froala / wysiwyg-editor-php-sdk

PHP SDK to ease the integration of Froala WYSIWYG Editor on server side.
https://www.froala.com/wysiwyg-editor
MIT License

isFileValid has bogus code. #16

Closed Danack closed 7 years ago

Danack commented 7 years ago

The code on these lines has multiple severe issues.

== Problem 1

    $extension = end($filename);

The end function expects an array as input, not a string. This code emits a warning on my machine. Whoever wrote it presumably has warnings disabled on their machine, which is a terrible idea.

== Problem 2

Almost any use of in_array should set the 3rd parameter to true, to enforce a comparison of the exact type, because otherwise, this can happen:

    $allowedExts = [true];

    // Loose comparison: 'png' == true, so this reports a match.
    var_dump(in_array('png', $allowedExts));

Which is 'surprising'.
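The two problems side by side, as an added example rather than the SDK's own code (the function names `extensionOf` and `isExtensionAllowed` and the allow list are made up for illustration):

```php
<?php
// Added example, not the SDK's code. Shows why end() must be given an
// array and why in_array() needs its strict flag for an allow-list check.

// Build the array that end() expects instead of passing it a string.
function extensionOf(string $filename): string
{
    $parts = explode('.', $filename);
    // No dot means no extension; otherwise end() would return the whole name.
    if (count($parts) < 2) {
        return '';
    }
    return strtolower(end($parts));
}

// Hypothetical allow-list check: the third argument (true) makes in_array()
// compare with ===, so a non-string entry such as true cannot match every
// candidate extension.
function isExtensionAllowed(string $filename, array $allowedExts): bool
{
    $ext = extensionOf($filename);
    if ($ext === '') {
        return false;
    }
    return in_array($ext, $allowedExts, true);
}

// Loose comparison (the default): any non-empty string == true, so both
// 'png' and 'php' are reported as present in [true].
var_dump(in_array('png', [true]));
var_dump(in_array('php', [true]));
// Strict comparison: only an identical string matches.
var_dump(in_array('png', [true], true));
var_dump(in_array('png', ['png'], true));

// Constructed allow list and sample filenames.
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
var_dump(isExtensionAllowed('photo.PNG', $allowed));  // case-folded, allowed
var_dump(isExtensionAllowed('shell.php', $allowed));  // not in the list
var_dump(isExtensionAllowed('README', $allowed));     // no extension at all
var_dump(isExtensionAllowed('photo.png', [true]));    // stray true no longer matches
```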

NunoLopesPT commented 7 years ago

On Problem 1: the error is in the function's documentation: https://github.com/froala/wysiwyg-editor-php-sdk/blob/749aca2d5ca0fdb821130da60dbe671aeef06a75/lib/FroalaEditor/Utils/Utils.php#L9

It should be of type array, since it really is an array: https://github.com/froala/wysiwyg-editor-php-sdk/blob/749aca2d5ca0fdb821130da60dbe671aeef06a75/lib/FroalaEditor/Utils/Utils.php#L58

Here is debug output proving that it is an array: (screenshot from 2017-09-12 17-41-37)

Danack commented 7 years ago

Ah, sorry. I was confused by the variable name.