Don't encode to HTML value before storing it to database
This commit is contained in:
parent
b7e43fb271
commit
1e2877e863
@ -29,7 +29,7 @@ class InputService {
|
|||||||
* This method filter an array calling "filter_var" on each items.
|
* This method filter an array calling "filter_var" on each items.
|
||||||
* Only items validated are added at their own indexes, the others are not returned.
|
* Only items validated are added at their own indexes, the others are not returned.
|
||||||
*/
|
*/
|
||||||
function filterArray(array $arr, $type, $options) {
|
function filterArray(array $arr, $type, $options = null) {
|
||||||
$newArr = [];
|
$newArr = [];
|
||||||
|
|
||||||
foreach($arr as $id=>$item) {
|
foreach($arr as $id=>$item) {
|
||||||
|
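Review bot: The docblock above `filterArray` does not document `$type` or the newly optional `$options`, nor what a `null` `$options` means; add ` * @param int $type a FILTER_* constant applied to every item` and ` * @param array|int|null $options forwarded to filter_var when given, otherwise filter_var's default applies`. Whether a `null` `$options` is handed to `filter_var` as-is or replaced cannot be seen here, since the function body continues outside the hunk. The call site added elsewhere in this commit passes only `FILTER_DEFAULT`, which performs no sanitisation, so the docblock should state plainly that this method filters/validates and does not encode, leaving escaping to the output layer.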
@ -134,7 +134,8 @@ if (empty($_SESSION['form']->title) || empty($_SESSION['form']->admin_name) || (
|
|||||||
$_SESSION['form']->clearChoices();
|
$_SESSION['form']->clearChoices();
|
||||||
foreach ($_POST['choices'] as $c) {
|
foreach ($_POST['choices'] as $c) {
|
||||||
if (!empty($c)) {
|
if (!empty($c)) {
|
||||||
$choice = new Choice(htmlentities(html_entity_decode($c, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8'));
|
$c = filter_var($c, FILTER_SANITIZE_STRING);
|
||||||
|
$choice = new Choice($c);
|
||||||
$_SESSION['form']->addChoice($choice);
|
$_SESSION['form']->addChoice($choice);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
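Review bot: `if (!empty($c))` is evaluated before the sanitisation on the next line, so an input that `FILTER_SANITIZE_STRING` reduces to an empty string (for instance a bare tag) still yields an empty `Choice`; move the check after the filter, `$c = filter_var($c, FILTER_SANITIZE_STRING); if (!empty($c)) { $choice = new Choice($c); ... }`. `FILTER_SANITIZE_STRING` is also lossy (everything after a `<` is dropped) and still turns quotes into HTML entities, which works against the commit's stated aim of storing un-encoded values, and it is deprecated since PHP 8.1. Storing the trimmed raw value and escaping with `htmlspecialchars` at output time is the consistent choice, provided the templates do escape. The enclosing conditional block starts outside the hunk.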
@ -16,6 +16,7 @@
|
|||||||
* Auteurs de STUdS (projet initial) : Guilhem BORGHESI (borghesi@unistra.fr) et Raphaël DROZ
|
* Auteurs de STUdS (projet initial) : Guilhem BORGHESI (borghesi@unistra.fr) et Raphaël DROZ
|
||||||
* Auteurs de Framadate/OpenSondage : Framasoft (https://github.com/framasoft https://git.framasoft.org/framasoft/framadate/)
|
* Auteurs de Framadate/OpenSondage : Framasoft (https://github.com/framasoft https://git.framasoft.org/framasoft/framadate/)
|
||||||
*/
|
*/
|
||||||
|
use Framadate\Services\InputService;
|
||||||
use Framadate\Services\LogService;
|
use Framadate\Services\LogService;
|
||||||
use Framadate\Services\PollService;
|
use Framadate\Services\PollService;
|
||||||
use Framadate\Services\MailService;
|
use Framadate\Services\MailService;
|
||||||
@ -31,6 +32,7 @@ $logService = new LogService(LOG_FILE);
|
|||||||
$pollService = new PollService($connect, $logService);
|
$pollService = new PollService($connect, $logService);
|
||||||
$mailService = new MailService($config['use_smtp']);
|
$mailService = new MailService($config['use_smtp']);
|
||||||
$purgeService = new PurgeService($connect, $logService);
|
$purgeService = new PurgeService($connect, $logService);
|
||||||
|
$inputService = new InputService();
|
||||||
|
|
||||||
if (is_readable('bandeaux_local.php')) {
|
if (is_readable('bandeaux_local.php')) {
|
||||||
include_once('bandeaux_local.php');
|
include_once('bandeaux_local.php');
|
||||||
@ -135,7 +137,7 @@ if (!isset($_SESSION['form']->title) || !isset($_SESSION['form']->admin_name) ||
|
|||||||
$choice = new Choice($time);
|
$choice = new Choice($time);
|
||||||
$_SESSION['form']->addChoice($choice);
|
$_SESSION['form']->addChoice($choice);
|
||||||
|
|
||||||
$schedules = $_POST['horaires'.$i];
|
$schedules = $inputService->filterArray($_POST['horaires'.$i], FILTER_DEFAULT);
|
||||||
for($j = 0; $j < count($schedules); $j++) {
|
for($j = 0; $j < count($schedules); $j++) {
|
||||||
if (!empty($schedules[$j])) {
|
if (!empty($schedules[$j])) {
|
||||||
$choice->addSlot($schedules[$j]);
|
$choice->addSlot($schedules[$j]);
|
||||||
|
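Review bot: `$_POST['horaires'.$i]` is passed straight into a parameter declared `array $arr`, so a request carrying a scalar or nothing under that key raises a TypeError (or a notice) rather than being handled; guard with `is_array($_POST['horaires'.$i] ?? null)` before the call. The loop below still walks the result with `for ($j = 0; $j < count($schedules); $j++)`, yet filterArray's docblock says rejected items are omitted while the rest keep their indexes, so a sparse result would read undefined `$schedules[$j]` entries and skip the tail — with FILTER_DEFAULT that presumably only happens for non-scalar items, but `foreach ($schedules as $slot)` removes the dependency on dense indexes. Note that FILTER_DEFAULT performs no sanitisation, so the stored slots rely entirely on output-side escaping. The enclosing block continues outside the hunk.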
@ -40,16 +40,15 @@ if ((isset($_GET['choix_sondage']) && $_GET['choix_sondage'] == 'date') ||
|
|||||||
$_SESSION['form']->choix_sondage = $choix_sondage;
|
$_SESSION['form']->choix_sondage = $choix_sondage;
|
||||||
}
|
}
|
||||||
|
|
||||||
// On teste toutes les variables pour supprimer l'ensemble des warnings PHP
|
// We clean the data
|
||||||
// On transforme en entites html les données afin éviter les failles XSS
|
$poursuivre = filter_input(INPUT_POST, 'poursuivre', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(creation_sondage_date|creation_sondage_autre)$/']]);
|
||||||
$post_var = array('poursuivre', 'titre', 'nom', 'adresse', 'commentaires', 'editable', 'receiveNewVotes', 'creation_sondage_date', 'creation_sondage_autre');
|
$titre = filter_input(INPUT_POST, 'titre', FILTER_SANITIZE_STRING);
|
||||||
foreach ($post_var as $var) {
|
$nom = filter_input(INPUT_POST, 'nom', FILTER_SANITIZE_STRING);
|
||||||
if (isset($_POST[$var]) === true) {
|
$adresse = filter_input(INPUT_POST, 'adresse', FILTER_VALIDATE_EMAIL);
|
||||||
$$var = htmlentities($_POST[$var], ENT_QUOTES, 'UTF-8');
|
$commentaires = filter_input(INPUT_POST, 'commentaires', FILTER_SANITIZE_STRING);
|
||||||
} else {
|
$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
|
||||||
$$var = null;
|
$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// On initialise également les autres variables
|
// On initialise également les autres variables
|
||||||
$erreur_adresse = false;
|
$erreur_adresse = false;
|
||||||
|
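Review bot: The removed loop also assigned `$creation_sondage_date` and `$creation_sondage_autre` from the `$post_var` list, and the replacement block no longer defines them; if code after the hunk still reads those variables it will now meet an undefined variable. The `filter_input` calls also change the failure value: a missing field yields `null` as before, but a field that fails validation (`$poursuivre`, `$adresse`, `$editable`, `$receiveNewVotes`) now yields `false`, so any downstream check written against `null` needs a look. `FILTER_SANITIZE_STRING` on `$titre`, `$nom` and `$commentaires` still encodes quotes as HTML entities and strips text after a `<`, and is deprecated since PHP 8.1; if the intent is to store raw text, `FILTER_UNSAFE_RAW` together with consistent escaping at output is the coherent choice.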