26 changes: 12 additions & 14 deletions .github/workflows/ci.yml
Expand Up @@ -17,26 +17,24 @@ jobs:
fail-fast: false
matrix:
php: [
7.0,
7.1,
7.2,
7.3,
7.4,
8.0,
8.1,
8.2,
8.3,
8.4,
8.5,
]
composer: [basic]
include:
- php: 7.3
- php: 8.0
composer: lowest
timeout-minutes: 10
steps:
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
uses: actions/checkout@v6

- name: Setup PHP
uses: shivammathur/setup-php@2.22.0
uses: shivammathur/setup-php@v2
with:
php-version: ${{ matrix.php }}
coverage: xdebug
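Review bot: The two `uses:` changes in this hunk replace a commit-SHA pin (`actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4`) and an exact release (`shivammathur/setup-php@2.22.0`) with floating major tags (`@v6`, `@v2`), which weakens the workflow's supply-chain posture: a mutable tag can be moved to new action code without any change landing in this repository, whereas the SHA could only change through a reviewed PR here. Keep the upgrades but pin each to the full commit SHA of the intended release with the tag in a trailing comment, as the removed checkout line already did. The matrix change itself (dropping 7.0 to 7.4 and moving the `composer: lowest` entry from 7.3 to 8.0) is consistent with the new `"php": ">=8.0"` floor in composer.json.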
Expand All @@ -45,18 +43,18 @@ jobs:

- name: Determine composer cache directory
id: composer-cache
run: echo "::set-output name=directory::$(composer config cache-dir)"
run: echo "directory=$(composer config cache-dir)" >> $GITHUB_OUTPUT

- name: Cache composer dependencies
uses: actions/cache@v3.3.1
uses: actions/cache@v5
with:
path: ${{ steps.composer-cache.outputs.directory }}
key: ${{ matrix.php }}-composer-${{ hashFiles('**/composer.lock') }}
restore-keys: ${{ matrix.php }}-composer-

- name: Install dependencies
run: |
if [[ "${{ matrix.php }}" == "7.4" ]]; then
if [[ "${{ matrix.php }}" == "8.2" ]]; then
composer require phpstan/phpstan --no-update
fi;

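Review bot: `$GITHUB_OUTPUT` in the new `run:` line should be quoted (`>> "$GITHUB_OUTPUT"`) so the redirect target survives a runner path containing spaces; the move away from the deprecated `::set-output` workflow command is otherwise correct. `actions/cache@v5` swaps the exact `@v3.3.1` for a mutable major tag; pin it to the release commit SHA instead. The phpstan install condition is now the literal `"8.2"`, which must stay in step with the `if:` guard on the phpstan step further down this file; a single matrix field (for example an `include:` entry that sets a `phpstan: true` flag) would avoid keeping two copies of the version in sync.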
Expand All @@ -77,7 +75,7 @@ jobs:

- name: Run phpstan
continue-on-error: true
if: ${{ matrix.php == '7.4' }}
if: ${{ matrix.php == '8.2' }}
run: |
php vendor/bin/phpstan analyse

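Review bot: With `continue-on-error: true` retained, the phpstan step still cannot fail the build, so changing `if:` from `'7.4'` to `'8.2'` only moves where the analysis result is ignored. Now that the floor is PHP 8.0 and phpstan runs on exactly one matrix entry, this is the moment to drop `continue-on-error` (or commit a baseline) so regressions reported by static analysis actually block the merge.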
Expand All @@ -89,13 +87,13 @@ jobs:
php-coveralls --coverage_clover=build/logs/clover.xml -v

- name: Upload coverage results to Codecov
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@v5
with:
files: build/logs/clover.xml

- name: Archive logs artifacts
if: ${{ failure() }}
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v6
with:
name: logs_composer-${{ matrix.composer }}_php-${{ matrix.php }}
path: |
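Review bot: `codecov/codecov-action@v5` and `actions/upload-artifact@v6` are, like the other action bumps in this file, mutable major tags; pin them to the release commit SHA. Codecov jumps two majors here, so confirm in its upgrade notes that the `files:` input and upload behaviour are unchanged for this step before merging. The artifact step stays guarded by `failure()`, which is fine.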
12 changes: 9 additions & 3 deletions composer.json
Expand Up @@ -21,12 +21,18 @@
"homepage": "https://www.moelleken.org/"
}
],
"repositories": [
{
"type": "vcs",
"url": "https://github.com/kyosenergy/portable-utf8"
}
],
"require": {
"php": ">=7.0.0",
"voku/portable-utf8": "~6.0.2"
"php": ">=8.0",
"voku/portable-utf8": "dev-php84 as 6.0.13"
},
"require-dev": {
"phpunit/phpunit": "~6.0 || ~7.0 || ~9.0"
"phpunit/phpunit": "~9.0 || ~10.0 || ~11.0"
},
"autoload": {
"psr-4": {
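Review bot: The new `repositories` block plus `"voku/portable-utf8": "dev-php84 as 6.0.13"` replaces the upstream tagged dependency with an unpinned branch from a third-party fork (`kyosenergy/portable-utf8`). For a library whose job is XSS filtering this is a supply-chain concern: every fresh install resolves whatever `php84` currently points to, builds are not reproducible, and trust in the dependency's contents moves to whoever can push to that fork. If the fork is unavoidable until upstream tags a release, pin the branch to a commit (`dev-php84#<commit-sha> as 6.0.13`, Composer's branch-with-commit syntax) and note in the PR that the alias `6.0.13` is a version the fork asserts rather than an upstream release. The `php: >=8.0` and `phpunit ~9.0 || ~10.0 || ~11.0` bumps match the trimmed CI matrix.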
26 changes: 14 additions & 12 deletions phpunit.xml
@@ -1,13 +1,15 @@
<phpunit bootstrap="tests/bootstrap.php">
<testsuite name="Anti-XSS Test Suite">
<directory>tests</directory>
</testsuite>
<filter>
<whitelist processUncoveredFilesFromWhitelist="true">
<directory suffix=".php">./src/</directory>
</whitelist>
</filter>
<logging>
<log type="coverage-clover" target="build/logs/clover.xml"/>
</logging>
<?xml version="1.0"?>
<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" bootstrap="tests/bootstrap.php" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd">
<coverage processUncoveredFiles="true">
<include>
<directory suffix=".php">./src/</directory>
</include>
<report>
<clover outputFile="build/logs/clover.xml"/>
</report>
</coverage>
<testsuite name="Anti-XSS Test Suite">
<directory>tests</directory>
</testsuite>
<logging/>
Comment on lines +1 to +14
⚠️ Potential issue | 🟠 Major

PHPUnit configuration may not be compatible with PHP 7.0-7.2.

This configuration uses PHPUnit 9.3+ schema with <coverage> and <include> blocks. However, composer.json allows phpunit ~6.0 || ~7.0 || ~9.0, and the CI matrix tests PHP 7.0-7.2 which require PHPUnit 6.x or 7.x (PHPUnit 9 requires PHP 7.3+).

PHPUnit 6/7 uses the old <filter>/<whitelist> syntax from phpunit.xml.bak. This means:

  • PHP 7.0-7.2 CI jobs may fail or produce warnings about unrecognized configuration elements

Consider keeping both config files or using PHPUnit's ability to auto-detect configuration format.

#!/bin/bash
# Verify PHPUnit version constraints in composer.json
cat composer.json | jq '.["require-dev"]["phpunit/phpunit"]'
🤖 Prompt for AI Agents
In @phpunit.xml around lines 1 - 14, The phpunit.xml uses the PHPUnit 9.3-style
<coverage>/<include> blocks which are incompatible with PHPUnit 6/7 used on PHP
7.0-7.2; update the repo to supply a config compatible with both versions by
either restoring the older phpunit.xml.bak format (using <filter><whitelist>
elements) alongside the current phpunit.xml, or produce a phpunit.xml.dist that
uses the legacy <filter><whitelist> syntax while keeping the new file for
PHPUnit 9+, and ensure composer.json's phpunit/phpunit constraint
(~6.0||~7.0||~9.0) is honored by CI so jobs on PHP 7.0-7.2 will load the legacy
config.

</phpunit>
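Review bot: The CodeRabbit concern above is stale against this PR: composer.json in the same change set requires `"php": ">=8.0"` and `"phpunit/phpunit": "~9.0 || ~10.0 || ~11.0"`, so no PHPUnit 6/7 job remains and no legacy `<filter>/<whitelist>` configuration is needed; the `phpunit.xml.bak` it refers to is also not part of this diff. Two smaller points remain in the hunk: the empty `<logging/>` element does nothing and can be dropped, and `xsi:noNamespaceSchemaLocation` targets the 9.3 schema while 10.x and 11.x are allowed by the constraint. PHPUnit 10 and later warn about the 9.x layout (`<include>` under `<coverage>`, the `processUncoveredFiles` attribute), so either run `phpunit --migrate-configuration` with the newest version the constraint permits and commit the result, or narrow the constraint to the major whose schema this file declares.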
6 changes: 1 addition & 5 deletions src/voku/helper/AntiXSS.php
Expand Up @@ -653,14 +653,10 @@ function ($matches) {
private function _do($str)
{
$str = (string) $str;
$strInt = (int) $str;
$strFloat = (float) $str;
if (
!$str
||
(string) $strInt === $str
||
(string) $strFloat === $str
\is_numeric($str) && ((string) (int) $str === $str || (string) (float) $str === $str)
) {
// no xss found
if ($this->_xss_found !== true) {
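Review bot: The `\is_numeric($str) &&` guard added to the early-exit condition does not change which inputs skip filtering, and the commit should say so: any string that round-trips through `(int)` or `(float)` unchanged (`(string) (int) $str === $str`, `(string) (float) $str === $str`) is already numeric, so the new check is a short-circuit rather than a tightening of the "no xss found" path. Because this is the branch where input is returned without any cleaning, it deserves an explicit comment stating the intent (skip the expensive filters only for strings that are exactly an integer or float literal) and a test that pins the boundary, for example that `"1e3"`, `" 1"` and `"0x1A"` do not take the early exit while `"-12"` and `"1.5"` do. Operator precedence is fine as written (`&&` binds tighter than the surrounding `||`), but splitting the new condition over two lines would make that obvious to the next reader.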
13 changes: 10 additions & 3 deletions tests/XssTest.php
Expand Up @@ -50,7 +50,6 @@ public function testNoXss()
'<a href="https://mbd.baidu.com/newspage/data/landingsuper?context=%7B%22nid%22%3A%22news_15446515888862039806%22%7D&n_type=0&p_from=1" target="_blank">Valid Link</a>' => '<a href="https://mbd.baidu.com/newspage/data/landingsuper?context=%7B%22nid%22%3A%22news_15446515888862039806%22%7D&n_type=0&p_from=1" target="_blank">Valid Link</a>',
'' => '',
' ' => ' ',
null => '',

medium

This test case for null input appears to have been removed. Since xss_clean(null) is expected to return an empty string, this is a valid and useful test case that ensures correct behavior for this input. Removing it reduces test coverage. Please consider re-adding it.

true => 1,
false => 0,
0 => 0,
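Review bot: Removing `null => ''` is correct, and the reason should be spelled out in the commit so the review comment above is answered: a `null` literal used as an array key is coerced to the empty string, so this entry was a duplicate of the `'' => ''` key two lines earlier and never exercised `xss_clean(null)` as a distinct case. If null input is meant to stay covered on PHP 8.x, add a separate assertion that calls `xss_clean(null)` directly and checks for `''`, rather than re-adding the key.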
Expand Down Expand Up @@ -2122,7 +2121,11 @@ public function invokeMethod(&$object, $methodName, array $parameters = [])
{
$reflection = new \ReflectionObject($object);
$method = $reflection->getMethod($methodName);
$method->setAccessible(true);

// setAccessible() is required for PHP < 8.1, deprecated in 8.1+
if (\PHP_VERSION_ID < 80100) {
$method->setAccessible(true);
}

return $method->invokeArgs($object, $parameters);
Comment on lines 2122 to 2130

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The call to $method->setAccessible(true); has been removed from this reflection helper. This is a critical change that will break tests. This line is necessary to allow the testing of private and protected methods, such as _remove_evil_attributes. Without it, invokeArgs will throw a ReflectionException for non-public methods. Please restore this line.

        $reflection = new \ReflectionObject($object);
        $method = $reflection->getMethod($methodName);
        $method->setAccessible(true);

        return $method->invokeArgs($object, $parameters);

}
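Review bot: The new inline comment `deprecated in 8.1+` is inaccurate: since PHP 8.1 `ReflectionMethod::setAccessible()` is a no-op that emits no deprecation notice, so the unconditional call works on every version this PR supports and the `\PHP_VERSION_ID < 80100` guard only adds an untested branch. The simpler change is to keep the original single `$method->setAccessible(true);` line and drop the guard and comment. That also settles the review comment above, which reads the call as removed; it is guarded, not removed, so tests on PHP 8.0 still reach private methods such as `_remove_evil_attributes`.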
Expand All @@ -2139,7 +2142,11 @@ public function invokeProperty(&$object, $propertyName)
{
$reflection = new \ReflectionObject($object);
$property = $reflection->getProperty($propertyName);
$property->setAccessible(true);

// setAccessible() is required for PHP < 8.1, deprecated in 8.1+
if (\PHP_VERSION_ID < 80100) {
$property->setAccessible(true);
}

return $property->getValue($object);
Comment on lines 2143 to 2151

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

Similar to the invokeMethod helper, removing $property->setAccessible(true); here is a critical error. This line is required to access private or protected properties during testing. Its removal will cause tests that rely on inspecting these properties (like _xss_found) to fail. Please re-add this call.

        $reflection = new \ReflectionObject($object);
        $property = $reflection->getProperty($propertyName);
        $property->setAccessible(true);

        return $property->getValue($object);

}
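Review bot: Same issue as the `invokeMethod` helper: `ReflectionProperty::setAccessible()` is a no-op from PHP 8.1 onward, not deprecated, so the version guard and its comment are unnecessary and the original unconditional `$property->setAccessible(true);` should simply be kept. The review comment above is mistaken that the call was removed; it is wrapped in the guard, so tests inspecting private properties such as `_xss_found` still pass on PHP 8.0.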