Refactor the input filter system

This commit is contained in:
Olivier PEREZ 2015-04-11 16:02:07 +02:00
parent 39c041135a
commit 201d5168fe
6 changed files with 77 additions and 37 deletions


@ -39,7 +39,8 @@ $securityService = new SecurityService();
/* POST */ /* POST */
/*-----*/ /*-----*/
$action = filter_input(INPUT_POST, 'action', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
$action = $inputService->filterName($_POST['action']);
/* PAGE */ /* PAGE */
/* ---- */ /* ---- */
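Review bot: The new line reads `$_POST['action']` without an isset() guard, whereas the filter_input() call it replaces returned null for an absent field; a request that omits `action` now raises an undefined-index notice before filterName() runs. NAME_REGEX also admits spaces, accents and `-`, which is looser than an action selector needs, so if `$action` is later compared against a fixed set of actions, the allowed-values check already present in InputService (`in_array($value, $allowedValues, true)`) would be the tighter filter. Suggested line: `$action = $inputService->filterName(isset($_POST['action']) ? $_POST['action'] : null);`. The surrounding script continues outside the hunk.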


@ -69,19 +69,19 @@ if (isset($_POST['update_poll_info'])) {
// Update the right poll field // Update the right poll field
if ($field == 'title') { if ($field == 'title') {
$title = strip_tags($_POST['title']); $title = $inputService->filterTitle($_POST['title']);
if ($title) { if ($title) {
$poll->title = $title; $poll->title = $title;
$updated = true; $updated = true;
} }
} elseif ($field == 'admin_mail') { } elseif ($field == 'admin_mail') {
$admin_mail = filter_input(INPUT_POST, 'admin_mail', FILTER_VALIDATE_EMAIL); $admin_mail = $inputService->filterMail($_POST['admin_mail']);
if ($admin_mail) { if ($admin_mail) {
$poll->admin_mail = $admin_mail; $poll->admin_mail = $admin_mail;
$updated = true; $updated = true;
} }
} elseif ($field == 'description') { } elseif ($field == 'description') {
$description = strip_tags($_POST['description']); $description = $inputService->filterDescription($_POST['description']);
if ($description) { if ($description) {
$poll->description = $description; $poll->description = $description;
$updated = true; $updated = true;
@ -117,14 +117,13 @@ if (isset($_POST['update_poll_info'])) {
$updated = true; $updated = true;
} }
} elseif ($field == 'name') { } elseif ($field == 'name') {
$admin_name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $admin_name = $inputService->filterName($_POST['name']);
if ($admin_name) { if ($admin_name) {
$poll->admin_name = $admin_name; $poll->admin_name = $admin_name;
$updated = true; $updated = true;
} }
} elseif ($field == 'hidden') { } elseif ($field == 'hidden') {
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]); $hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
$hidden = $hidden==null?false:true;
if ($hidden != $poll->hidden) { if ($hidden != $poll->hidden) {
$poll->hidden = $hidden; $poll->hidden = $hidden;
$updated = true; $updated = true;
@ -153,7 +152,7 @@ if (!empty($_GET['vote'])) {
// ------------------------------- // -------------------------------
if (!empty($_POST['save'])) { // Save edition of an old vote if (!empty($_POST['save'])) { // Save edition of an old vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $name = $inputService->filterName($_POST['name']);
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT); $editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]); $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
@ -174,7 +173,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
} }
} }
} elseif (isset($_POST['save'])) { // Add a new vote } elseif (isset($_POST['save'])) { // Add a new vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $name = $inputService->filterName($_POST['name']);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]); $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
if (empty($name)) { if (empty($name)) {
@ -232,8 +231,8 @@ if (isset($_POST['confirm_remove_all_votes'])) {
// ------------------------------- // -------------------------------
if (isset($_POST['add_comment'])) { if (isset($_POST['add_comment'])) {
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $name = $inputService->filterName($_POST['name']);
$comment = strip_tags($_POST['comment']); $comment = $inputService->filterComment($_POST['comment']);
if (empty($name)) { if (empty($name)) {
$message = new Message('danger', __('Error', 'The name is invalid')); $message = new Message('danger', __('Error', 'The name is invalid'));
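Review bot: In the add_comment hunk, `$_POST['name']` and `$_POST['comment']` are read directly, while the filter_input() calls being replaced returned null for a missing field; the same applies to `$_POST['title']`, `$_POST['admin_mail']`, `$_POST['description']` and `$_POST['name']` in the update_poll_info hunk. Only the `hidden` branch keeps an `isset()` guard, so a crafted POST that omits a field now raises an undefined-index notice and passes null into filter_var(). The other reads should follow the `hidden` pattern, e.g. `$name = $inputService->filterName(isset($_POST['name']) ? $_POST['name'] : null);` and `$comment = $inputService->filterComment(isset($_POST['comment']) ? $_POST['comment'] : null);`. The enclosing if blocks continue past the hunks.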


@ -50,4 +50,33 @@ class InputService {
return in_array($value, $allowedValues, true) ? $value : null; return in_array($value, $allowedValues, true) ? $value : null;
} }
public function filterTitle($title) {
return filter_var($title, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => TITLE_REGEX]]);
}
public function filterName($name) {
return filter_var($name, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
}
public function filterMail($mail) {
return filter_var($mail, FILTER_VALIDATE_EMAIL);
}
public function filterDescription($description) {
$description = str_replace("\r\n", "\n", $description);
return filter_var($description, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => DESCRIPTION_REGEX]]);
}
public function filterBoolean($boolean) {
return !!filter_var($boolean, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_TRUE_REGEX]]);
}
public function filterEditable($editable) {
return filter_var($editable, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]);
}
public function filterComment($comment) {
return filter_var($comment, FILTER_SANITIZE_STRING);
}
} }
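Review bot: filterComment() sanitises with FILTER_SANITIZE_STRING while every sibling method validates with a regex, and the COMMENT_REGEX constant this commit adds is never used; FILTER_SANITIZE_STRING strips tags and HTML-encodes `'` and `"` as entities, so a comment such as `it's fine` is stored as `it&#39;s fine` and will be double-escaped if the view escapes on output. If rejecting rather than silently rewriting is acceptable, the method should mirror filterDescription(): `$comment = str_replace("\r\n", "\n", $comment);` followed by `return filter_var($comment, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => COMMENT_REGEX]]);`. Either way, neither filter replaces context-specific escaping at output time, and a one-line docblock per method stating that the regex methods return `false` on rejected input would help callers that test the result with `if ($title)`. The InputService class header is outside the hunk.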


@ -21,10 +21,14 @@
const VERSION = '0.9'; const VERSION = '0.9';
// Regex // Regex
const POLL_REGEX = '/^[a-zA-Z0-9]+$/'; const POLL_REGEX = '/^[a-z0-9]+$/i';
const CHOICE_REGEX = '/^[012]$/'; const CHOICE_REGEX = '/^[012]$/';
const NAME_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9_ -]+$/i'; const NAME_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9_ -]+$/i';
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/'; const TITLE_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &"\'(_)=~#{|`^@}$[\\]\\\\,;:!?.*-]+$/i';
const DESCRIPTION_REGEX = "/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &\"'(_)=~#{|`^@}$[\\]\\\\,;:!?.*\n-]+$/i";
const COMMENT_REGEX = DESCRIPTION_REGEX;
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/i';
const BOOLEAN_TRUE_REGEX = '/^(on|true|1)$/i';
const EDITABLE_CHOICE_REGEX = '/^[0-2]$/'; const EDITABLE_CHOICE_REGEX = '/^[0-2]$/';
// CSRF (300s = 5min) // CSRF (300s = 5min)
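Review bot: NAME_REGEX, TITLE_REGEX and DESCRIPTION_REGEX list accented characters but carry no `u` modifier, so PCRE matches byte-wise: the `i` flag does not case-fold non-ASCII letters, meaning `é` and `ç` are accepted while `É` and `Ç` are rejected, and the character class actually contains the individual UTF-8 bytes of the listed letters, so malformed sequences such as a lone 0xC3 byte pass validation. Adding `u` to each of these three patterns fixes both, e.g. `const NAME_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9_ -]+$/iu';`; with `u`, preg_match() fails on invalid UTF-8 and FILTER_VALIDATE_REGEXP then reports the value as invalid, which is the desired outcome. A comment above the block noting that `<` and `>` are deliberately absent from TITLE_REGEX and DESCRIPTION_REGEX would make the intent clear to future editors.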


@ -18,13 +18,22 @@
*/ */
use Framadate\Form; use Framadate\Form;
use Framadate\Editable; use Framadate\Services\InputService;
use Framadate\Utils; use Framadate\Utils;
include_once __DIR__ . '/app/inc/init.php'; include_once __DIR__ . '/app/inc/init.php';
const GO_TO_STEP_2 = 'gotostep2'; const GO_TO_STEP_2 = 'gotostep2';
/* Services */
/*----------*/
$inputService = new InputService();
/* PAGE */
/* ---- */
if (!isset($_SESSION['form'])) { if (!isset($_SESSION['form'])) {
$_SESSION['form'] = new Form(); $_SESSION['form'] = new Form();
} }
@ -42,32 +51,30 @@ if (isset($_GET['type']) && $_GET['type'] == 'date' ||
// We clean the data // We clean the data
$goToStep2 = filter_input(INPUT_POST, GO_TO_STEP_2, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(date|classic)$/']]); $goToStep2 = filter_input(INPUT_POST, GO_TO_STEP_2, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(date|classic)$/']]);
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING); if ($goToStep2) {
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $title = $inputService->filterTitle($_POST['title']);
$mail = filter_input(INPUT_POST, 'mail', FILTER_VALIDATE_EMAIL); $name = $inputService->filterName($_POST['name']);
$description = filter_input(INPUT_POST, 'description', FILTER_SANITIZE_STRING); $mail = $inputService->filterMail($_POST['mail']);
$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]); $description = $inputService->filterDescription($_POST['description']);
$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]); $editable = $inputService->filterEditable($_POST['editable']);
$receiveNewComments = filter_input(INPUT_POST, 'receiveNewComments', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]); $receiveNewVotes = isset($_POST['receiveNewVotes']) ? $inputService->filterBoolean($_POST['receiveNewVotes']) : false;
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]); $receiveNewComments = isset($_POST['receiveNewComments']) ? $inputService->filterBoolean($_POST['receiveNewComments']) : false;
$hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
// On initialise également les autres variables
$error_on_mail = false;
$error_on_title = false;
$error_on_name = false;
$error_on_description = false;
// On initialise <20>galement les autres variables
$error_on_mail = false;
$error_on_title = false;
$error_on_name = false;
$error_on_description = false;
if (!empty($_POST[GO_TO_STEP_2])) {
$_SESSION['form']->title = $title; $_SESSION['form']->title = $title;
$_SESSION['form']->admin_name = $name; $_SESSION['form']->admin_name = $name;
$_SESSION['form']->admin_mail = $mail; $_SESSION['form']->admin_mail = $mail;
$_SESSION['form']->description = $description; $_SESSION['form']->description = $description;
$_SESSION['form']->editable = $editable; $_SESSION['form']->editable = $editable;
$_SESSION['form']->receiveNewVotes = ($receiveNewVotes !== null); $_SESSION['form']->receiveNewVotes = $receiveNewVotes;
$_SESSION['form']->receiveNewComments = ($receiveNewComments !== null); $_SESSION['form']->receiveNewComments = $receiveNewComments;
$_SESSION['form']->hidden = ($hidden !== null); $_SESSION['form']->hidden = $hidden;
if ($config['use_smtp'] == true) { if ($config['use_smtp'] == true) {
if (empty($mail)) { if (empty($mail)) {
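Review bot: Inside the new `if ($goToStep2)` block, `$_POST['title']`, `$_POST['name']`, `$_POST['mail']`, `$_POST['description']` and `$_POST['editable']` are read without an isset() guard; `$goToStep2` only proves the form was submitted, not that each field was present, so a POST carrying only `gotostep2=date` raises undefined-index notices, while the three boolean fields on the following lines do use isset(). Each read should follow that pattern, e.g. `$title = $inputService->filterTitle(isset($_POST['title']) ? $_POST['title'] : null);`. Note also that filterTitle() and filterDescription() return `false` on rejected input where the removed FILTER_SANITIZE_STRING calls returned a string, and the session assignments lower in the hunk store that result as is; whether `$error_on_title` / `$error_on_description` are set from it is outside this hunk. The `if ($goToStep2)` block continues past the hunk.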


@ -118,7 +118,7 @@ if (!empty($_GET['vote'])) {
// ------------------------------- // -------------------------------
if (!empty($_POST['save'])) { // Save edition of an old vote if (!empty($_POST['save'])) { // Save edition of an old vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $name = $inputService->filterName($_POST['name']);
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT); $editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]); $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
@ -146,7 +146,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
} }
} }
} elseif (isset($_POST['save'])) { // Add a new vote } elseif (isset($_POST['save'])) { // Add a new vote
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $name = $inputService->filterName($_POST['name']);
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]); $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
if (empty($name)) { if (empty($name)) {
@ -178,8 +178,8 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
// ------------------------------- // -------------------------------
if (isset($_POST['add_comment'])) { if (isset($_POST['add_comment'])) {
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]); $name = $inputService->filterName($_POST['name']);
$comment = strip_tags($_POST['comment']); $comment = $inputService->filterComment($_POST['comment']);
if (empty($name)) { if (empty($name)) {
$message = new Message('danger', __('Error', 'Name is incorrect')); $message = new Message('danger', __('Error', 'Name is incorrect'));
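Review bot: `$_POST['name']` and `$_POST['comment']` in the add_comment hunk are indexed directly, so a request without either key raises an undefined-index notice where the replaced filter_input() call returned null; the same holds for `$_POST['name']` in the two save hunks. A guarded read such as `$comment = $inputService->filterComment(isset($_POST['comment']) ? $_POST['comment'] : null);` keeps the old behaviour. Separately, the `empty($name)` check that follows rejects the name `0`, which NAME_REGEX itself accepts; a `=== false` test would distinguish "rejected by the filter" from a legitimately falsy value. The enclosing if blocks continue outside the hunk.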