KevinMidboe/linguist
1
0
Fork 0
mirror of https://github.com/KevinMidboe/linguist.git synced 2025-10-29 09:40:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
94367cc460d32dfa315236daca0490ae5e4cae1b
linguist/samples/Hack/UnescapedStringRecipe.hh
Josh Watzman b2cb74cabf Add detection for Hack files with ".hh" file extension 
Hack is Facebook's dialect of PHP: http://hacklang.org/. This adds support for detecting it via the ".hh" file extension; although that extension techincally conflicts with C++ headers, the files look different enough that the existing classifier based on sample code has no trouble distinguising them.

This diff deliberately does not deal with detecting ".php" as another valid extension for Hack code. That's much trickier since the code looks basically identical to PHP to the classifier, and needs a different approach.
2014-10-21 15:35:57 -07:00

60 lines
1.7 KiB
C++
Raw Blame History

<?hh // strict
/**
* Copyright (c) 2014, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD-style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*
*/
require_once $_SERVER['DOCUMENT_ROOT'].'/core/controller/recipe/init.php';
require_once "demo.php";
class UnescapedStringRecipe extends Recipe implements RecipeWithDemo {
protected function getName(): string {
return 'Unescaped string';
}
<<Override>>
protected function getDescription(): ?string {
return 'Forgetting to properly escape the strings you get from your users '.
'can lead to serious security holes. Hack can help by forcing you to '.
'escape these strings before using them as strings.';
}
protected function getFilenames(): Vector<string> {
return Vector {
'UnescapedString.php',
'MySecureRequest.php',
};
}
protected function getDocs(): Vector<(string, string)> {
return Vector{
tuple('Opaque Type Aliasing', 'hack.typealiasing.opaquetypealiasing'),
};
}
public function getDemoFilename(): string {
return 'demo.php';
}
public function getDemoResult(): string {
return unescaped_string_main();
}
public function getDemoXHP(): ?:xhp {
$url = '/recipes/unescaped-string/';
return
<x:frag>
Try setting the myStrParam GET param to something nice and innocent with this button...
<div>
<a href={"$url?myStrParam='); DROP TABLE important_stuff; --#demo"} class="button">GET myStrParam=Hello world</a>
</div>
</x:frag>;
}
}
Reference in New Issue View Git Blame Copy Permalink