From 1e2877e863e484e0f70e53ac872f8e58a8df78ea Mon Sep 17 00:00:00 2001
From: Olivier PEREZ
Date: Mon, 5 Jan 2015 23:30:47 +0100
Subject: [PATCH] Don't encode to HTML value before storing it to database
---
 .../Framadate/Services/InputService.php | 2 +-
 choix_autre.php | 3 ++-
 choix_date.php | 4 +++-
 infos_sondage.php | 19 +++++++++----------
 4 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/app/classes/Framadate/Services/InputService.php b/app/classes/Framadate/Services/InputService.php
index d985bb5..aafed00 100644
--- a/app/classes/Framadate/Services/InputService.php
+++ b/app/classes/Framadate/Services/InputService.php
@@ -29,7 +29,7 @@ class InputService {
 * This method filter an array calling "filter_var" on each items.
 * Only items validated are added at their own indexes, the others are not returned.
 */
- function filterArray(array $arr, $type, $options) {
+ function filterArray(array $arr, $type, $options = null) {
 $newArr = [];
 foreach($arr as $id=>$item) {
diff --git a/choix_autre.php b/choix_autre.php
index 586bc52..95ba3cd 100644
--- a/choix_autre.php
+++ b/choix_autre.php
@@ -134,7 +134,8 @@ if (empty($_SESSION['form']->title) || empty($_SESSION['form']->admin_name) || (
 $_SESSION['form']->clearChoices();
 foreach ($_POST['choices'] as $c) {
 if (!empty($c)) {
- $choice = new Choice(htmlentities(html_entity_decode($c, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8'));
+ $c = filter_var($c, FILTER_SANITIZE_STRING);
+ $choice = new Choice($c);
 $_SESSION['form']->addChoice($choice);
 }
 }
diff --git a/choix_date.php b/choix_date.php
index 9c0ae49..5170306 100644
--- a/choix_date.php
+++ b/choix_date.php
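Review bot: The new `$options = null` default is not reflected in the docblock directly above the signature, which names no parameters and says nothing about how a null option set is treated; the body of filterArray runs past the end of the hunk, so whether null is handed straight to filter_var cannot be checked here. I would extend the docblock with `@param array $arr`, `@param int $type a filter_var FILTER_* constant`, `@param array|int|null $options passed to filter_var; null means no options` and `@return array the items that passed the filter, keyed by their original index`. Because the contract keeps original indexes, the docblock should also warn that the result is not a dense list, so callers must not walk it with a 0..count() loop.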
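Review bot: The `!empty($c)` guard on the line above still tests the raw value, but the new `filter_var($c, FILTER_SANITIZE_STRING)` can turn a non-empty input into an empty string (a value that is only a tag) or return false for a non-scalar item, and that result is then stored as a choice. Swap the order: `$c = filter_var($c, FILTER_SANITIZE_STRING); if ($c !== false && $c !== '') { $_SESSION['form']->addChoice(new Choice($c)); }`. FILTER_SANITIZE_STRING also still HTML-encodes quotes to `&#39;`/`&#34;` unless FILTER_FLAG_NO_ENCODE_QUOTES is given, so the stored value is not un-encoded as the commit subject intends, and this filter is deprecated as of PHP 8.1. Input sanitizing is not a substitute for output escaping; the diffstat touches no templates, so confirm the choice text goes through htmlspecialchars wherever it is rendered. The enclosing `if (empty(...))` block begins before the hunk.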
@@ -16,6 +16,7 @@
 * Auteurs de STUdS (projet initial) : Guilhem BORGHESI (borghesi@unistra.fr) et Raphaël DROZ
 * Auteurs de Framadate/OpenSondage : Framasoft (https://github.com/framasoft https://git.framasoft.org/framasoft/framadate/)
 */
+use Framadate\Services\InputService;
 use Framadate\Services\LogService;
 use Framadate\Services\PollService;
 use Framadate\Services\MailService;
@@ -31,6 +32,7 @@ $logService = new LogService(LOG_FILE);
 $pollService = new PollService($connect, $logService);
 $mailService = new MailService($config['use_smtp']);
 $purgeService = new PurgeService($connect, $logService);
+$inputService = new InputService();
 if (is_readable('bandeaux_local.php')) {
 include_once('bandeaux_local.php');
@@ -135,7 +137,7 @@ if (!isset($_SESSION['form']->title) || !isset($_SESSION['form']->admin_name) ||
 $choice = new Choice($time);
 $_SESSION['form']->addChoice($choice);
- $schedules = $_POST['horaires'.$i];
+ $schedules = $inputService->filterArray($_POST['horaires'.$i], FILTER_DEFAULT);
 for($j = 0; $j < count($schedules); $j++) {
 if (!empty($schedules[$j])) {
 $choice->addSlot($schedules[$j]);
diff --git a/infos_sondage.php b/infos_sondage.php
index da95104..b98ccd3 100644
--- a/infos_sondage.php
+++ b/infos_sondage.php
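Review bot: The loop right after the changed line still walks `$schedules` with `for ($j = 0; $j < count($schedules); $j++)`, but filterArray (per its own docblock in this patch) keeps accepted items at their original indexes and drops the rest, so one rejected item leaves a gap: count() shrinks, `$schedules[$j]` hits an undefined index, and the slots after the gap are never added. Iterate the filtered array itself instead: `foreach ($schedules as $slot) { if (!empty($slot)) { $choice->addSlot($slot); } }`. The call also hands `$_POST['horaires'.$i]` straight to a parameter typed `array`, so a request where that key is missing or is a plain string fails with a type error rather than a clean validation failure; guard with `isset($_POST['horaires'.$i]) && is_array($_POST['horaires'.$i])` first. FILTER_DEFAULT is FILTER_UNSAFE_RAW, so this only drops non-scalar items and validates nothing about the slot text, which therefore still needs escaping at output. The enclosing loop and `if` begin before the hunk.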
@@ -40,16 +40,15 @@ if ((isset($_GET['choix_sondage']) && $_GET['choix_sondage'] == 'date') ||
 $_SESSION['form']->choix_sondage = $choix_sondage;
 }
-// On teste toutes les variables pour supprimer l'ensemble des warnings PHP
-// On transforme en entites html les données afin éviter les failles XSS
-$post_var = array('poursuivre', 'titre', 'nom', 'adresse', 'commentaires', 'editable', 'receiveNewVotes', 'creation_sondage_date', 'creation_sondage_autre');
-foreach ($post_var as $var) {
- if (isset($_POST[$var]) === true) {
- $$var = htmlentities($_POST[$var], ENT_QUOTES, 'UTF-8');
- } else {
- $$var = null;
- }
-}
+// We clean the data
+$poursuivre = filter_input(INPUT_POST, 'poursuivre', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(creation_sondage_date|creation_sondage_autre)$/']]);
+$titre = filter_input(INPUT_POST, 'titre', FILTER_SANITIZE_STRING);
+$nom = filter_input(INPUT_POST, 'nom', FILTER_SANITIZE_STRING);
+$adresse = filter_input(INPUT_POST, 'adresse', FILTER_VALIDATE_EMAIL);
+$commentaires = filter_input(INPUT_POST, 'commentaires', FILTER_SANITIZE_STRING);
+$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
+$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
+
 // On initialise également les autres variables
 $erreur_adresse = false;
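Review bot: Removing htmlentities() here leaves FILTER_SANITIZE_STRING as the only XSS control for `$titre`, `$nom` and `$commentaires`, and the diffstat shows no template changes, so every place these values are echoed must already escape them with htmlspecialchars — verify that before merging. FILTER_SANITIZE_STRING also strips tags (and can eat everything after an unmatched `<`) while still encoding quotes as entities unless FILTER_FLAG_NO_ENCODE_QUOTES is set, so the database still receives lossy, partially HTML-encoded text contrary to the commit subject, and the filter is deprecated as of PHP 8.1; `FILTER_UNSAFE_RAW` plus consistent output escaping is the durable choice. The removed loop also defined `$creation_sondage_date` and `$creation_sondage_autre` (null when absent), which the new block never assigns, so any later use in this file — not visible here — becomes an undefined-variable notice. The validated inputs now yield false on a bad value and null when absent, where the old code produced null in both cases; `empty()` checks are unaffected but `=== null` checks downstream are not. The comment `// We clean the data` should state the actual guarantee, e.g. `// Validate/sanitize POST input; values are stored raw and must be escaped on output`.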