Chapril/date.chapril.org-framadate
Chapril/date.chapril.org-framadate
24
1
Fork 0
Code Issues Pull Requests Releases Activity

Don't encode to HTML value before storing it to database

Browse Source
This commit is contained in:
Olivier PEREZ 2015-01-05 23:30:47 +01:00
parent b7e43fb271
commit 1e2877e863
4 changed files with 15 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/classes/Framadate/Services/InputService.php
View File

@ -29,7 +29,7 @@ class InputService {
* This method filter an array calling "filter_var" on each items.
* Only items validated are added at their own indexes, the others are not returned.
*/
function filterArray(array $arr, $type, $options) {
function filterArray(array $arr, $type, $options = null) {
$newArr = [];
foreach($arr as $id=>$item) {

3
choix_autre.php
View File

@ -134,7 +134,8 @@ if (empty($_SESSION['form']->title) || empty($_SESSION['form']->admin_name) || (
$_SESSION['form']->clearChoices();
foreach ($_POST['choices'] as $c) {
if (!empty($c)) {
$choice = new Choice(htmlentities(html_entity_decode($c, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8'));
$c = filter_var($c, FILTER_SANITIZE_STRING);
$choice = new Choice($c);
$_SESSION['form']->addChoice($choice);
}
}

4
choix_date.php
View File

@ -16,6 +16,7 @@
* Auteurs de STUdS (projet initial) : Guilhem BORGHESI (borghesi@unistra.fr) et Raphaël DROZ
* Auteurs de Framadate/OpenSondage : Framasoft (https://github.com/framasoft https://git.framasoft.org/framasoft/framadate/)
*/
use Framadate\Services\InputService;
use Framadate\Services\LogService;
use Framadate\Services\PollService;
use Framadate\Services\MailService;
@ -31,6 +32,7 @@ $logService = new LogService(LOG_FILE);
$pollService = new PollService($connect, $logService);
$mailService = new MailService($config['use_smtp']);
$purgeService = new PurgeService($connect, $logService);
$inputService = new InputService();
if (is_readable('bandeaux_local.php')) {
include_once('bandeaux_local.php');
@ -135,7 +137,7 @@ if (!isset($_SESSION['form']->title) || !isset($_SESSION['form']->admin_name) ||
$choice = new Choice($time);
$_SESSION['form']->addChoice($choice);
$schedules = $_POST['horaires'.$i];
$schedules = $inputService->filterArray($_POST['horaires'.$i], FILTER_DEFAULT);
for($j = 0; $j < count($schedules); $j++) {
if (!empty($schedules[$j])) {
$choice->addSlot($schedules[$j]);

19
infos_sondage.php
View File

@ -40,16 +40,15 @@ if ((isset($_GET['choix_sondage']) && $_GET['choix_sondage'] == 'date') ||
$_SESSION['form']->choix_sondage = $choix_sondage;
}
// On teste toutes les variables pour supprimer l'ensemble des warnings PHP
// On transforme en entites html les données afin éviter les failles XSS
$post_var = array('poursuivre', 'titre', 'nom', 'adresse', 'commentaires', 'editable', 'receiveNewVotes', 'creation_sondage_date', 'creation_sondage_autre');
foreach ($post_var as $var) {
if (isset($_POST[$var]) === true) {
$$var = htmlentities($_POST[$var], ENT_QUOTES, 'UTF-8');
} else {
$$var = null;
}
}
// We clean the data
$poursuivre = filter_input(INPUT_POST, 'poursuivre', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(creation_sondage_date|creation_sondage_autre)$/']]);
$titre = filter_input(INPUT_POST, 'titre', FILTER_SANITIZE_STRING);
$nom = filter_input(INPUT_POST, 'nom', FILTER_SANITIZE_STRING);
$adresse = filter_input(INPUT_POST, 'adresse', FILTER_VALIDATE_EMAIL);
$commentaires = filter_input(INPUT_POST, 'commentaires', FILTER_SANITIZE_STRING);
$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
// On initialise également les autres variables
$erreur_adresse = false;