From 5c962261f569ed3d947b174cff3ce10f38072310 Mon Sep 17 00:00:00 2001
From: Paragon Initiative Enterprises
Date: Sat, 11 May 2024 17:55:15 -0400
Subject: [PATCH] Eliminate one eval() with dynamic variables
---
 src/InputFilterContainer.php | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/src/InputFilterContainer.php b/src/InputFilterContainer.php
index 1e3ff54..fa8bdba 100644
--- a/src/InputFilterContainer.php
+++ b/src/InputFilterContainer.php
@@ -79,24 +79,32 @@ public function filterValue(string $key, $multiDimensional)
 /** @var array|string $filtered */
 $filtered =& $multiDimensional;
- /**
- * @security This shouldn't be escapable. We know eval is evil, but
- * there's not a more elegant way to process this in PHP.
- */
+ $var = '';
 if (\is_array($multiDimensional)) {
 $var = '$multiDimensional';
 foreach ($pieces as $piece) {
+ $_var = substr($var, 1);
+ if (is_null(${$_var})) {
+ ${$var} = [];
+ }
+
 $append = '[' . self::sanitize($piece) . ']';
+ if (!isset(${$var . $append})) {
+ ${$var . $append} = null;
+ $var .= $append;
+ break;
+ }
 // Alphabetize the parent array
- eval(
- 'if (!isset(' . $var . $append . ')) {' . "\n" .
- ' ' . $var . $append . ' = null;' . "\n" .
- '}' . "\n" .
- '\ksort(' . $var . ');' . "\n"
- );
+ if (is_array(${$var})) {
+ ksort(${$var});
+ }
 $var .= $append;
 }
+ /**
+ * @security This shouldn't be escapable. We know eval is evil, but
+ * there's not a more elegant way to process this in PHP.
+ */
 eval('$filtered =& ' . $var. ';');
 }
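Review bot: In the `foreach`, `${$var . $append}` is a variable-variable whose name is the whole string `$multiDimensional[...]`, not an index into `$multiDimensional`, so `!isset(...)` looks true on the first piece every time and the loop `break`s after a single append; missing nested keys are no longer created and the `ksort` is never reached, unlike the removed `eval()`. `${$var} = []` has the same problem, since that name keeps its leading `$` while the null check above it uses `$_var`. Walking the array with a reference cursor restores the old behaviour without string-built code, and it would also let the remaining `eval('$filtered =& ' . $var. ';')` go, whose safety rests entirely on `self::sanitize()`. The sketch below assumes `sanitize()` only quotes the piece as a literal array key; it is defined outside this hunk, as are the start and end of `filterValue`.

```php
if (\is_array($multiDimensional)) {
    $cursor =& $multiDimensional;
    foreach ($pieces as $piece) {
        // NOTE(review): assumes sanitize() only quotes $piece as a literal key; confirm
        if (!isset($cursor[$piece])) {
            $cursor[$piece] = null;
        }
        // Alphabetize the parent array
        \ksort($cursor);
        $cursor =& $cursor[$piece];
    }
    $filtered =& $cursor;
}
```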