From 1e2877e863e484e0f70e53ac872f8e58a8df78ea Mon Sep 17 00:00:00 2001
From: Olivier PEREZ <olivier@olivierperez.fr>
Date: Mon, 5 Jan 2015 23:30:47 +0100
Subject: [PATCH] Don't encode to HTML value before storing it to database

---
 .../Framadate/Services/InputService.php       |  2 +-
 choix_autre.php                               |  3 ++-
 choix_date.php                                |  4 +++-
 infos_sondage.php                             | 19 +++++++++----------
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/app/classes/Framadate/Services/InputService.php b/app/classes/Framadate/Services/InputService.php
index d985bb5e..aafed00d 100644
--- a/app/classes/Framadate/Services/InputService.php
+++ b/app/classes/Framadate/Services/InputService.php
@@ -29,7 +29,7 @@ class InputService {
      * This method filter an array calling "filter_var" on each items.
      * Only items validated are added at their own indexes, the others are not returned.
      */
-    function filterArray(array $arr, $type, $options) {
+    function filterArray(array $arr, $type, $options = null) {
         $newArr = [];
 
         foreach($arr as $id=>$item) {
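Review bot: The new default `$options = null` on the filterArray signature does not match filter_var's own default for its third argument (`0`, or an empty options array); if `$options` is forwarded unchanged, every caller that omits it now passes null to a non-nullable internal parameter, which PHP 8.1+ reports as deprecated. Declaring `$options = 0` (or `$options = []`) keeps the call valid on every version while preserving the optional argument the commit wants. The body of filterArray continues outside the hunk, so whether `$options` is passed straight through is inferred from the docblock rather than seen.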
diff --git a/choix_autre.php b/choix_autre.php
index 586bc528..95ba3cda 100644
--- a/choix_autre.php
+++ b/choix_autre.php
@@ -134,7 +134,8 @@ if (empty($_SESSION['form']->title) || empty($_SESSION['form']->admin_name) || (
             $_SESSION['form']->clearChoices();
             foreach ($_POST['choices'] as $c) {
                 if (!empty($c)) {
-                    $choice = new Choice(htmlentities(html_entity_decode($c, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8'));
+                    $c = filter_var($c, FILTER_SANITIZE_STRING);
+                    $choice = new Choice($c);
                     $_SESSION['form']->addChoice($choice);
                 }
             }
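Review bot: `FILTER_SANITIZE_STRING` on line 35 still HTML-encodes single and double quotes (to `&#39;` / `&#34;`) unless `FILTER_FLAG_NO_ENCODE_QUOTES` is passed, so the stored choice is not the raw value the commit title promises; the same applies to the `$titre`, `$nom` and `$commentaires` lines in infos_sondage.php. The filter also silently discards everything between `<` and `>`, so a choice such as `a < b > c` is stored truncated rather than rejected. If the intent is to store raw text and escape at output time, a plain type check (`is_string($c) ? trim($c) : ''`) here plus `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` in the templates keeps the data intact and still closes the XSS path; if the filter is kept, at minimum write `$c = filter_var($c, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);` so the storage format is consistent. Reassigning the foreach variable `$c` works but hides the original value; a distinct name (`$cleaned`) reads more clearly. The enclosing `if`/`foreach` starts and ends outside the hunk.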
diff --git a/choix_date.php b/choix_date.php
index 9c0ae499..5170306e 100644
--- a/choix_date.php
+++ b/choix_date.php
@@ -16,6 +16,7 @@
  * Auteurs de STUdS (projet initial) : Guilhem BORGHESI (borghesi@unistra.fr) et Raphaël DROZ
  * Auteurs de Framadate/OpenSondage : Framasoft (https://github.com/framasoft https://git.framasoft.org/framasoft/framadate/)
  */
+use Framadate\Services\InputService;
 use Framadate\Services\LogService;
 use Framadate\Services\PollService;
 use Framadate\Services\MailService;
@@ -31,6 +32,7 @@ $logService = new LogService(LOG_FILE);
 $pollService = new PollService($connect, $logService);
 $mailService = new MailService($config['use_smtp']);
 $purgeService = new PurgeService($connect, $logService);
+$inputService = new InputService();
 
 if (is_readable('bandeaux_local.php')) {
     include_once('bandeaux_local.php');
@@ -135,7 +137,7 @@ if (!isset($_SESSION['form']->title) || !isset($_SESSION['form']->admin_name) ||
                     $choice = new Choice($time);
                     $_SESSION['form']->addChoice($choice);
 
-                    $schedules = $_POST['horaires'.$i];
+                    $schedules = $inputService->filterArray($_POST['horaires'.$i], FILTER_DEFAULT);
                     for($j = 0; $j < count($schedules); $j++) {
                         if (!empty($schedules[$j])) {
                             $choice->addSlot($schedules[$j]);
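Review bot: Passing `$_POST['horaires'.$i]` straight into `filterArray(array $arr, ...)` on line 65 turns a missing or scalar field into a TypeError, where the old direct assignment produced at most a warning, so a malformed POST can now abort the request instead of yielding an empty slot list. Guard the input first, e.g. `$raw = $_POST['horaires'.$i] ?? [];` followed by `$schedules = $inputService->filterArray(is_array($raw) ? $raw : [], FILTER_DEFAULT);`. Per its docblock filterArray keeps surviving items at their original indexes and omits rejected ones, so the `for ($j = 0; $j < count($schedules); $j++)` loop below stops early and skips entries once the keys become sparse; iterating with `foreach ($schedules as $slot)` avoids that. The surrounding loop over `$i` starts and ends outside the hunk.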
diff --git a/infos_sondage.php b/infos_sondage.php
index da951046..b98ccd3b 100644
--- a/infos_sondage.php
+++ b/infos_sondage.php
@@ -40,16 +40,15 @@ if ((isset($_GET['choix_sondage']) && $_GET['choix_sondage'] == 'date') ||
     $_SESSION['form']->choix_sondage = $choix_sondage;
 }
 
-// On teste toutes les variables pour supprimer l'ensemble des warnings PHP
-// On transforme en entites html les données afin éviter les failles XSS
-$post_var = array('poursuivre', 'titre', 'nom', 'adresse', 'commentaires', 'editable', 'receiveNewVotes', 'creation_sondage_date', 'creation_sondage_autre');
-foreach ($post_var as $var) {
-    if (isset($_POST[$var]) === true) {
-        $$var = htmlentities($_POST[$var], ENT_QUOTES, 'UTF-8');
-    } else {
-        $$var = null;
-    }
-}
+// We clean the data
+$poursuivre = filter_input(INPUT_POST, 'poursuivre', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(creation_sondage_date|creation_sondage_autre)$/']]);
+$titre = filter_input(INPUT_POST, 'titre', FILTER_SANITIZE_STRING);
+$nom = filter_input(INPUT_POST, 'nom', FILTER_SANITIZE_STRING);
+$adresse = filter_input(INPUT_POST, 'adresse', FILTER_VALIDATE_EMAIL);
+$commentaires = filter_input(INPUT_POST, 'commentaires', FILTER_SANITIZE_STRING);
+$editable = filter_input(INPUT_POST, 'editable', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
+$receiveNewVotes = filter_input(INPUT_POST, 'receiveNewVotes', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(on|off|true|false|1|0)$/']]);
+
 
 // On initialise également les autres variables
 $erreur_adresse = false;
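Review bot: The rewritten block no longer defines `$creation_sondage_date` and `$creation_sondage_autre`, which the removed loop (line 79) set to null when absent; any later reference to them in this file, outside the hunk, now reads an undefined variable. `$poursuivre` already carries the same choice, so either drop those references or keep the two variables, e.g. `$creation_sondage_date = filter_input(INPUT_POST, 'creation_sondage_date');`. Separately, the `FILTER_VALIDATE_EMAIL` and `FILTER_VALIDATE_REGEXP` lines return `false` for a present-but-invalid value and `null` for an absent one, whereas the old code yielded a string or null; downstream checks written as `=== null` or `empty()` treat the two cases differently, so the error handling further down should be read against both outcomes. The `$editable`/`$receiveNewVotes` regexp validation is a good tightening and deserves a one-line comment above it naming why those spellings are accepted, e.g. `// checkbox values as sent by the browser form or by the JS front-end`.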
-- 
GitLab