Documentation

AudioUriValidator
in package

Final: Yes

Validates user-supplied TxAudioURI values before persisting them.

Three layers of defense:

  1. Always reject: path traversal (..), null bytes, control characters, absolute filesystem paths (/foo), and dangerous URI schemes (javascript:, data:, file:, vbscript:). These never have a legitimate use in TxAudioURI and they enable stored XSS or unbounded filesystem reads when echoed into the media player.

  2. Multi-user mode: any new relative media/... path must live under the caller's per-user subdirectory (media/u{id}/...). Apache serves media/ directly with no ownership check, so without this guard user A can save media/userB.mp3 into their own text and stream user B's file.

  3. Grandfather rule: if the new value matches the previously stored value byte-for-byte, the multi-user-subdir requirement is skipped. Pre-existing TxAudioURIs from before this validator existed (or from before per-user subdirs were enforced) continue to load when their owner re-saves the text without touching the audio field. The "always reject" layer still runs.
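
The ordering of the three layers, as an added sketch that is not the project's AudioUriValidator source. The function name `sketchValidateAudioUri`, the `$userId` and `$multiUser` parameters, the percent-decoding step and the error messages are assumptions made for the illustration; the documented `validate()` takes only `$audioUri` and `$previousUri`.

```php
<?php
declare(strict_types=1);
// Added sketch, not the project's code. Requires PHP 8.0+ (str_starts_with).
// $userId and $multiUser are assumed inputs for this illustration.
function sketchValidateAudioUri(string $uri, ?string $previous, int $userId, bool $multiUser): string
{
    // Layer 1: always reject, even when the value is grandfathered.
    // Assumption: decode once so %2e%2e and %00 are seen; "\" counts as "/".
    $decoded = str_replace('\\', '/', rawurldecode($uri));
    if (preg_match('/[\x00-\x1F\x7F]/', $decoded) === 1) {
        throw new InvalidArgumentException('Audio URI contains control characters.');
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $decoded) === 1) {
        throw new InvalidArgumentException('Audio URI contains path traversal.');
    }
    if (str_starts_with($decoded, '/')) {
        throw new InvalidArgumentException('Absolute filesystem paths are not allowed.');
    }
    if (preg_match('/^\s*(javascript|data|file|vbscript)\s*:/i', $uri) === 1) {
        throw new InvalidArgumentException('URI scheme is not allowed.');
    }
    // Layer 3: a byte-for-byte unchanged value skips only the check below.
    if ($previous !== null && $uri === $previous) {
        return $uri;
    }
    // Layer 2: new relative media/ paths must sit in the caller's subdirectory.
    // The trailing slash keeps media/u70/ from matching user 7.
    if ($multiUser && str_starts_with($uri, 'media/')
        && !str_starts_with($uri, "media/u{$userId}/")) {
        throw new InvalidArgumentException('Audio file must be in your own media folder.');
    }
    return $uri;
}

// Constructed sample inputs: [new value, previously stored value], caller is user 7.
$cases = [
    ['media/u7/lesson.mp3', null],
    ['media/userB.mp3', null],
    ['media/userB.mp3', 'media/userB.mp3'],
    ['media/u7/../u8/a.mp3', 'media/u7/../u8/a.mp3'],
    ['javascript:void(0)', null],
];
foreach ($cases as [$uri, $prev]) {
    try {
        sketchValidateAudioUri($uri, $prev, 7, true);
        echo "accept  $uri\n";
    } catch (InvalidArgumentException $e) {
        echo "reject  $uri: {$e->getMessage()}\n";
    }
}
```

The third and fourth cases show the grandfather rule's boundary: an unchanged legacy path outside the per-user directory is accepted, while an unchanged value containing traversal is still rejected by the first layer.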

Tags
since: 3.0.0

Table of Contents

Methods

validate()  : string
Validate a TxAudioURI value. Returns the (unchanged) value on success; throws \InvalidArgumentException with a user-facing message on failure.
containsControlCharacters()  : bool
containsTraversal()  : bool
hasDangerousScheme()  : bool

Methods

validate()

Validate a TxAudioURI value. Returns the (unchanged) value on success; throws \InvalidArgumentException with a user-facing message on failure.

public static validate(string $audioUri[, string|null $previousUri = null ]) : string
Parameters
$audioUri : string

New value being persisted

$previousUri : string|null = null

Previously stored value, or null when inserting a new row

Return values
string

The validated URI (same as input when valid)

containsControlCharacters()

private static containsControlCharacters(string $value) : bool
Parameters
$value : string
Return values
bool

containsTraversal()

private static containsTraversal(string $value) : bool
Parameters
$value : string
Return values
bool

hasDangerousScheme()

private static hasDangerousScheme(string $value) : bool
Parameters
$value : string
Return values
bool
