Refactor the input filter system
This commit is contained in:
parent
39c041135a
commit
201d5168fe
@ -39,7 +39,8 @@ $securityService = new SecurityService();
|
|||||||
|
|
||||||
/* POST */
|
/* POST */
|
||||||
/*-----*/
|
/*-----*/
|
||||||
$action = filter_input(INPUT_POST, 'action', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
|
||||||
|
$action = $inputService->filterName($_POST['action']);
|
||||||
|
|
||||||
/* PAGE */
|
/* PAGE */
|
||||||
/* ---- */
|
/* ---- */
|
||||||
|
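Review bot: `$action = $inputService->filterName($_POST['action']);` reads `$_POST['action']` directly, so a request without that field raises an undefined-index notice and hands null to `filter_var`, where the replaced `filter_input` call returned null quietly. Guard the read the way this commit already does for `hidden`: `$action = isset($_POST['action']) ? $inputService->filterName($_POST['action']) : null;`. The same unguarded `$_POST[...]` reads recur in every later hunk that swaps `filter_input`/`strip_tags` for an `$inputService->filter*` call (title, admin_mail, description, name, comment, mail, editable), so the guard belongs inside the service or at each call site. Note also that `filter_var` with FILTER_VALIDATE_REGEXP yields false rather than null on a non-matching value, so any caller still comparing against null will treat a rejected value as valid.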
@ -69,19 +69,19 @@ if (isset($_POST['update_poll_info'])) {
|
|||||||
|
|
||||||
// Update the right poll field
|
// Update the right poll field
|
||||||
if ($field == 'title') {
|
if ($field == 'title') {
|
||||||
$title = strip_tags($_POST['title']);
|
$title = $inputService->filterTitle($_POST['title']);
|
||||||
if ($title) {
|
if ($title) {
|
||||||
$poll->title = $title;
|
$poll->title = $title;
|
||||||
$updated = true;
|
$updated = true;
|
||||||
}
|
}
|
||||||
} elseif ($field == 'admin_mail') {
|
} elseif ($field == 'admin_mail') {
|
||||||
$admin_mail = filter_input(INPUT_POST, 'admin_mail', FILTER_VALIDATE_EMAIL);
|
$admin_mail = $inputService->filterMail($_POST['admin_mail']);
|
||||||
if ($admin_mail) {
|
if ($admin_mail) {
|
||||||
$poll->admin_mail = $admin_mail;
|
$poll->admin_mail = $admin_mail;
|
||||||
$updated = true;
|
$updated = true;
|
||||||
}
|
}
|
||||||
} elseif ($field == 'description') {
|
} elseif ($field == 'description') {
|
||||||
$description = strip_tags($_POST['description']);
|
$description = $inputService->filterDescription($_POST['description']);
|
||||||
if ($description) {
|
if ($description) {
|
||||||
$poll->description = $description;
|
$poll->description = $description;
|
||||||
$updated = true;
|
$updated = true;
|
||||||
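Review bot: replacing `strip_tags` with `filterTitle`/`filterDescription` changes sanitising into rejection, and the rejection is silent: a title containing any character outside TITLE_REGEX now comes back as false, `if ($title)` skips the update, and the user gets no message explaining why nothing changed, whereas before the tag-stripped value was saved. Add an `else` to the `if ($title)` and `if ($description)` branches that sets a danger `Message` (the same pattern the comment hunk uses for an invalid name), or have the service return the failure reason. The `update_poll_info` block that encloses this chain starts above the hunk and continues past it.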
@ -117,14 +117,13 @@ if (isset($_POST['update_poll_info'])) {
|
|||||||
$updated = true;
|
$updated = true;
|
||||||
}
|
}
|
||||||
} elseif ($field == 'name') {
|
} elseif ($field == 'name') {
|
||||||
$admin_name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$admin_name = $inputService->filterName($_POST['name']);
|
||||||
if ($admin_name) {
|
if ($admin_name) {
|
||||||
$poll->admin_name = $admin_name;
|
$poll->admin_name = $admin_name;
|
||||||
$updated = true;
|
$updated = true;
|
||||||
}
|
}
|
||||||
} elseif ($field == 'hidden') {
|
} elseif ($field == 'hidden') {
|
||||||
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
$hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
|
||||||
$hidden = $hidden==null?false:true;
|
|
||||||
if ($hidden != $poll->hidden) {
|
if ($hidden != $poll->hidden) {
|
||||||
$poll->hidden = $hidden;
|
$poll->hidden = $hidden;
|
||||||
$updated = true;
|
$updated = true;
|
||||||
@ -153,7 +152,7 @@ if (!empty($_GET['vote'])) {
|
|||||||
// -------------------------------
|
// -------------------------------
|
||||||
|
|
||||||
if (!empty($_POST['save'])) { // Save edition of an old vote
|
if (!empty($_POST['save'])) { // Save edition of an old vote
|
||||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$name = $inputService->filterName($_POST['name']);
|
||||||
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
|
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
|
||||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||||
|
|
||||||
@ -174,7 +173,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
} elseif (isset($_POST['save'])) { // Add a new vote
|
} elseif (isset($_POST['save'])) { // Add a new vote
|
||||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$name = $inputService->filterName($_POST['name']);
|
||||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||||
|
|
||||||
if (empty($name)) {
|
if (empty($name)) {
|
||||||
@ -232,8 +231,8 @@ if (isset($_POST['confirm_remove_all_votes'])) {
|
|||||||
// -------------------------------
|
// -------------------------------
|
||||||
|
|
||||||
if (isset($_POST['add_comment'])) {
|
if (isset($_POST['add_comment'])) {
|
||||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$name = $inputService->filterName($_POST['name']);
|
||||||
$comment = strip_tags($_POST['comment']);
|
$comment = $inputService->filterComment($_POST['comment']);
|
||||||
|
|
||||||
if (empty($name)) {
|
if (empty($name)) {
|
||||||
$message = new Message('danger', __('Error', 'The name is invalid'));
|
$message = new Message('danger', __('Error', 'The name is invalid'));
|
||||||
|
@ -50,4 +50,33 @@ class InputService {
|
|||||||
return in_array($value, $allowedValues, true) ? $value : null;
|
return in_array($value, $allowedValues, true) ? $value : null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function filterTitle($title) {
|
||||||
|
return filter_var($title, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => TITLE_REGEX]]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function filterName($name) {
|
||||||
|
return filter_var($name, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function filterMail($mail) {
|
||||||
|
return filter_var($mail, FILTER_VALIDATE_EMAIL);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function filterDescription($description) {
|
||||||
|
$description = str_replace("\r\n", "\n", $description);
|
||||||
|
return filter_var($description, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => DESCRIPTION_REGEX]]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function filterBoolean($boolean) {
|
||||||
|
return !!filter_var($boolean, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_TRUE_REGEX]]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function filterEditable($editable) {
|
||||||
|
return filter_var($editable, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function filterComment($comment) {
|
||||||
|
return filter_var($comment, FILTER_SANITIZE_STRING);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
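Review bot: `filterComment` sanitises with FILTER_SANITIZE_STRING while the constants hunk defines `COMMENT_REGEX = DESCRIPTION_REGEX`, which nothing uses; the two are inconsistent in kind, because every other filter* method rejects non-matching input whereas this one rewrites it, stripping tags and turning `'`/`"` into HTML entities before storage, which invites double-encoding when the template escapes on output. FILTER_SANITIZE_STRING is also deprecated since PHP 8.1. `return filter_var($comment, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => COMMENT_REGEX]]);` would make comments behave like descriptions and keep escaping at the output layer. The new methods also carry no docblocks; a short note on each that it returns the validated value or false (filterBoolean excepted, which returns a bool), plus `@param string` / `@return string|false`, would document the contract callers rely on. The `class InputService` header sits above the hunk.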
@ -21,10 +21,14 @@
|
|||||||
const VERSION = '0.9';
|
const VERSION = '0.9';
|
||||||
|
|
||||||
// Regex
|
// Regex
|
||||||
const POLL_REGEX = '/^[a-zA-Z0-9]+$/';
|
const POLL_REGEX = '/^[a-z0-9]+$/i';
|
||||||
const CHOICE_REGEX = '/^[012]$/';
|
const CHOICE_REGEX = '/^[012]$/';
|
||||||
const NAME_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9_ -]+$/i';
|
const NAME_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9_ -]+$/i';
|
||||||
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/';
|
const TITLE_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &"\'(_)=~#{|`^@}$[\\]\\\\,;:!?.*-]+$/i';
|
||||||
|
const DESCRIPTION_REGEX = "/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &\"'(_)=~#{|`^@}$[\\]\\\\,;:!?.*\n-]+$/i";
|
||||||
|
const COMMENT_REGEX = DESCRIPTION_REGEX;
|
||||||
|
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/i';
|
||||||
|
const BOOLEAN_TRUE_REGEX = '/^(on|true|1)$/i';
|
||||||
const EDITABLE_CHOICE_REGEX = '/^[0-2]$/';
|
const EDITABLE_CHOICE_REGEX = '/^[0-2]$/';
|
||||||
|
|
||||||
// CSRF (300s = 5min)
|
// CSRF (300s = 5min)
|
||||||
|
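Review bot: the new TITLE_REGEX, and the NAME_REGEX, BOOLEAN_REGEX and BOOLEAN_TRUE_REGEX next to it, anchor with `$` but lack the `D` modifier, so PCRE's `$` also matches before a trailing newline and a value such as `"title\n"` passes validation with the newline preserved (DESCRIPTION_REGEX allows `\n` deliberately, so it is unaffected). Add `D` to the anchored whitelists, e.g. `const TITLE_REGEX = '/^[...]+$/iD';` and `const BOOLEAN_TRUE_REGEX = '/^(on|true|1)$/iD';`. The character classes also impose no length bound, so whatever limit the storage layer applies is the only one; if a maximum title or description length is intended it should be expressed here or in the service.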
@ -18,13 +18,22 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
use Framadate\Form;
|
use Framadate\Form;
|
||||||
use Framadate\Editable;
|
use Framadate\Services\InputService;
|
||||||
use Framadate\Utils;
|
use Framadate\Utils;
|
||||||
|
|
||||||
include_once __DIR__ . '/app/inc/init.php';
|
include_once __DIR__ . '/app/inc/init.php';
|
||||||
|
|
||||||
const GO_TO_STEP_2 = 'gotostep2';
|
const GO_TO_STEP_2 = 'gotostep2';
|
||||||
|
|
||||||
|
|
||||||
|
/* Services */
|
||||||
|
/*----------*/
|
||||||
|
|
||||||
|
$inputService = new InputService();
|
||||||
|
|
||||||
|
/* PAGE */
|
||||||
|
/* ---- */
|
||||||
|
|
||||||
if (!isset($_SESSION['form'])) {
|
if (!isset($_SESSION['form'])) {
|
||||||
$_SESSION['form'] = new Form();
|
$_SESSION['form'] = new Form();
|
||||||
}
|
}
|
||||||
@ -42,32 +51,30 @@ if (isset($_GET['type']) && $_GET['type'] == 'date' ||
|
|||||||
|
|
||||||
// We clean the data
|
// We clean the data
|
||||||
$goToStep2 = filter_input(INPUT_POST, GO_TO_STEP_2, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(date|classic)$/']]);
|
$goToStep2 = filter_input(INPUT_POST, GO_TO_STEP_2, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(date|classic)$/']]);
|
||||||
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);
|
if ($goToStep2) {
|
||||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$title = $inputService->filterTitle($_POST['title']);
|
||||||
$mail = filter_input(INPUT_POST, 'mail', FILTER_VALIDATE_EMAIL);
|
$name = $inputService->filterName($_POST['name']);
|
||||||
$description = filter_input(INPUT_POST, 'description', FILTER_SANITIZE_STRING);
|
$mail = $inputService->filterMail($_POST['mail']);
|
||||||
$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]);
|
$description = $inputService->filterDescription($_POST['description']);
|
||||||
$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
$editable = $inputService->filterEditable($_POST['editable']);
|
||||||
$receiveNewComments = filter_input(INPUT_POST, 'receiveNewComments', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
$receiveNewVotes = isset($_POST['receiveNewVotes']) ? $inputService->filterBoolean($_POST['receiveNewVotes']) : false;
|
||||||
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
$receiveNewComments = isset($_POST['receiveNewComments']) ? $inputService->filterBoolean($_POST['receiveNewComments']) : false;
|
||||||
|
$hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
|
||||||
|
|
||||||
|
// On initialise également les autres variables
|
||||||
// On initialise <20>galement les autres variables
|
|
||||||
$error_on_mail = false;
|
$error_on_mail = false;
|
||||||
$error_on_title = false;
|
$error_on_title = false;
|
||||||
$error_on_name = false;
|
$error_on_name = false;
|
||||||
$error_on_description = false;
|
$error_on_description = false;
|
||||||
|
|
||||||
|
|
||||||
if (!empty($_POST[GO_TO_STEP_2])) {
|
|
||||||
$_SESSION['form']->title = $title;
|
$_SESSION['form']->title = $title;
|
||||||
$_SESSION['form']->admin_name = $name;
|
$_SESSION['form']->admin_name = $name;
|
||||||
$_SESSION['form']->admin_mail = $mail;
|
$_SESSION['form']->admin_mail = $mail;
|
||||||
$_SESSION['form']->description = $description;
|
$_SESSION['form']->description = $description;
|
||||||
$_SESSION['form']->editable = $editable;
|
$_SESSION['form']->editable = $editable;
|
||||||
$_SESSION['form']->receiveNewVotes = ($receiveNewVotes !== null);
|
$_SESSION['form']->receiveNewVotes = $receiveNewVotes;
|
||||||
$_SESSION['form']->receiveNewComments = ($receiveNewComments !== null);
|
$_SESSION['form']->receiveNewComments = $receiveNewComments;
|
||||||
$_SESSION['form']->hidden = ($hidden !== null);
|
$_SESSION['form']->hidden = $hidden;
|
||||||
|
|
||||||
if ($config['use_smtp'] == true) {
|
if ($config['use_smtp'] == true) {
|
||||||
if (empty($mail)) {
|
if (empty($mail)) {
|
||||||
|
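Review bot: the `$error_on_*` flags and the `$title`/`$name`/`$mail`/`$description`/`$editable` assignments are now made only inside `if ($goToStep2) {`, where the old code set them unconditionally and gated just the session writes with `if (!empty($_POST[GO_TO_STEP_2]))`; any read of these variables after the block, which continues past the hunk, would now hit an undefined variable on a request without a valid `gotostep2`. Either restore the unconditional initialisation (`$error_on_mail = false;` and the other three before the `if`) or confirm nothing outside the block reads them. Inside the block, `filterEditable($_POST['editable'])` returns false on an invalid value and that false is written to `$_SESSION['form']->editable` unchecked, unlike `$mail`, which gets `if (empty($mail))` below.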
@ -118,7 +118,7 @@ if (!empty($_GET['vote'])) {
|
|||||||
// -------------------------------
|
// -------------------------------
|
||||||
|
|
||||||
if (!empty($_POST['save'])) { // Save edition of an old vote
|
if (!empty($_POST['save'])) { // Save edition of an old vote
|
||||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$name = $inputService->filterName($_POST['name']);
|
||||||
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
|
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
|
||||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||||
|
|
||||||
@ -146,7 +146,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
} elseif (isset($_POST['save'])) { // Add a new vote
|
} elseif (isset($_POST['save'])) { // Add a new vote
|
||||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$name = $inputService->filterName($_POST['name']);
|
||||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||||
|
|
||||||
if (empty($name)) {
|
if (empty($name)) {
|
||||||
@ -178,8 +178,8 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
|
|||||||
// -------------------------------
|
// -------------------------------
|
||||||
|
|
||||||
if (isset($_POST['add_comment'])) {
|
if (isset($_POST['add_comment'])) {
|
||||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
$name = $inputService->filterName($_POST['name']);
|
||||||
$comment = strip_tags($_POST['comment']);
|
$comment = $inputService->filterComment($_POST['comment']);
|
||||||
|
|
||||||
if (empty($name)) {
|
if (empty($name)) {
|
||||||
$message = new Message('danger', __('Error', 'Name is incorrect'));
|
$message = new Message('danger', __('Error', 'Name is incorrect'));
|
||||||
|