Chapril/date.chapril.org-framadate
Chapril/date.chapril.org-framadate
24
1
Fork 0
Code Issues Pull Requests Releases Activity

Refactor the input filter system

Browse Source
This commit is contained in:
Olivier PEREZ 2015-04-11 16:02:07 +02:00
parent 39c041135a
commit 201d5168fe
6 changed files with 77 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
admin/purge.php
View File

@ -39,7 +39,8 @@ $securityService = new SecurityService();
/* POST */
/*-----*/
$action = filter_input(INPUT_POST, 'action', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$action = $inputService->filterName($_POST['action']);
/* PAGE */
/* ---- */

19
adminstuds.php
View File

@ -69,19 +69,19 @@ if (isset($_POST['update_poll_info'])) {
// Update the right poll field
if ($field == 'title') {
$title = strip_tags($_POST['title']);
$title = $inputService->filterTitle($_POST['title']);
if ($title) {
$poll->title = $title;
$updated = true;
}
} elseif ($field == 'admin_mail') {
$admin_mail = filter_input(INPUT_POST, 'admin_mail', FILTER_VALIDATE_EMAIL);
$admin_mail = $inputService->filterMail($_POST['admin_mail']);
if ($admin_mail) {
$poll->admin_mail = $admin_mail;
$updated = true;
}
} elseif ($field == 'description') {
$description = strip_tags($_POST['description']);
$description = $inputService->filterDescription($_POST['description']);
if ($description) {
$poll->description = $description;
$updated = true;
@ -117,14 +117,13 @@ if (isset($_POST['update_poll_info'])) {
$updated = true;
}
} elseif ($field == 'name') {
$admin_name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$admin_name = $inputService->filterName($_POST['name']);
if ($admin_name) {
$poll->admin_name = $admin_name;
$updated = true;
}
} elseif ($field == 'hidden') {
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
$hidden = $hidden==null?false:true;
$hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
if ($hidden != $poll->hidden) {
$poll->hidden = $hidden;
$updated = true;
@ -153,7 +152,7 @@ if (!empty($_GET['vote'])) {
// -------------------------------
if (!empty($_POST['save'])) { // Save edition of an old vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$name = $inputService->filterName($_POST['name']);
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
@ -174,7 +173,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
}
}
} elseif (isset($_POST['save'])) { // Add a new vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$name = $inputService->filterName($_POST['name']);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
if (empty($name)) {
@ -232,8 +231,8 @@ if (isset($_POST['confirm_remove_all_votes'])) {
// -------------------------------
if (isset($_POST['add_comment'])) {
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$comment = strip_tags($_POST['comment']);
$name = $inputService->filterName($_POST['name']);
$comment = $inputService->filterComment($_POST['comment']);
if (empty($name)) {
$message = new Message('danger', __('Error', 'The name is invalid'));

29
app/classes/Framadate/Services/InputService.php
View File

@ -50,4 +50,33 @@ class InputService {
return in_array($value, $allowedValues, true) ? $value : null;
}
public function filterTitle($title) {
return filter_var($title, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => TITLE_REGEX]]);
}
public function filterName($name) {
return filter_var($name, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
}
public function filterMail($mail) {
return filter_var($mail, FILTER_VALIDATE_EMAIL);
}
public function filterDescription($description) {
$description = str_replace("\r\n", "\n", $description);
return filter_var($description, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => DESCRIPTION_REGEX]]);
}
public function filterBoolean($boolean) {
return !!filter_var($boolean, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_TRUE_REGEX]]);
}
public function filterEditable($editable) {
return filter_var($editable, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]);
}
public function filterComment($comment) {
return filter_var($comment, FILTER_SANITIZE_STRING);
}
}

8
app/inc/constants.php
View File

@ -21,10 +21,14 @@
const VERSION = '0.9';
// Regex
const POLL_REGEX = '/^[a-zA-Z0-9]+$/';
const POLL_REGEX = '/^[a-z0-9]+$/i';
const CHOICE_REGEX = '/^[012]$/';
const NAME_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9_ -]+$/i';
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/';
const TITLE_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &"\'(_)=~#{|`^@}$[\\]\\\\,;:!?.*-]+$/i';
const DESCRIPTION_REGEX = "/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &\"'(_)=~#{|`^@}$[\\]\\\\,;:!?.*\n-]+$/i";
const COMMENT_REGEX = DESCRIPTION_REGEX;
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/i';
const BOOLEAN_TRUE_REGEX = '/^(on|true|1)$/i';
const EDITABLE_CHOICE_REGEX = '/^[0-2]$/';
// CSRF (300s = 5min)

47
create_poll.php
View File

@ -18,13 +18,22 @@
*/
use Framadate\Form;
use Framadate\Editable;
use Framadate\Services\InputService;
use Framadate\Utils;
include_once __DIR__ . '/app/inc/init.php';
const GO_TO_STEP_2 = 'gotostep2';
/* Services */
/*----------*/
$inputService = new InputService();
/* PAGE */
/* ---- */
if (!isset($_SESSION['form'])) {
$_SESSION['form'] = new Form();
}
@ -42,32 +51,30 @@ if (isset($_GET['type']) && $_GET['type'] == 'date' ||
// We clean the data
$goToStep2 = filter_input(INPUT_POST, GO_TO_STEP_2, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(date|classic)$/']]);
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$mail = filter_input(INPUT_POST, 'mail', FILTER_VALIDATE_EMAIL);
$description = filter_input(INPUT_POST, 'description', FILTER_SANITIZE_STRING);
$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]);
$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
$receiveNewComments = filter_input(INPUT_POST, 'receiveNewComments', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
if ($goToStep2) {
$title = $inputService->filterTitle($_POST['title']);
$name = $inputService->filterName($_POST['name']);
$mail = $inputService->filterMail($_POST['mail']);
$description = $inputService->filterDescription($_POST['description']);
$editable = $inputService->filterEditable($_POST['editable']);
$receiveNewVotes = isset($_POST['receiveNewVotes']) ? $inputService->filterBoolean($_POST['receiveNewVotes']) : false;
$receiveNewComments = isset($_POST['receiveNewComments']) ? $inputService->filterBoolean($_POST['receiveNewComments']) : false;
$hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
// On initialise également les autres variables
$error_on_mail = false;
$error_on_title = false;
$error_on_name = false;
$error_on_description = false;
// On initialise <20>galement les autres variables
$error_on_mail = false;
$error_on_title = false;
$error_on_name = false;
$error_on_description = false;
if (!empty($_POST[GO_TO_STEP_2])) {
$_SESSION['form']->title = $title;
$_SESSION['form']->admin_name = $name;
$_SESSION['form']->admin_mail = $mail;
$_SESSION['form']->description = $description;
$_SESSION['form']->editable = $editable;
$_SESSION['form']->receiveNewVotes = ($receiveNewVotes !== null);
$_SESSION['form']->receiveNewComments = ($receiveNewComments !== null);
$_SESSION['form']->hidden = ($hidden !== null);
$_SESSION['form']->receiveNewVotes = $receiveNewVotes;
$_SESSION['form']->receiveNewComments = $receiveNewComments;
$_SESSION['form']->hidden = $hidden;
if ($config['use_smtp'] == true) {
if (empty($mail)) {

8
studs.php
View File

@ -118,7 +118,7 @@ if (!empty($_GET['vote'])) {
// -------------------------------
if (!empty($_POST['save'])) { // Save edition of an old vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$name = $inputService->filterName($_POST['name']);
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
@ -146,7 +146,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
}
}
} elseif (isset($_POST['save'])) { // Add a new vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$name = $inputService->filterName($_POST['name']);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
if (empty($name)) {
@ -178,8 +178,8 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
// -------------------------------
if (isset($_POST['add_comment'])) {
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$comment = strip_tags($_POST['comment']);
$name = $inputService->filterName($_POST['name']);
$comment = $inputService->filterComment($_POST['comment']);
if (empty($name)) {
$message = new Message('danger', __('Error', 'Name is incorrect'));