Twig templates should not have syntax errors 2

  • Critical
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/twig.twig_syntax_error

  $('#config select').change(function() {
  $(this).parent().submit();
  });
  {% if isWriteable is sameas(true) %}

    Unknown "sameas" test. Did you mean "same as"?

    Time to fix: about 15 minutes
    Last edited by Stijn Vrolijk
  $('textarea')
  .blur(function() {
  var self = this;
  $.ajax(updateMessagePath + '?id=' + encodeURIComponent($(this).data('id')), {
  type: 'POST',
  <div class="col-sm-2">
  <a class="jms-translation-anchor" id="{{ id }}" />
  <abbr title="{{ id }}">{{ id|truncate(20) }}</abbr>
  </div>
  <div class="col-sm-5">
  <textarea data-id="{{ id }}" class="form-control"{% if isWriteable is sameas(false) %} readonly="readonly"{% endif %}>{{ message.localeString }}</textarea>

    Unknown "sameas" test. Did you mean "same as"?

    Time to fix: about 15 minutes
    Last edited by Stijn Vrolijk
  </div>
  <div class="col-sm-5">
  {% if message.meaning is not empty %}
  <h6>Meaning</h6>
  <p>{{ message.meaning }}</p>

Website should be protected against XSS Vulnerability 12

  • Critical
  • Security

More information: https://insight.sensiolabs.com/what-we-analyse/twig.xss_vulnerability

  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta name="viewport" content="width=device-width" />
  <style>
  {{ css|raw }}

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Tijs Verkoyen
  </style>
  </head>
  <body>
  <style>
  {{ css|raw }}
  {{ css|raw }}
  </style>
  </head>
  <body>
  <style>
  {{ css|raw }}

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Tijs Verkoyen
  </style>
  <table class="body">
  <tr>
  <td class="center" align="center" valign="top">
  <center>
  <td class="wrapper last">
  <table class="twelve columns">
  <tr>
  <td class="text-pad">
  {% block content %}
  {{ content|raw }}

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Tijs Verkoyen
  {% endblock %}
  </td>
  <td class="expander"></td>
  </tr>
  </table>
  <link rel="stylesheet" href="{{ asset('assets/css/style.css') }}" />
  {% endblock %}
  {% block head_javascripts %}
  <script type="text/javascript">
  var jsData = {{ jsData|raw }};

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by woutersioen
  </script>
  <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js"></script>
  <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js"></script>
  <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/modernizr/2.8.3/modernizr.min.js"></script>
  {% endif %}
  {% set attr = attr|merge({'class': attr.class|default('inline')}) %}
  {% set year_widget = form_widget(form.year, {'attr': {'class': attr.widget_class|default('') ~ 'year',}, 'horizontal_input_wrapper_class': horizontal_input_wrapper_class|default('col-sm-3')}) %}
  {% set month_widget = form_widget(form.month, {'attr': {'class': attr.widget_class|default('') ~ 'month'}, 'horizontal_input_wrapper_class': horizontal_input_wrapper_class|default('col-sm-3')}) %}
  {% set day_widget = form_widget(form.day, {'attr': {'class': attr.widget_class|default('') ~ 'day'}, 'horizontal_input_wrapper_class': horizontal_input_wrapper_class|default('col-sm-3')}) %}
  <div class="col-md-2">{{day_widget|raw}}</div>

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Bjorn
  <span class="pull-left date-separator">{{ devider }}</span>
  <div class="col-md-2">{{month_widget|raw}}</div>
  <span class="pull-left date-separator">{{ devider }}</span>
  <div class="col-md-2">{{year_widget|raw}}</div>
  {% if dont_render_row is not defined or not dont_render_row %}
  {% set year_widget = form_widget(form.year, {'attr': {'class': attr.widget_class|default('') ~ 'year',}, 'horizontal_input_wrapper_class': horizontal_input_wrapper_class|default('col-sm-3')}) %}
  {% set month_widget = form_widget(form.month, {'attr': {'class': attr.widget_class|default('') ~ 'month'}, 'horizontal_input_wrapper_class': horizontal_input_wrapper_class|default('col-sm-3')}) %}
  {% set day_widget = form_widget(form.day, {'attr': {'class': attr.widget_class|default('') ~ 'day'}, 'horizontal_input_wrapper_class': horizontal_input_wrapper_class|default('col-sm-3')}) %}
  <div class="col-md-2">{{day_widget|raw}}</div>
  <span class="pull-left date-separator">{{ devider }}</span>
  <div class="col-md-2">{{month_widget|raw}}</div>

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Bjorn
  <span class="pull-left date-separator">{{ devider }}</span>
  <div class="col-md-2">{{year_widget|raw}}</div>
  {% if dont_render_row is not defined or not dont_render_row %}
  </div>
  {% endif %}
  {% set day_widget = form_widget(form.day, {'attr': {'class': attr.widget_class|default('') ~ 'day'}, 'horizontal_input_wrapper_class': horizontal_input_wrapper_class|default('col-sm-3')}) %}
  <div class="col-md-2">{{day_widget|raw}}</div>
  <span class="pull-left date-separator">{{ devider }}</span>
  <div class="col-md-2">{{month_widget|raw}}</div>
  <span class="pull-left date-separator">{{ devider }}</span>
  <div class="col-md-2">{{year_widget|raw}}</div>

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Bjorn
  {% if dont_render_row is not defined or not dont_render_row %}
  </div>
  {% endif %}
  {% endif %}
  {% endspaceless %}
  <div {% for attrname,attrvalue in widget_form_group_attr %} {{attrname}}="{{attrvalue}}"{% endfor %}>
  {# Add initial prototype form #}
  {% if form.vars.value|length == 0 and prototype is defined %}
  {% for name in prototype_names %}
  {{ prototype_markup|replace({'__name__': name})|raw }}

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by woutersioen
  {% endfor %}
  {% endif %}
  {{ block('form_widget') }}
  </div>
  {% block form_row %}
  {% spaceless %}
  {% if 'tab' in form.vars.block_prefixes %}
  {{ block('form_tab') }}
  {% elseif embed_form is same as(true) %}
  {% if widget_prefix is not empty %}{{ widget_prefix|trans({}, translation_domain)|raw }}{% endif %} {{ form_widget(form, _context) }} {% if widget_suffix is not empty %}{{ widget_suffix|trans({}, translation_domain)|raw }}{% endif %}

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Bruno Vitorino
  {% else %}
  {{ block('widget_form_group_start') }}
  {% if horizontal and not label_render %}
  {% set horizontal_input_wrapper_class = horizontal_input_wrapper_class ~ ' ' ~ horizontal_label_offset_class %}
  {% if horizontal %}
  <div class="{{ horizontal_input_wrapper_class }}">
  {% endif %}
  {% if widget_prefix is not empty %}{{ widget_prefix|trans({}, translation_domain)|raw }}{% endif %} {{ form_widget(form, _context) }} {% if widget_suffix is not empty %}{{ widget_suffix|trans({}, translation_domain)|raw }}{% endif %}

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Bruno Vitorino
  {% set type = type|default('text') %}
  {% if type != 'hidden' %}
  {{ block('form_message') }}
  {% endif %}
  {% if icon|default %}
  {% set iconHtml = '<i class="' ~ icon ~ '"></i> ' %}
  {% else %}
  {% set iconHtml = '' %}
  {% endif %}
  <button type="{{ type|default('button') }}" {{ block('button_attributes') }}>{{ iconHtml|raw }}{{ label|trans({}, translation_domain) }}</button>

    Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks

    Time to fix: about 3 hours
    Last edited by Jelmer Prins
  {%- endblock button_widget %}
  {% block fieldset_row %}
  {% if open_row is defined and open_row %}
  <div class="row">

Twig templates should not contain business logic 10

  • Major
  • Architecture

More information: https://insight.sensiolabs.com/what-we-analyse/twig.template_too_complex

Template too complex, depth of 7 is reached but only 5 is allowed.

Time to fix: about 2 hours
Collective

Template too complex, depth of 136 is reached but only 5 is allowed.

Time to fix: about 2 hours
Collective

Template too complex, depth of 7 is reached but only 5 is allowed.

Time to fix: about 2 hours
Collective

Template too complex, depth of 7 is reached but only 5 is allowed.

Time to fix: about 2 hours
Collective

Template too complex, depth of 6 is reached but only 5 is allowed.

Time to fix: about 2 hours
Collective

Template too complex, depth of 6 is reached but only 5 is allowed.

Time to fix: about 2 hours
Last edited by Tijs Verkoyen

Template too complex, depth of 10 is reached but only 5 is allowed.

Time to fix: about 2 hours
Collective

Template too complex, depth of 8 is reached but only 5 is allowed.

Time to fix: about 2 hours
Last edited by Tijs Verkoyen

Template too complex, depth of 9 is reached but only 5 is allowed.

Time to fix: about 2 hours
Collective

Template too complex, depth of 7 is reached but only 5 is allowed.

Time to fix: about 2 hours
Last edited by Jonas De Keukelaere

Absolute path constants __DIR__ and __FILE__ should not be used

  • Major
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/symfony.dependency_injection.use_dir_file_constant

  }
  protected function getUploadRootDir(): string
  {
  // the absolute directory path where uploaded documents should be saved
  return __DIR__ . '/../../../../web/files/' . $this->getTrimmedUploadDir();

    __DIR__ and __FILE__ constants may conflict with the Symfony resource overriding system

    Time to fix: about 2 hours
    Last edited by Jelmer Prins
  }
  protected function getTrimmedUploadDir(): string
  {
  return trim($this->getUploadDir(), '/\\');

Symfony applications should not throw AccessDeniedHttpException

  • Major
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/symfony.security.throw_access_denied_http_exception

  public function editAction(Request $request, ?int $id)
  {
  if (!$this->authorizationChecker->isGranted('ROLE_ADMIN')
  && $this->tokenStorage->getToken()->getUser()->getId() !== $id
  ) {
  throw new AccessDeniedHttpException('Access denied.');

    The AccessDeniedHttpException bypasses the Symfony Security component and always results in a 403 response. You should throw AccessDeniedException (without Http) instead, so that the Security Component displays a login form.

    Time to fix: about 1 hour
    Last edited by Jonas De Keukelaere
  }
  return parent::baseAction($request, $id);
  }
  }

PHP super globals should never be used

  • Major
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/symfony.use_super_globals

in web/app.php, line 9
  use Symfony\Component\HttpFoundation\Request;
  $env = getenv('SYMFONY_ENV') ?: 'prod';
  $debug = getenv('SYMFONY_DEBUG') === '1';
  if (isset($_SERVER['HTTP_HOST']) && substr_count($_SERVER['HTTP_HOST'], '.localhost')) {

    $_SERVER super global should not be used.

    Time to fix: about 2 hours
    Last edited by Jonas De Keukelaere
  $env = 'dev';
  $debug = true;
  }
  require __DIR__ . '/../vendor/autoload.php';

Source code should not contain TODO comments 3

  • Minor
  • Architecture

More information: https://insight.sensiolabs.com/what-we-analyse/task_todo_comment

  {{ 'user.types.user'|trans }}
  {% endif %}
  </td>
  <td class="action">
  {% if not user.isBlocked() and app.user.canSwitchTo(user) %}
  {# todo switch route to homepage? #}

    TODO comments are left in the code when a feature (or a bug) isn't completely developed (or fixed). You should complete the implementation and remove the comment.

    Time to fix: about 4 hours
    Last edited by Jonas De Keukelaere
  <a
  href="{{ path('sumocoders_frameworkexample_bootstrap_select2') }}?_switch_user={{ user.username }}"
  class="fa fa-refresh confirm"
  data-toggle="tooltip"
  title="{{ 'user.datagrid.actions.switchTo'|trans }}"
in app/config/config.yml, line 195
  extractors: [jms_i18n_routing]
  sumo_coders_framework_multi_user:
  redirect_routes:
  SumoCoders\FrameworkUserBundle\Entity\Admin: sumocoders_frameworkuser_index_index
  # todo when you add a page accessable by user, will default to "/"

    TODO comments are left in the code when a feature (or a bug) isn't completely developed (or fixed). You should complete the implementation and remove the comment.

    Time to fix: about 4 hours
    Last edited by Jonas De Keukelaere
  # SumoCoders\FrameworkUserBundle\Entity\User:
  $input-color: $gray-light;
  $input-color-focus: #37bdf6;
  //** `<input>` border color
  $input-border: $gray-lighter;
  // TODO: Rename `$input-border-radius` to `$input-border-radius-base` in v4

    TODO comments are left in the code when a feature (or a bug) isn't completely developed (or fixed). You should complete the implementation and remove the comment.

    Time to fix: about 4 hours
    Last edited by Daan De Deckere
  //** Default `.form-control` border radius
  // This has no effect on `<select>`s in some browsers, due to the limited stylability of `<select>`s in CSS.
  $input-border-radius: $border-radius-base;
  //** Large `.form-control` border radius
  $input-border-radius-large: $border-radius-large;
  • tijsverkoyen

    Ignored on Wed, 27 May 2015 07:10:19 GMT
  • tijsverkoyen

    Unignored on Wed, 27 May 2015 09:25:53 GMT

Code should not be duplicated

  • Minor
  • Architecture

More information: https://insight.sensiolabs.com/what-we-analyse/php.duplicated_code

  public function configureOptions(OptionsResolver $resolver)
  {
  $resolver->setDefaults(
  [
  'format' => 'dd/MM/y H:i',
  'maximum_date' => null,

    The next 25 lines appear both in src/SumoCoders/FrameworkCoreBundle/Form/Extension/DateTimeTypeExtension.php:30 and src/SumoCoders/FrameworkCoreBundle/Form/Extension/DateTypeExtension.php:31.

    Time to fix: about 4 hours
    Last edited by Bjorn
  'minimum_date' => null,
  ]
  );
  $resolver->setAllowedValues('widget', [

The Symfony Dependency Injection Container should not be passed as an argument

  • Minor
  • Architecture

More information: https://insight.sensiolabs.com/what-we-analyse/symfony.dependency_injection.no_container_as_parameter

  protected $container;
  /**
  * @param ContainerInterface $container
  */
  public function __construct(ContainerInterface $container)

    A Symfony dependency injection container has been found as an argument.

    Time to fix: about 4 hours
    Last edited by Tijs Verkoyen
  {
  $this->container = $container;
  }
  /**

The Symfony version should be the latest stable one

  • Minor
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/symfony.version.latest_stable

This project uses Symfony v3.4.2, which is not the latest release of the v3.4 branch. You should use v3.4.6 instead to benefit from the latest bugfixes.

Time to fix: about 1 day
Collective

Commented code should not be committed 3

  • Minor
  • Deadcode

More information: https://insight.sensiolabs.com/what-we-analyse/php.commented_out_code

in web/app.php, line 24
  // Enable APC for autoloading to improve performance.
  // You should change the ApcClassLoader first argument to a unique prefix
  // in order to prevent cache key conflicts with other applications
  // also using APC.
  /*

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Tijs Verkoyen
  $apcLoader = new Symfony\Component\ClassLoader\ApcClassLoader(sha1(__FILE__), $loader);
  $loader->unregister();
  $apcLoader->register(true);
  */
in web/app.php, line 31
  $loader->unregister();
  $apcLoader->register(true);
  */
  $kernel = new AppKernel($env, $debug);
  //$kernel = new AppCache($kernel);

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Tijs Verkoyen
  // When using the HttpCache, you need to call the method in your front controller instead of relying on the configuration parameter
  //Request::enableHttpMethodParameterOverride();
  $request = Request::createFromGlobals();
  $response = $kernel->handle($request);
in web/app.php, line 34
  $kernel = new AppKernel($env, $debug);
  //$kernel = new AppCache($kernel);
  // When using the HttpCache, you need to call the method in your front controller instead of relying on the configuration parameter
  //Request::enableHttpMethodParameterOverride();

    Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.

    Time to fix: about 30 minutes
    Last edited by Tijs Verkoyen
  $request = Request::createFromGlobals();
  $response = $kernel->handle($request);
  $response->send();
  $kernel->terminate($request, $response);

Unused method, property, variable or parameter

  • Minor
  • Deadcode

More information: https://insight.sensiolabs.com/what-we-analyse/php.unused_local_variable_or_private_member

  $this->authorizationChecker = $authorizationChecker;
  $this->loggableListener = $loggableListener;
  $this->blameableListener = $blameableListener;
  }
  public function onKernelRequest(GetResponseEvent $event)

    This event argument is declared but never used. You should remove it.

    Time to fix: about 15 minutes
    Last edited by Bjorn
  {
  if ($this->tokenStorage->getToken() !== null && $this->authorizationChecker->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
  $user = $this->tokenStorage->getToken()->getUser();
  $this->loggableListener->setUsername($user);

Default session cookie's name should be changed.

  • Minor
  • Security

More information: https://insight.sensiolabs.com/what-we-analyse/symfony.request.session_cookie_default_name

The session cookie name is the default one, PHPSESSID. You should consider overriding it via the session.name parameter (see the official documentation).

Time to fix: about 1 hour
Collective

Deprecated class found in service definition

  • Info
  • Architecture

More information: https://insight.sensiolabs.com/what-we-analyse/third_party.use_deprecated_service

The event_dispatcher service uses the Symfony\Component\EventDispatcher\ContainerAwareEventDispatcher class, which has been deprecated in Symfony 3.3. Use the Symfony\Component\EventDispatcher\EventDispatcher class instead.

Time to fix: about 2 hours
Collective

The composer.json file should not raise warnings

  • Info
  • Bugrisk

More information: https://insight.sensiolabs.com/what-we-analyse/composer.warning

Defining autoload.psr-4 with an empty namespace prefix is a bad idea for performance

Time to fix: about 1 hour
Collective