-box; 8 | font-family: "Lato", sans-serif; 9 | } 10 | 11 | body { 12 | height: 100vh; 13 | display: flex; 14 | flex-direction: column; 15 | justify-content: center; 16 | align-items: center; 17 | } 18 | 19 | h1 { 20 | margin: 40px 0 20px; 21 | } 22 | 23 | /* Animated padlock drawn from one element and its two pseudo-elements (the shackle is ::before, the hinge ::after). */ .lock { 24 | border-radius: 5px; 25 | width: 55px; 26 | height: 45px; 27 | background-color: #333; 28 | animation: dip 1s; 29 | animation-delay: 1.5s; 30 | } 31 | 32 | .lock::before, 33 | .lock::after { 34 | content: ""; 35 | position: absolute; 36 | border-left: 5px solid #333; 37 | height: 20px; 38 | width: 15px; 39 | left: calc(50% - 12.5px); 40 | } 41 | 42 | .lock::before { 43 | top: -30px; 44 | border: 5px solid #333; 45 | border-bottom-color: transparent; 46 | border-radius: 15px 15px 0 0; 47 | height: 30px; 48 | animation: lock 2s, spin 2s; 49 | } 50 | 51 | .lock::after { 52 | top: -10px; 53 | border-right: 5px solid transparent; 54 | animation: spin 2s; 55 | } 56 | 57 | @keyframes lock { 58 | 0% { 59 | top: -45px; 60 | } 61 | 62 | 65% { 63 | top: -45px; 64 | } 65 | 66 | 100% { 67 | top: -30px; 68 | } 69 | } 70 | 71 | @keyframes spin { 72 | 0% { 73 | transform: scaleX(-1); 74 | left: calc(50% - 30px); 75 | } 76 | 77 | 65% { 78 | transform: scaleX(1); 79 | left: calc(50% - 12.5px); 80 | } 81 | } 82 | 83 | @keyframes dip { 84 | 0% { 85 | transform: translateY(0px); 86 | } 87 | 88 | 50% { 89 | transform: translateY(10px); 90 | } 91 | 92 | 100% { 93 | transform: translateY(0px); 94 | } 95 | } -------------------------------------------------------------------------------- 
/Public/assets/css/style.css: -------------------------------------------------------------------------------- 1 | /* Layout for the main form page. The #snackbar / #snackbarError rules pair with showSnackBar() in buttonCopyURL.js, which adds and later removes the .show class to trigger the fade animation. */ html, 2 | body { 3 | height: 100%; 4 | } 5 | 6 | body { 7 | display: flex; 8 | align-items: center; 9 | padding-top: 40px; 10 | padding-bottom: 40px; 11 | } 12 | 13 | textarea { 14 | width: 300px; 15 | height: 150px; 16 | } 17 | 18 | .submit-button { 19 | width: 35%; 20 | margin-top: 20px; 21 | } 22 | 23 | .main-form { 24 | width: 100%; 25 | max-width: 600px; 26 | padding: 15px; 27 | margin: auto; 28 | } 29 | 30 | .main-form .checkbox { 31 | font-weight: 400; 32 | } 33 | 34 | .main-form .form-icon { 35 | padding-bottom: 15px; 36 | --fa-animation-duration: 3.5s /* Font Awesome animation speed variable; the missing semicolon is legal only because this is the last declaration in the rule. */ 37 | } 38 | 39 | .main-form .form-floating:focus-within { 40 | z-index: 2; 41 | } 42 | 43 | .no-decoration { 44 | text-decoration: none; 45 | } 46 | 47 | /* The snackbar - position it at the bottom and in the middle of the screen */ 48 | #snackbar, 49 | #snackbarError { 50 | visibility: hidden; 51 | /* Hidden by default. Visible on click */ 52 | min-width: 250px; 53 | /* Set a default minimum width */ 54 | margin-left: -125px; 55 | /* Divide value of min-width by 2 */ 56 | background-color: #333; 57 | /* Black background color */ 58 | color: #fff; 59 | /* White text color */ 60 | text-align: center; 61 | /* Centered text */ 62 | border-radius: 2px; 63 | /* Rounded borders */ 64 | padding: 16px; 65 | /* Padding */ 66 | position: fixed; 67 | /* Sit on top of the screen */ 68 | z-index: 1; 69 | /* Add a z-index if needed */ 70 | left: 50%; 71 | /* Center the snackbar */ 72 | bottom: 30px; 73 | /* 30px from the bottom */ 74 | } 75 | 76 | /* Show the snackbar when clicking on a button (class added with JavaScript) */ 77 | #snackbar.show, 78 | #snackbarError.show { 79 | visibility: visible; 80 | /* Show the snackbar */ 81 | /* Add animation: Take 0.5 seconds to fade in and out the snackbar. 
82 | However, delay the fade out process for 2.5 seconds */ 83 | -webkit-animation: fadein 0.5s, fadeout 0.5s 2.5s; 84 | animation: fadein 0.5s, fadeout 0.5s 2.5s; 85 | } 86 | 87 | /* Animations to fade the snackbar in and out */ 88 | @-webkit-keyframes fadein { 89 | from { 90 | bottom: 0; 91 | opacity: 0; 92 | } 93 | 94 | to { 95 | bottom: 30px; 96 | opacity: 1; 97 | } 98 | } 99 | 100 | @keyframes fadein { 101 | from { 102 | bottom: 0; 103 | opacity: 0; 104 | } 105 | 106 | to { 107 | bottom: 30px; 108 | opacity: 1; 109 | } 110 | } 111 | 112 | @-webkit-keyframes fadeout { 113 | from { 114 | bottom: 30px; 115 | opacity: 1; 116 | } 117 | 118 | to { 119 | bottom: 0; 120 | opacity: 0; 121 | } 122 | } 123 | 124 | @keyframes fadeout { 125 | from { 126 | bottom: 30px; 127 | opacity: 1; 128 | } 129 | 130 | to { 131 | bottom: 0; 132 | opacity: 0; 133 | } 134 | } -------------------------------------------------------------------------------- /Public/assets/img/favicon-1000x1000.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arizon-dev/quickblaze-encrypt/0628b76c5aa80a0be86873965ed46cac659abfd1/Public/assets/img/favicon-1000x1000.png -------------------------------------------------------------------------------- /Public/assets/img/favicon-100x100.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arizon-dev/quickblaze-encrypt/0628b76c5aa80a0be86873965ed46cac659abfd1/Public/assets/img/favicon-100x100.png -------------------------------------------------------------------------------- /Public/assets/img/favicon-255x255.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arizon-dev/quickblaze-encrypt/0628b76c5aa80a0be86873965ed46cac659abfd1/Public/assets/img/favicon-255x255.png -------------------------------------------------------------------------------- 
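/Public/assets/img/favicon-500x500.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arizon-dev/quickblaze-encrypt/0628b76c5aa80a0be86873965ed46cac659abfd1/Public/assets/img/favicon-500x500.png -------------------------------------------------------------------------------- /Public/assets/img/favicon-50x50.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arizon-dev/quickblaze-encrypt/0628b76c5aa80a0be86873965ed46cac659abfd1/Public/assets/img/favicon-50x50.png --------------------------------------------------------------------------------
/Public/assets/js/autoConfigurationChecks.js: --------------------------------------------------------------------------------
/**
 * Polls dataProcessing?action=checkConfig every 3 s and sends the browser back to the
 * site root once the server reports the configuration as valid (the string "true").
 *
 * @param {string} pageName - basename of the current page (computed below). The request
 *   does not use it, but it is forwarded on every re-arm so the signature keeps working.
 */
function autoRecheckConfig(pageName) {
    // Re-arm only after the current request has settled. The original called
    // setTimeout(autoRecheckConfig, 3000) right away, which dropped pageName on the
    // next round and let a slow server accumulate overlapping polls.
    const rearm = () => setTimeout(() => autoRecheckConfig(pageName), 3000);
    fetch(`dataProcessing?action=checkConfig`)
        .then(response => response.json())
        .then(data => {
            log(`[RE-CHECK] Server responded with ${data.response}`);
            // the endpoint answers with the string "true"/"false", not a boolean
            if (data.response === "true") {
                window.location.replace("./");
            }
        })
        .then(rearm, error => {
            // a failed poll is logged and retried instead of surfacing as an unhandled rejection
            log(error, 'warn');
            rearm();
        });
}
var path = window.location.pathname;
var page = path.split("/").pop();
autoRecheckConfig(page);
/Public/assets/js/buttonCopyURL.js: --------------------------------------------------------------------------------
/**
 * Copies the text content of `element` to the clipboard through a temporary, selected
 * form field and confirms with the #snackbar notification.
 *
 * @param {string|Element} element - jQuery selector or DOM element whose text is copied.
 */
function copyToClipboard(element) {
    // The original built the scratch field with $('') — an empty jQuery set, so nothing was
    // selected and execCommand('copy') copied whatever happened to be selected on the page
    // (the element markup string was presumably lost when the file was rendered). Create
    // the field explicitly instead.
    let $temp = $(document.createElement('input'));
    $('body').append($temp);
    $temp.val($(element).text()).select();
    document.execCommand('copy');
    showSnackBar('snackbar'); // show snackbar notification
    log(`Copied text to clipboard`);
    $temp.remove();
}

/**
 * Shows the snackbar with the given id for 3 s by toggling its 'show' class
 * (styled by the #snackbar.show / #snackbarError.show rules in style.css).
 *
 * @param {string} snackbarId - id of the snackbar element.
 */
function showSnackBar(snackbarId) {
    const displayMs = 3000;
    var element = document.getElementById(`${snackbarId}`);
    if (!element) {
        // originally a TypeError on element.className; a missing element should not crash the caller
        log(`No element with id '${snackbarId}' to show as snackbar`, 'warn');
        return;
    }
    // classList instead of className.replace('', 'show'): replace('') prepends to the existing
    // class string ('foo' -> 'showfoo'), which the .show selector does not match, and
    // replace('show', '') would also clip an unrelated class such as 'showcase'.
    element.classList.add('show');
    log(`Displaying snackbar for ${displayMs}ms`);
    setTimeout(function () { element.classList.remove('show'); }, displayMs);
}
/Public/assets/js/formContentUpdate.js: --------------------------------------------------------------------------------
/**
 * Submits the message in #inputtextbot for encryption, then swaps the input form for the
 * confirmation form and fills #submissiontextbox with the shareable view URL.
 */
function updateFormDisplay() {
    const formvalue = document.getElementById('inputtextbot').value; // Assign variable to the current value of the textbox
    $('#form_input').fadeOut('fast'); // fade out previous content
    log(`No longer showing 'form_input' element`);
    function fetchData() {
        // encodeURIComponent: a message containing '&', '#', '+' or '%' was otherwise truncated or
        // mangled by query-string parsing before it ever reached the encryption step. Note that the
        // plaintext still travels as a GET parameter, which puts it in server access logs and browser
        // history; moving it into a POST body needs a matching change in dataProcessing.php (not visible here).
        return fetch(`dataProcessing?action=submit&data=${encodeURIComponent(formvalue)}`)
            .then((response) => response.json())
            .catch(error => {
                log(error, 'warn');
                return null; // the original resolved with undefined here and then threw on data.response
            });
    }
    fetchData().then(data => {
        if (!data) {
            return; // request failed and was already logged
        }
        log(`Server responsed with '${data.response}'`);
        // Resolve 'view' against the page URL instead of string-appending to window.location,
        // which produced a broken link whenever the current URL carried a query/hash or did
        // not end in '/'. searchParams.set() also URL-encodes the key.
        const viewUrl = new URL('view', window.location.href);
        viewUrl.searchParams.set('key', data.response);
        const box = document.getElementById('submissiontextbox');
        box.value = viewUrl.href; // Set text box to view message URL
        log(`Updated 'submissiontextbox.value'`);
        // textContent, not innerHTML: the URL is server-supplied data and must not be parsed as markup
        box.textContent = viewUrl.href;
        log(`Updated 'submissiontextbox.textContent'`);
    });
    setTimeout(() => {
        $('#form_submission').fadeIn('fast'); // fade in new content
        log(`Now showing 'form_submission' element`);
    }, 200);
}

/**
 * Reads the `key` query parameter, asks the server to decrypt the matching record and shows
 * the plaintext in #valuetextbox; on an unknown/missing key it shows #form_error and
 * redirects to the site root after 2 s.
 */
function updateViewDisplay() {
    $('#form_confirmation').fadeOut('fast'); // fade out previous content
    log(`No longer showing 'form_confirmation' element`);

    let key = new URL(window.location).searchParams.get('key'); // Get key variable from URL; replacing PHP usage
    log(`Got key variable from url -> ${key}`);

    // searchParams.get() yields null when the parameter is absent; the original then sent the
    // literal string "null" to the server. Treat a missing key exactly like an unknown one.
    // encodeURIComponent keeps a key containing reserved characters intact in the query string.
    const lookup = key === null
        ? Promise.resolve({ response: false })
        : fetch(`dataProcessing?action=decrypt&key=${encodeURIComponent(key)}`)
            .then(response => response.json())
            .catch(error => {
                log(error, 'warn');
                return { response: false }; // a failed request takes the "not found" path below
            });

    lookup.then(data => {
        if (!data.response) {
            showSnackBar('snackbarError');
            $('#form_error').fadeIn('fast'); // fade in new content
            log(`Now showing 'form_error' element`);
            log(`Encryption not found; redirecting in 2s`);
            setTimeout(() => {
                window.location.replace('./'); // Redirect to home page
            }, 2000);
        } else {
            const box = document.getElementById('valuetextbox');
            box.value = data.response; // Set text box to decrypted message
            log(`Updated 'valuetextbox.value'`);
            // textContent, not innerHTML: the decrypted message is text chosen by whoever created
            // the link and must never be interpreted as markup when shown to the recipient
            box.textContent = data.response;
            log(`Updated 'valuetextbox.textContent'`);
            setTimeout(() => {
                $('#form_content').fadeIn('fast'); // fade in new content
                log(`Now showing 'form_content' element`);
            }, 200);
            log(`Server responded with '${data.response}'`);
        }
    });
}
/Public/assets/js/globalFunctions.js: --------------------------------------------------------------------------------
// Cached promise for dataProcessing?action=isDebugMode. log() used to issue one request per
// call, so a page with N log lines made N identical requests; the flag is now fetched once per
// page load. `var` (not let/const) so the binding is hoisted and log() never hits a temporal dead zone.
var debugModeFlagPromise = null;

/**
 * Resolves to the raw `response` field of the isDebugMode endpoint ("true" / "false").
 * A failed request resolves to undefined and clears the cache so the next call retries.
 */
function debugModeFlag() {
    if (!debugModeFlagPromise) {
        debugModeFlagPromise = fetch(`dataProcessing?action=isDebugMode`)
            .then(response => response.json())
            .then(data => data.response)
            .catch(error => {
                debugModeFlagPromise = null;
                // console.warn directly: log() itself depends on this promise
                console.warn(`[${moment().format('hh:mm:ss')}] isDebugMode request failed: ${error}`);
                return undefined;
            });
    }
    return debugModeFlagPromise;
}

document.addEventListener('DOMContentLoaded', function () {
    debugModeFlag().then(flag => {
        if (flag === "false") {
            console.log(
                `[${moment().format('hh:mm:ss')}] [Initialisation/DEBUG] Debug mode is disabled!`
            );
        }
    });
    log(`${moment()}`, `Initialisation/DEBUG`);
    log(`Successfully loaded all assets`, `Initialisation/DEBUG`);
}, false);

/** Creates and shows the dark-mode toggle widget; the defaults noted inline are the widget library's. */
function addDarkmodeWidget() {
    const options = {
        time: '0.0s', // default: '0.3s'
        saveInCookies: true, // default: true,
        label: '🌛', // default: ''
    };
    const darkmode = new Darkmode(options);
    darkmode.showWidget();
}
document.addEventListener('DOMContentLoaded', function () {
    addDarkmodeWidget();
    log(`Initialized darkmode widget`, `Initialisation/DEBUG`);
});

/**
 * Console logger gated on the server-side debug flag: nothing is printed unless the
 * isDebugMode endpoint answers "true". Output is asynchronous, so lines may appear out of
 * order relative to direct console.* calls.
 *
 * @param {*} content - message (or error) to print.
 * @param {string|null} type - null -> "[Site Debug/INFO]" prefix; "warn" -> console.warn with
 *   no category; any other string -> used as the category prefix.
 */
function log(content, type = null) {
    debugModeFlag().then(flag => {
        if (flag !== "true") {
            return;
        }
        const stamp = moment().format('hh:mm:ss');
        if (!type) {
            console.log(`[${stamp}] [Site Debug/INFO] ${content}`);
        } else if (type === "warn") {
            console.warn(`[${stamp}] ${content}`);
        } else {
            console.log(`[${stamp}] [${type}] ${content}`);
        }
    });
}
-------------------------------------------------------------------------------- /Public/dataProcessing.php: --------------------------------------------------------------------------------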
    19 | 20 |
    21 |

    22 |

    23 |
    24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /Public/error_docs/404.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | "> 9 | QuickBlaze 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
    20 |

    404

    21 |
    22 |
    23 | 24 |

    25 | GitHub • 26 | Discord • 27 | 28 |

    29 |
    30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /Public/error_docs/500.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | "> 9 | QuickBlaze 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
    20 |

    500

    21 |
    22 |
    23 | 24 |

    25 | GitHub • 26 | Discord • 27 | 28 |

    29 |
    30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /Public/error_docs/DatabaseConfig.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | "> 9 | QuickBlaze 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
    20 |
    21 | 22 |
    23 |
    24 |

    25 |
    26 |
    27 |

    28 | 29 |
    30 |

    31 | GitHub • 32 | Discord • 33 | 34 |

    35 |
    36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /Public/error_docs/DatabaseCredentials.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | "> 9 | QuickBlaze 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
    20 |
    21 | 22 |
    23 |
    24 |

    25 |
    26 |
    27 |

    28 | 29 |
    30 | 31 |

    32 | GitHub • 33 | Discord • 34 | 35 |

    36 |
    37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /Public/error_docs/ServerConfiguration.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | "> 9 | QuickBlaze 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
    20 |
    21 | 22 |
    23 |
    24 |

    25 |
    26 |
    27 |

    28 | 29 |
    30 |

    31 | GitHub • 32 | Discord • 33 | 34 |

    35 |
    36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /Public/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | "> 9 | QuickBlaze 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
    20 | 21 | QuickBlaze Encrypt 22 |

    QuickBlaze

    23 |
    One time view encrypted message sharing system
    24 |

    25 | 26 | 27 |
    28 | 29 |
    30 | 33 |
    34 | 35 | 48 | 49 |

    50 | GitHub • 51 | Discord • 52 | 53 |

    54 | 55 | 56 |
    57 | 58 | 59 |
    60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /Public/view.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | "> 9 | QuickBlaze 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
    20 |
    21 | QuickBlaze Encrypt 22 |

    QuickBlaze

    23 |
    24 |

    25 | 26 | 27 |
    28 |
    29 | 30 |
    31 | 34 |
    35 | 36 | 49 | 50 | 57 | 58 |

    59 | GitHub • 60 | Discord • 61 | 62 |

    63 | 64 |
    65 |
    66 | 67 | 68 |
    69 |
    70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

    QuickBlaze Encryption 👋

    2 | 3 |

    4 | GitHub release (latest by date) 5 | 6 | License: MIT 7 | 8 | 9 | 10 | Discord: axtonprice 11 | 12 |

    13 | 14 | > An extremely simple, one-time view encryption system. Send links anywhere on the internet, and the encrypted message will automatically be destroyed after being viewed once! 15 | 16 | ### ✨ Click to view Demo 17 | 18 | ## Requirements 19 | 20 | - Accessible webserver with PHP support. 21 | - PHP v7 or higher. 22 | - PHP [MBSTRING](http://php.net/manual/en/book.mbstring.php) module for full UTF-8 support. 23 | - PHP [JSON](http://php.net/manual/en/book.json.php) module for JSON manipulation. 24 | 25 | ## Installation 26 | 27 | 1. Download the latest version from the releases page. 28 | 2. Upload and extract the contents to your web server. You can also pull the repo with `git pull`. 29 | 3. Visit your domain installation directory or subdomain https://example.com/quickblaze-encrypt/ 30 | 31 | #### Extra: *If using MYSQL as storage method:* 32 | 36 | 37 | ⚠️ *Don't delete the `.version`, `.config`, or `.cache` files once the installation has completed! They contain necessary version and configuration data; removing them **will** cause issues!* 38 | 39 | ## System Configurations 40 | Example configuration layout of `Modules/Database.env`: 41 | ```json 42 | { 43 | "HOSTNAME": "mysql.example.com", 44 | "USERNAME": "admin", 45 | "PASSWORD": "admin123", 46 | "DATABASE": "quickblaze_db" 47 | } 48 | ``` 49 | Example configuration of `.config`: 50 | ```json 51 | { 52 | "STORAGE_METHOD": "mysql", 53 | "LANGUAGE": "en", 54 | "INSTALLATION_PATH": "https://your-site.dev/quickblaze-encrypt" 55 | } 56 | ``` 57 | ⚠️ *Do not include a trailing slash for the installation path!* 58 | 59 | ## How it Works 60 | 61 | The user enters the message they would like to encrypt. The system then securely encrypts the message and generates and returns an encryption key integrated into a shareable URL. *The key can be used to decrypt the encrypted message.* The system then creates a new record via the chosen storage method, containing the encrypted data and the encryption key. 
As soon as the decryption function is called upon, the encryption record will automatically be deleted. This means the encrypted data is now permanently lost and cannot be viewed or accessed. 62 |

    63 | ⚠️ *Keep your URL safe, it contains the encryption key! Exposing the URL means anybody will be able to view the encrypted message!* 64 | 65 | ## Screenshots 66 | 67 |

    68 | 69 | 70 | 71 |

    72 | 73 | ## Authors and Contributors 74 | 75 | 👤 **axtonprice** - Main Author 76 | 77 | * Discord: https://discord.gg/dP3MuBATGc 78 | * Twitter: [@axtonprice](https://twitter.com/axtonprice) 79 | * Github: [@axtonprice](https://github.com/axtonprice) 80 | 81 | ## Show your support 82 | 83 | If you like this project, give a ⭐️ to support us! 84 | 85 | ## 📝 License 86 | 87 | Copyright © 2022 [axtonprice](https://github.com/axtonprice).
    88 | This project is [MIT](https://github.com/arizon-dev/quickblaze-encrypt/blob/main/LICENSE) licensed. 89 | 90 |
    91 | 92 | 93 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # QuickBlaze Security Policy 2 | 3 | ## Supported Versions 4 | 5 | | Version | Supported | 6 | | ---------- | ----------------- | 7 | | ![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/arizon-dev/quickblaze-encrypt?label=%20&style=flat-square) => | ✅ | 8 | | < GitHub release (latest by date) | ❌ | 9 | 10 | > Versions below the latest release are not supported. We will not be providing support for them, and suggestions, bug reports and other requests will be automatically ignored. 11 | 12 | ## Reports & Submissions 13 | 14 | Please report all security vulnerabilities, bug reports, and suggestions to either the GitHub [issues](https://github.com/arizon-dev/quickblaze-encrypt/issues) page, [discussion](https://github.com/arizon-dev/quickblaze-encrypt/discussions) page, or the community [Discord server](https://discord.gg/dP3MuBATGc). 15 | You can also directly contact the project's lead developer via Discord DMs, in order to manually report bugs & issues or suggestions. 16 | 17 | 👤 **axtonprice** - Lead Developer 18 | 19 | * Discord: `Axton P.#1234` 20 | 21 | Thank you. 
-------------------------------------------------------------------------------- /actions.yml: -------------------------------------------------------------------------------- 1 | - name: Automatic Semver Release 2 | uses: rui-costa/action-automatic-semver-releases@1.1.0 -------------------------------------------------------------------------------- /favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/arizon-dev/quickblaze-encrypt/0628b76c5aa80a0be86873965ed46cac659abfd1/favicon.ico -------------------------------------------------------------------------------- /index.php: -------------------------------------------------------------------------------- 1 |