From 8a8aa4f7dc72a6eb3f704806cf795c2bb7297b89 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Fri, 11 Dec 2020 21:23:11 +0000
Subject: [PATCH] Add sanitizers for JSON output

Those functions set proper content-types that prevent rendering of
data. Therefore it's safe to mark them as sanitizers.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---
 lib/private/legacy/OC_API.php  | 1 +
 lib/private/legacy/OC_JSON.php | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/lib/private/legacy/OC_API.php b/lib/private/legacy/OC_API.php
index 5e4a46ab4d7..cba60826196 100644
--- a/lib/private/legacy/OC_API.php
+++ b/lib/private/legacy/OC_API.php
@@ -43,6 +43,7 @@ class OC_API {
 	 * respond to a call
 	 * @param \OC\OCS\Result $result
 	 * @param string $format the format xml|json
+	 * @psalm-taint-escape html
 	 */
 	public static function respond($result, $format = 'xml') {
 		$request = \OC::$server->getRequest();
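Review bot: The `@psalm-taint-escape html` added to `respond()` applies to every value of `$format`, and the docblock lists `xml|json` with `'xml'` as the default, while the commit message justifies the escape for JSON output only. The body of `respond()` continues past the hunk, so it is not visible here which Content-Type the XML branch sends; an XML response can still be interpreted by a browser, so that path needs its own check before taint reports are silenced for it. If the XML path is verified, I would record the reasoning in the docblock, for example `* Taint escape: both xml and json responses are sent with a non-HTML Content-Type`; if it is not, the annotation should stay off this method.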
diff --git a/lib/private/legacy/OC_JSON.php b/lib/private/legacy/OC_JSON.php
index a0b9868a023..1597955135e 100644
--- a/lib/private/legacy/OC_JSON.php
+++ b/lib/private/legacy/OC_JSON.php
@@ -99,6 +99,7 @@ class OC_JSON {
 	 * Send json error msg
 	 * @deprecated Use a AppFramework JSONResponse instead
 	 * @suppress PhanDeprecatedFunction
+	 * @psalm-taint-escape html
 	 */
 	public static function error($data = []) {
 		$data['status'] = 'error';
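Review bot: The docblock of `error()` now carries `@psalm-taint-escape html` without stating why the escape is sound, and the same applies to `success()` in the next hunk. The justification lives only in the commit message, and the code that sets the header is outside both hunks, so a later change to the Content-Type would leave tainted data unreported by Psalm with nothing in the source to warn the editor. I would add a line above the annotation such as `* Output is sent with a JSON Content-Type and is therefore not rendered as HTML.` and confirm that these responses also send `X-Content-Type-Options: nosniff`, so that the declared type is honoured by the browser.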
@@ -110,6 +111,7 @@ class OC_JSON {
 	 * Send json success msg
 	 * @deprecated Use a AppFramework JSONResponse instead
 	 * @suppress PhanDeprecatedFunction
+	 * @psalm-taint-escape html
 	 */
 	public static function success($data = []) {
 		$data['status'] = 'success';
-- 
GitLab