diff --git a/system/ThirdParty/Escaper/Escaper.php b/system/ThirdParty/Escaper/Escaper.php index c4964cb55e4a..1e5bc7f9fad9 100644 --- a/system/ThirdParty/Escaper/Escaper.php +++ b/system/ThirdParty/Escaper/Escaper.php @@ -25,6 +25,8 @@ /** * Context specific methods for use in secure output escaping + * + * @final */ class Escaper { @@ -49,7 +51,7 @@ class Escaper * Current encoding for escaping. If not UTF-8, we convert strings from this encoding * pre-escaping and back to this encoding post-escaping. * - * @var string + * @var non-empty-string */ protected $encoding = 'utf-8'; @@ -88,7 +90,7 @@ class Escaper /** * List of all encoding supported by this class * - * @var array + * @var list */ protected $supportedEncodings = [ 'iso-8859-1', @@ -131,6 +133,7 @@ class Escaper * Constructor: Single parameter allows setting of global encoding for use by * the current object. * + * @param non-empty-string|null $encoding * @throws Exception\InvalidArgumentException */ public function __construct(?string $encoding = null) @@ -159,25 +162,19 @@ public function __construct(?string $encoding = null) // set matcher callbacks $this->htmlAttrMatcher = /** @param array $matches */ - function (array $matches): string { - return $this->htmlAttrMatcher($matches); - }; + fn(array $matches): string => $this->htmlAttrMatcher($matches); $this->jsMatcher = /** @param array $matches */ - function (array $matches): string { - return $this->jsMatcher($matches); - }; + fn(array $matches): string => $this->jsMatcher($matches); $this->cssMatcher = /** @param array $matches */ - function (array $matches): string { - return $this->cssMatcher($matches); - }; + fn(array $matches): string => $this->cssMatcher($matches); } /** * Return the encoding that all output/input is expected to be encoded in. * - * @return string + * @return non-empty-string */ public function getEncoding() { @@ -188,7 +185,7 @@ public function getEncoding() * Escape a string for the HTML Body context where there are very few characters * of special meaning. Internally this will use htmlspecialchars(). * - * @return string + * @return ($string is non-empty-string ? non-empty-string : string) */ public function escapeHtml(string $string) { @@ -200,7 +197,7 @@ public function escapeHtml(string $string) * to escape that are not covered by htmlspecialchars() to cover cases where an attribute * might be unquoted or quoted illegally (e.g. backticks are valid quotes for IE). * - * @return string + * @return ($string is non-empty-string ? non-empty-string : string) */ public function escapeHtmlAttr(string $string) { @@ -222,7 +219,7 @@ public function escapeHtmlAttr(string $string) * Backslash escaping is not used as it still leaves the escaped character as-is and so * is not useful in a HTML context. * - * @return string + * @return ($string is non-empty-string ? non-empty-string : string) */ public function escapeJs(string $string) { @@ -240,7 +237,7 @@ public function escapeJs(string $string) * an entire URI - only a subcomponent being inserted. The function is a simple proxy * to rawurlencode() which now implements RFC 3986 since PHP 5.3 completely. * - * @return string + * @return ($string is non-empty-string ? non-empty-string : string) */ public function escapeUrl(string $string) { @@ -251,7 +248,7 @@ public function escapeUrl(string $string) * Escape a string for the CSS context. CSS escaping can be applied to any string being * inserted into CSS and escapes everything except alphanumerics. * - * @return string + * @return ($string is non-empty-string ? non-empty-string : string) */ public function escapeCss(string $string) {