1

I am receiving an alert in JED Checker, the line of code that generates the alert contains str_replace which is used to replace of spaces with hyphens.

Here the code:

$uniqueFilter = array_unique($unique_filter); foreach ($uniqueFilter as $filter) { echo '<a href="#" class="filter-item" data-group=".'.str_replace(' ', '-', $filter).'">'.$filter.'</a>'; }

I would like to know if str_replace or preg_replace is a danger and why they have it marked to generate an alert.

Improve this question

2 Answers 2

Reset to default
2

This is an unnecessarily strict rule and it has already been removed in code base. The change should be reflected in the next major JED Checker release. See this commit for reference.

Improve this answer
1
  • I often use strstr() in production code. Why is it blacklisted. Who came up with [\s/\*\w\W\(]? I'd like to hear what their intention was. That subpattern reveals a lack of regex understanding. Commented Apr 9, 2021 at 10:14
2

Keep in mind that:

That said, I must assume that the script doesn't like that you aren't calling htmlspecialchars() on a variable being printed into an html document. Have a read of https://stackoverflow.com/q/4882307/2943403 and https://stackoverflow.com/a/46491/2943403. I don't see any potential vulnerability in executing that very trivial string manipulation with str_replace() -- I think this is a red herring.

If you, yourself, are worried about this being an attack vector, then you should sanitise the string as much as possible. Will it contain only letters? letters and numbers? any allowed symbols? A regex to strip unwelcome characters could be a good idea.

I might code it like this:

foreach (array_unique($unique_filter) as $filter) { printf( '<a href="#" class="filter-item" data-group="%s">%s</a>', htmlspecialchars(str_replace(' ', '-', $filter)), htmlspecialchars($filter) ); }

This way you:

  • keep the code width short and
  • eliminate the single-use variable $uniqueFilter and
  • eliminate the noise of concatenating of text and function calls
Improve this answer
3
  • Thank you, sorry for my English. I tried using htmlspecialchars, even pasting the full code, but the alert continues. I am converting Joomla tag and category names to classes. I know it is a false alert, what I would like is to know if str_replace is dangerous as described in JAMSS Commented Apr 9, 2021 at 20:46
  • I will urge you to move the green tick to Sharky's answer because it is correct and supported by documented evidence. If you gained helpful insights from my answer, then an upvote on my answer is sufficient acknowledgement. Commented Apr 10, 2021 at 0:06
  • Also keep in mind that the JAMSS script has not been updated for 7 years... Security is not a one shot deal... Commented Jun 6, 2021 at 13:15

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.