Refactor the input filter system
This commit is contained in:
parent
39c041135a
commit
201d5168fe
@ -39,7 +39,8 @@ $securityService = new SecurityService();
|
||||
|
||||
/* POST */
|
||||
/*-----*/
|
||||
$action = filter_input(INPUT_POST, 'action', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
|
||||
$action = $inputService->filterName($_POST['action']);
|
||||
|
||||
/* PAGE */
|
||||
/* ---- */
|
||||
|
@ -69,19 +69,19 @@ if (isset($_POST['update_poll_info'])) {
|
||||
|
||||
// Update the right poll field
|
||||
if ($field == 'title') {
|
||||
$title = strip_tags($_POST['title']);
|
||||
$title = $inputService->filterTitle($_POST['title']);
|
||||
if ($title) {
|
||||
$poll->title = $title;
|
||||
$updated = true;
|
||||
}
|
||||
} elseif ($field == 'admin_mail') {
|
||||
$admin_mail = filter_input(INPUT_POST, 'admin_mail', FILTER_VALIDATE_EMAIL);
|
||||
$admin_mail = $inputService->filterMail($_POST['admin_mail']);
|
||||
if ($admin_mail) {
|
||||
$poll->admin_mail = $admin_mail;
|
||||
$updated = true;
|
||||
}
|
||||
} elseif ($field == 'description') {
|
||||
$description = strip_tags($_POST['description']);
|
||||
$description = $inputService->filterDescription($_POST['description']);
|
||||
if ($description) {
|
||||
$poll->description = $description;
|
||||
$updated = true;
|
||||
@ -117,14 +117,13 @@ if (isset($_POST['update_poll_info'])) {
|
||||
$updated = true;
|
||||
}
|
||||
} elseif ($field == 'name') {
|
||||
$admin_name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$admin_name = $inputService->filterName($_POST['name']);
|
||||
if ($admin_name) {
|
||||
$poll->admin_name = $admin_name;
|
||||
$updated = true;
|
||||
}
|
||||
} elseif ($field == 'hidden') {
|
||||
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
||||
$hidden = $hidden==null?false:true;
|
||||
$hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
|
||||
if ($hidden != $poll->hidden) {
|
||||
$poll->hidden = $hidden;
|
||||
$updated = true;
|
||||
@ -153,7 +152,7 @@ if (!empty($_GET['vote'])) {
|
||||
// -------------------------------
|
||||
|
||||
if (!empty($_POST['save'])) { // Save edition of an old vote
|
||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$name = $inputService->filterName($_POST['name']);
|
||||
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
|
||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||
|
||||
@ -174,7 +173,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
|
||||
}
|
||||
}
|
||||
} elseif (isset($_POST['save'])) { // Add a new vote
|
||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$name = $inputService->filterName($_POST['name']);
|
||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||
|
||||
if (empty($name)) {
|
||||
@ -232,8 +231,8 @@ if (isset($_POST['confirm_remove_all_votes'])) {
|
||||
// -------------------------------
|
||||
|
||||
if (isset($_POST['add_comment'])) {
|
||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$comment = strip_tags($_POST['comment']);
|
||||
$name = $inputService->filterName($_POST['name']);
|
||||
$comment = $inputService->filterComment($_POST['comment']);
|
||||
|
||||
if (empty($name)) {
|
||||
$message = new Message('danger', __('Error', 'The name is invalid'));
|
||||
|
@ -50,4 +50,33 @@ class InputService {
|
||||
return in_array($value, $allowedValues, true) ? $value : null;
|
||||
}
|
||||
|
||||
public function filterTitle($title) {
|
||||
return filter_var($title, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => TITLE_REGEX]]);
|
||||
}
|
||||
|
||||
public function filterName($name) {
|
||||
return filter_var($name, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
}
|
||||
|
||||
public function filterMail($mail) {
|
||||
return filter_var($mail, FILTER_VALIDATE_EMAIL);
|
||||
}
|
||||
|
||||
public function filterDescription($description) {
|
||||
$description = str_replace("\r\n", "\n", $description);
|
||||
return filter_var($description, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => DESCRIPTION_REGEX]]);
|
||||
}
|
||||
|
||||
public function filterBoolean($boolean) {
|
||||
return !!filter_var($boolean, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_TRUE_REGEX]]);
|
||||
}
|
||||
|
||||
public function filterEditable($editable) {
|
||||
return filter_var($editable, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]);
|
||||
}
|
||||
|
||||
public function filterComment($comment) {
|
||||
return filter_var($comment, FILTER_SANITIZE_STRING);
|
||||
}
|
||||
|
||||
}
|
@ -21,10 +21,14 @@
|
||||
const VERSION = '0.9';
|
||||
|
||||
// Regex
|
||||
const POLL_REGEX = '/^[a-zA-Z0-9]+$/';
|
||||
const POLL_REGEX = '/^[a-z0-9]+$/i';
|
||||
const CHOICE_REGEX = '/^[012]$/';
|
||||
const NAME_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9_ -]+$/i';
|
||||
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/';
|
||||
const TITLE_REGEX = '/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &"\'(_)=~#{|`^@}$[\\]\\\\,;:!?.*-]+$/i';
|
||||
const DESCRIPTION_REGEX = "/^[áàâäãåçéèêëíìîïñóòôöõúùûüýÿæœa-z0-9\\/ &\"'(_)=~#{|`^@}$[\\]\\\\,;:!?.*\n-]+$/i";
|
||||
const COMMENT_REGEX = DESCRIPTION_REGEX;
|
||||
const BOOLEAN_REGEX = '/^(on|off|true|false|1|0)$/i';
|
||||
const BOOLEAN_TRUE_REGEX = '/^(on|true|1)$/i';
|
||||
const EDITABLE_CHOICE_REGEX = '/^[0-2]$/';
|
||||
|
||||
// CSRF (300s = 5min)
|
||||
|
@ -18,13 +18,22 @@
|
||||
*/
|
||||
|
||||
use Framadate\Form;
|
||||
use Framadate\Editable;
|
||||
use Framadate\Services\InputService;
|
||||
use Framadate\Utils;
|
||||
|
||||
include_once __DIR__ . '/app/inc/init.php';
|
||||
|
||||
const GO_TO_STEP_2 = 'gotostep2';
|
||||
|
||||
|
||||
/* Services */
|
||||
/*----------*/
|
||||
|
||||
$inputService = new InputService();
|
||||
|
||||
/* PAGE */
|
||||
/* ---- */
|
||||
|
||||
if (!isset($_SESSION['form'])) {
|
||||
$_SESSION['form'] = new Form();
|
||||
}
|
||||
@ -42,32 +51,30 @@ if (isset($_GET['type']) && $_GET['type'] == 'date' ||
|
||||
|
||||
// We clean the data
|
||||
$goToStep2 = filter_input(INPUT_POST, GO_TO_STEP_2, FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(date|classic)$/']]);
|
||||
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);
|
||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$mail = filter_input(INPUT_POST, 'mail', FILTER_VALIDATE_EMAIL);
|
||||
$description = filter_input(INPUT_POST, 'description', FILTER_SANITIZE_STRING);
|
||||
$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => EDITABLE_CHOICE_REGEX]]);
|
||||
$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
||||
$receiveNewComments = filter_input(INPUT_POST, 'receiveNewComments', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
||||
$hidden = filter_input(INPUT_POST, 'hidden', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => BOOLEAN_REGEX]]);
|
||||
if ($goToStep2) {
|
||||
$title = $inputService->filterTitle($_POST['title']);
|
||||
$name = $inputService->filterName($_POST['name']);
|
||||
$mail = $inputService->filterMail($_POST['mail']);
|
||||
$description = $inputService->filterDescription($_POST['description']);
|
||||
$editable = $inputService->filterEditable($_POST['editable']);
|
||||
$receiveNewVotes = isset($_POST['receiveNewVotes']) ? $inputService->filterBoolean($_POST['receiveNewVotes']) : false;
|
||||
$receiveNewComments = isset($_POST['receiveNewComments']) ? $inputService->filterBoolean($_POST['receiveNewComments']) : false;
|
||||
$hidden = isset($_POST['hidden']) ? $inputService->filterBoolean($_POST['hidden']) : false;
|
||||
|
||||
|
||||
// On initialise <20>galement les autres variables
|
||||
// On initialise également les autres variables
|
||||
$error_on_mail = false;
|
||||
$error_on_title = false;
|
||||
$error_on_name = false;
|
||||
$error_on_description = false;
|
||||
|
||||
|
||||
if (!empty($_POST[GO_TO_STEP_2])) {
|
||||
$_SESSION['form']->title = $title;
|
||||
$_SESSION['form']->admin_name = $name;
|
||||
$_SESSION['form']->admin_mail = $mail;
|
||||
$_SESSION['form']->description = $description;
|
||||
$_SESSION['form']->editable = $editable;
|
||||
$_SESSION['form']->receiveNewVotes = ($receiveNewVotes !== null);
|
||||
$_SESSION['form']->receiveNewComments = ($receiveNewComments !== null);
|
||||
$_SESSION['form']->hidden = ($hidden !== null);
|
||||
$_SESSION['form']->receiveNewVotes = $receiveNewVotes;
|
||||
$_SESSION['form']->receiveNewComments = $receiveNewComments;
|
||||
$_SESSION['form']->hidden = $hidden;
|
||||
|
||||
if ($config['use_smtp'] == true) {
|
||||
if (empty($mail)) {
|
||||
|
@ -118,7 +118,7 @@ if (!empty($_GET['vote'])) {
|
||||
// -------------------------------
|
||||
|
||||
if (!empty($_POST['save'])) { // Save edition of an old vote
|
||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$name = $inputService->filterName($_POST['name']);
|
||||
$editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
|
||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||
|
||||
@ -146,7 +146,7 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
|
||||
}
|
||||
}
|
||||
} elseif (isset($_POST['save'])) { // Add a new vote
|
||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$name = $inputService->filterName($_POST['name']);
|
||||
$choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
|
||||
|
||||
if (empty($name)) {
|
||||
@ -178,8 +178,8 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
|
||||
// -------------------------------
|
||||
|
||||
if (isset($_POST['add_comment'])) {
|
||||
$name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
|
||||
$comment = strip_tags($_POST['comment']);
|
||||
$name = $inputService->filterName($_POST['name']);
|
||||
$comment = $inputService->filterComment($_POST['comment']);
|
||||
|
||||
if (empty($name)) {
|
||||
$message = new Message('danger', __('Error', 'Name is incorrect'));
|
||||
|
Loading…
Reference in New Issue
Block a user