Symfony secret should be changed
- Read doc
- Security
- Critical
More information: https://insight.symfony.com/what-we-analyse/symfony.obvious_csrf_key
Website should be protected against XSS Vulnerability 3
- Read doc
- Security
- Critical
More information: https://insight.symfony.com/what-we-analyse/twig.xss_vulnerability
- </div>
- <br>
- <blockquote><p>{{ post.intro }}</p></blockquote>
- <p>{{ post.content|raw }}</p>
Using the
|rawfilter or the{% autoescape false %}block in a Twig template exposes users to Cross-Site Scripting (XSS) attacksLast edited by Peter Kokot- <div id="disqus_thread"></div>
- <script>
- /**
- * RECOMMENDED CONFIGURATION VARIABLES: EDIT AND UNCOMMENT THE SECTION BELOW TO INSERT DYNAMIC VALUES FROM YOUR PLATFORM OR CMS.
- <ul>
- {% for bundle in bundles %}
- <li>
- <a href="{{ bundle.url }}" target="_blank">{{ bundle.name }}</a><br>
- <small>{{ bundle.description|raw }}</small>
Using the
|rawfilter or the{% autoescape false %}block in a Twig template exposes users to Cross-Site Scripting (XSS) attacksLast edited by Peter Kokot- </li>
- {% endfor %}
- </ul>
- {% endblock %}
- <div class="text-left">
- <span class="glyphicon glyphicon-time" aria-hidden="true"></span> <em>Čas branja: {{ psr.readTime }}</em>
- <span class="glyphicon glyphicon-edit" aria-hidden="true"></span> <em>Zadnja sprememba: {{ psr.updated|date("d.m.Y") }}</em>
- </div>
- {{ psr.content|raw }}
Using the
|rawfilter or the{% autoescape false %}block in a Twig template exposes users to Cross-Site Scripting (XSS) attacksLast edited by Peter Kokot- {% endblock %}
- {% block sidebar %}
- {% if psr.meta %}
- <h2>Meta dokument</h2>
Twig templates should not contain business logic 2
- Read doc
- Architecture
- Major
More information: https://insight.symfony.com/what-we-analyse/twig.template_too_complex
Template too complex, depth of 8 is reached but only 5 is allowed.
Template too complex, depth of 6 is reached but only 5 is allowed.
Symfony applications should not contain a config.php file
- Read doc
- Security
- Major
More information: https://insight.symfony.com/what-we-analyse/symfony.web_config_should_not_be_present
This config.php file should only be used to bootstrap a Symfony application. Before releasing to production, you should remove it, otherwise attackers could get valuable insight about your application.
-
web
- images
- app.php
- app_dev.php
- apple-touch-icon.png
- config.php
- favicon.ico
- robots.txt
Version of dependencies should be fixed 6
- Read doc
- Bugrisk
- Minor
More information: https://insight.symfony.com/what-we-analyse/composer.unfixed_dependency_version
The Symfony version should be the latest stable one
- Read doc
- Bugrisk
- Minor
More information: https://insight.symfony.com/what-we-analyse/symfony.version.latest_stable
Object parameters should be type hinted 4
- Read doc
- Bugrisk
- Minor
More information: https://insight.symfony.com/what-we-analyse/php.object_parameter_not_type_hinted
- public function findAll()
- {
- $finder = new Finder();
- $finder->files()->in($this->path.'/Resources/content/blog');
- $finder->files()->name('*.md');
- $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); });
The parameter
a, which is an object, should be typehinted.Last edited by Peter Kokot- $posts = [];
- foreach ($finder as $file) {
- $post = $this->getPostByFile($file->getRealPath());
- $posts[] = $post;
- public function findAll()
- {
- $finder = new Finder();
- $finder->files()->in($this->path.'/Resources/content/blog');
- $finder->files()->name('*.md');
- $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); });
The parameter
b, which is an object, should be typehinted.Last edited by Peter Kokot- $posts = [];
- foreach ($finder as $file) {
- $post = $this->getPostByFile($file->getRealPath());
- $posts[] = $post;
- public function findLatest($limit = 10)
- {
- $finder = new Finder();
- $finder->files()->in($this->path.'/Resources/content/blog');
- $finder->files()->name('*.md');
- $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); });
The parameter
a, which is an object, should be typehinted.Last edited by Peter Kokot- $posts = [];
- foreach (new \LimitIterator($finder->getIterator(), 0, $limit) as $file) {
- $post = $this->getPostByFile($file->getRealPath());
- $posts[] = $post;
- public function findLatest($limit = 10)
- {
- $finder = new Finder();
- $finder->files()->in($this->path.'/Resources/content/blog');
- $finder->files()->name('*.md');
- $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); });
The parameter
b, which is an object, should be typehinted.Last edited by Peter Kokot- $posts = [];
- foreach (new \LimitIterator($finder->getIterator(), 0, $limit) as $file) {
- $post = $this->getPostByFile($file->getRealPath());
- $posts[] = $post;
Commented code should not be committed
- Read doc
- Deadcode
- Minor
More information: https://insight.symfony.com/what-we-analyse/php.commented_out_code
- $kernel = new AppKernel('prod', false);
- $kernel->loadClassCache();
- $kernel = new AppCache($kernel);
- // When using the HttpCache, you need to call the method in your front controller instead of relying on the configuration parameter
- //Request::enableHttpMethodParameterOverride();
Commented out code reduces readability and lowers the code confidence for other developers. If it's common usage for debug, it should not be committed. Using a version control system, such code can be safely removed.
Last edited by Peter Kokot- $request = Request::createFromGlobals();
- $response = $kernel->handle($request);
- $response->send();
- $kernel->terminate($request, $response);
Default session cookie's name should be changed
- Read doc
- Security
- Minor
More information: https://insight.symfony.com/what-we-analyse/symfony.request.session_cookie_default_name
The composer.json file should not raise warnings
- Read doc
- Bugrisk
- Info
More information: https://insight.symfony.com/what-we-analyse/composer.warning
Defining autoload.psr-4 with an empty namespace prefix is a bad idea for performance
Text files should end with a valid new line character. 6
- Read doc
- Codestyle
- Info
More information: https://insight.symfony.com/what-we-analyse/missing_e_o_l
- {% block javascripts %}
- {{ parent() }}
- <script id="dsq-count-scr" src="//symfonysi.disqus.com/count.js" async></script>
- {% endblock %}
This file ends with no newline character, or with a different newline character than other files in your project. It won't render properly on a terminal, and it's considered a bad practice.
Last edited by Peter Kokot
- {% if sidebarpsr.meta %}
- <li{% if path('psr_show', {'slug': sidebarpsr.meta.slug}) == currentPath %} class="active"{% endif %}><a href="{{ path('psr_show', {'slug': sidebarpsr.meta.slug}) }}">{{ sidebarpsr.meta.title }}</a></li>
- {% endif %}
- {% endfor %}
- </ul>
- {% endblock %}
This file ends with no newline character, or with a different newline character than other files in your project. It won't render properly on a terminal, and it's considered a bad practice.
Last edited by Peter Kokot
- {% block title %}{{ status_code }} {{ status_text }}{% endblock %}
- {% block body %}
- <h1>Oops! And Error Occurred</h1>
- <h2>The server returned a "{{ status_code }} {{ status_text }}".</h2>
- {% endblock %}
This file ends with no newline character, or with a different newline character than other files in your project. It won't render properly on a terminal, and it's considered a bad practice.
Last edited by Peter Kokot
- if (d.getElementById(id)) return;
- js = d.createElement(s); js.id = id;
- js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.6&appId=1062356410505765";
- fjs.parentNode.insertBefore(js, fjs);
- }(document, 'script', 'facebook-jssdk'));</script>
- <div class="fb-page" data-href="https://www.facebook.com/symfony.si/" data-small-header="true" data-adapt-container-width="true" data-hide-cover="true" data-show-facepile="true"><blockquote cite="https://www.facebook.com/symfony.si/" class="fb-xfbml-parse-ignore"><a href="https://www.facebook.com/symfony.si/">Symfony Slovenia</a></blockquote></div>
This file ends with no newline character, or with a different newline character than other files in your project. It won't render properly on a terminal, and it's considered a bad practice.
Last edited by Peter Kokot
- })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
- ga('create', 'UA-59671004-1', 'auto');
- ga('send', 'pageview');
- </script>
This file ends with no newline character, or with a different newline character than other files in your project. It won't render properly on a terminal, and it's considered a bad practice.
Last edited by Peter Kokot
- public function getReadTime()
- {
- return $this->readTime;
- }
- }
This file ends with no newline character, or with a different newline character than other files in your project. It won't render properly on a terminal, and it's considered a bad practice.
Last edited by Peter Kokot
A route should always have a valid HTTP method 14
- Read doc
- Security
- Info
More information: https://insight.symfony.com/what-we-analyse/symfony.routing.action_not_restricted_by_method
Default favicon should be changed 2
- Read doc
- Security
- Info
More information: https://insight.symfony.com/what-we-analyse/web.default_favicon
Default Apple touch Symfony favicon found.
This reveals the backend engine of the application and makes it more vulnerable to attackers. Consider using a custom favicon instead - plus, your users will memorize your application more easily.
Default Symfony favicon found.
This reveals the backend engine of the application and makes it more vulnerable to attackers. Consider using a custom favicon instead - plus, your users will memorize your application more easily.
