diff --git a/adminstuds.php b/adminstuds.php
index 8de758c39af4f58941a80b033e83e68689fd8549..1cdff560d9a62945777bc218443607f952977360 100644
--- a/adminstuds.php
+++ b/adminstuds.php
@@ -46,7 +46,7 @@ $inputService = new InputService();
 /* ---- */
 
 if (!empty($_GET['poll']) && strlen($_GET['poll']) === 24) {
-    $admin_poll_id = filter_input(INPUT_GET, 'poll', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^[a-z0-9]+$/']]);
+    $admin_poll_id = filter_input(INPUT_GET, 'poll', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => POLL_REGEX]]);
     $poll_id = substr($admin_poll_id, 0, 16);
     $poll = $pollService->findById($poll_id);
 }
@@ -67,7 +67,7 @@ if (isset($_POST['update_poll_info'])) {
 
     // Update the right poll field
     if ($field == 'title') {
-        $title = filter_input(INPUT_POST, 'title', FILTER_DEFAULT);
+        $title = strip_tags($_POST['title']);
         if ($title) {
             $poll->title = $title;
             $updated = true;
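Review bot: `strip_tags($_POST['title'])` reads the superglobal directly, so a request that omits `title` raises an undefined-index notice and one that sends `title[]=x` hands an array to `strip_tags()` (a TypeError on PHP 8). The `filter_input()` call it replaces returned null or false in those cases. Wrapping the old call keeps that behaviour: `$title = strip_tags((string) filter_input(INPUT_POST, 'title', FILTER_DEFAULT));`. The same pattern recurs for `comment` and `rules` in the next hunk, `comment` in the add_comment hunk, `newdate`/`newmoment`/`choice` in the add-slot hunk, and `comment` in studs.php. `strip_tags()` also leaves quotes and `&` untouched, so these values still need context-appropriate escaping where they are rendered; the templates are not visible here.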
@@ -79,13 +79,13 @@ if (isset($_POST['update_poll_info'])) {
             $updated = true;
         }
     } elseif ($field == 'comment') {
-        $comment = filter_input(INPUT_POST, 'comment', FILTER_DEFAULT);
+        $comment = strip_tags($_POST['comment']);
         if ($comment) {
             $poll->comment = $comment;
             $updated = true;
         }
     } elseif ($field == 'rules') {
-        $rules = filter_input(INPUT_POST, 'rules', FILTER_DEFAULT);
+        $rules = strip_tags($_POST['rules']);
         switch ($rules) {
             case 0:
                 $poll->active = false;
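Review bot: `rules` feeds a `switch` with numeric cases, so `strip_tags()` is the wrong validator: any string still reaches the loosely compared `case 0:`, and on PHP 7 a non-numeric string equals 0 and would set `$poll->active = false`. Validate it as an integer and skip the switch on failure, e.g. `$rules = filter_input(INPUT_POST, 'rules', FILTER_VALIDATE_INT);` guarded by `if ($rules !== null && $rules !== false) { switch ($rules) { … } }`. The switch continues past the end of the hunk, so the accepted range should be confirmed against its remaining cases.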
@@ -127,7 +127,7 @@ if (!empty($_POST['edit_vote'])) {
 
 if (!empty($_POST['save'])) { // Save edition of an old vote
     $editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
-    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[012]$/']]);
+    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
 
     if (empty($editedVote)) {
         $message = new Message('danger', _('Something is going wrong...'));
@@ -146,8 +146,8 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
         }
     }
 } elseif (isset($_POST['save'])) { // Add a new vote
-    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[a-z0-9_ -]+$/i']]);
-    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[012]$/']]);
+    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
+    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
 
     if (empty($name)) {
         $message = new Message('danger', _('Name is incorrect.'));
@@ -204,8 +204,8 @@ if (isset($_POST['confirm_remove_all_votes'])) {
 // -------------------------------
 
 if (isset($_POST['add_comment'])) {
-    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[a-z0-9_ -]+$/i']]);
-    $comment = filter_input(INPUT_POST, 'comment', FILTER_DEFAULT);
+    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
+    $comment = strip_tags($_POST['comment']);
 
     if (empty($name)) {
         $message = new Message('danger', _('Name is incorrect.'));
@@ -308,7 +308,7 @@ if (!empty($_POST['delete_column'])) {
 }
 
 // -------------------------------
-// Delete a slot
+// Add a slot
 // -------------------------------
 
 if (isset($_POST['add_slot'])) {
@@ -321,14 +321,14 @@ if (isset($_POST['add_slot'])) {
 }
 if (isset($_POST['confirm_add_slot'])) {
     if ($poll->format === 'D') {
-        $newdate = filter_input(INPUT_POST, 'newdate', FILTER_DEFAULT);
-        $newmoment = filter_input(INPUT_POST, 'newmoment', FILTER_DEFAULT);
+        $newdate = strip_tags($_POST['newdate']);
+        $newmoment = strip_tags($_POST['newmoment']);
 
         $ex = explode('/', $newdate);
         $result = $adminPollService->addSlot($poll_id, mktime(0, 0, 0, $ex[1], $ex[0], $ex[2]), $newmoment);
     } else {
-        $newslot = filter_input(INPUT_POST, 'choice', FILTER_DEFAULT);
-        $result = $adminPollService->addSlot($poll_id,$newslot, null);
+        $newslot = strip_tags($_POST['choice']);
+        $result = $adminPollService->addSlot($poll_id, $newslot, null);
     }
 
     if ($result) {
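Review bot: `$newdate` goes from `strip_tags()` straight into `explode('/')` and `mktime()`, so a value without exactly three numeric parts yields undefined offsets and non-numeric arguments, and tag stripping does nothing to prevent that. The date should be checked for shape and calendar validity before `addSlot()` is called. Leaving `$result` false otherwise lets the existing `if ($result)` check handle the failure; its else branch is outside the hunk. `$newslot = strip_tags($_POST['choice']);` has the same direct-superglobal issue as the date fields. A rewritten date branch follows.

```php
        $newdate = filter_input(INPUT_POST, 'newdate', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '#^\d{1,2}/\d{1,2}/\d{4}\z#']]);
        $newmoment = strip_tags((string) filter_input(INPUT_POST, 'newmoment', FILTER_DEFAULT));

        $result = false;
        if (is_string($newdate)) {
            $ex = array_map('intval', explode('/', $newdate));
            // checkdate() takes month, day, year; same part order the mktime() call already assumes
            if (checkdate($ex[1], $ex[0], $ex[2])) {
                $result = $adminPollService->addSlot($poll_id, mktime(0, 0, 0, $ex[1], $ex[0], $ex[2]), $newmoment);
            }
        }
    // … unchanged: else branch for non-date polls …
```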
diff --git a/app/inc/constants.php.template b/app/inc/constants.php.template
index ca5db6a1996bcc256d4386e09c7a92f201cc6b28..d8faf3475fbeecd06b99bcab05ac44d8912f261d 100644
--- a/app/inc/constants.php.template
+++ b/app/inc/constants.php.template
@@ -55,6 +55,11 @@ $ALLOWED_LANGUAGES = [
     'de_DE' => 'Deutsch',
 ];
 
+// Regex
+const POLL_REGEX = '/^[a-z0-9]+$/';
+const CHOICE_REGEX = '/^[012]$/';
+const NAME_REGEX = '/^[ a-z0-9_ -]+$/i';
+
 // Path to logo
 const LOGOBANDEAU = '<relative path to the logo file>';
 
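Review bot: All three patterns end in `$`, which in PCRE also matches just before a final newline, so a poll id or choice value with a trailing `\n` still validates. Use `\z` or the `D` modifier, e.g. `const POLL_REGEX = '/^[a-z0-9]+\z/';`. `NAME_REGEX` has an extra leading space in its character class (`[ a-z0-9_ -]`) compared with the literal it replaces; it matches the same set but reads like a typo. Because this file is a template, existing installations presumably need the three constants added to their own constants file by hand, which is worth a line in the upgrade notes.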
diff --git a/choix_autre.php b/choix_autre.php
index e9bd1d1b9ed72c6db30b2ce682a9f1969f187d34..c16ed5076df92eb9633bed3f70c0e6c19320487f 100644
--- a/choix_autre.php
+++ b/choix_autre.php
@@ -134,7 +134,7 @@ if (empty($_SESSION['form']->title) || empty($_SESSION['form']->admin_name) || (
             $_SESSION['form']->clearChoices();
             foreach ($_POST['choices'] as $c) {
                 if (!empty($c)) {
-                    $c = filter_var($c, FILTER_SANITIZE_STRING);
+                    $c = strip_tags($c);
                     $choice = new Choice($c);
                     $_SESSION['form']->addChoice($choice);
                 }
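Review bot: `FILTER_SANITIZE_STRING` also encoded single and double quotes by default, so `strip_tags($c)` now stores choice text with raw quotes. Any template that prints choices into an HTML attribute without escaping was relying on the old encoding and should be checked. `$c` comes from iterating `$_POST['choices']`, so a nested array element passes `!empty($c)` and reaches `strip_tags()` as an array; tightening the guard to `if (is_string($c) && !empty($c)) {` avoids that. The enclosing loop and condition start outside the hunk.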
diff --git a/choix_date.php b/choix_date.php
index bfe079056d0b01fdc911dc4c5f0a6755d1c27e1a..b94658fc140045bbe41b8eff89348e20f7959245 100644
--- a/choix_date.php
+++ b/choix_date.php
@@ -140,7 +140,7 @@ if (!isset($_SESSION['form']->title) || !isset($_SESSION['form']->admin_name) ||
                     $schedules = $inputService->filterArray($_POST['horaires'.$i], FILTER_DEFAULT);
                     for($j = 0; $j < count($schedules); $j++) {
                         if (!empty($schedules[$j])) {
-                            $choice->addSlot($schedules[$j]);
+                            $choice->addSlot(strip_tags($schedules[$j]));
                         }
                     }
                 }
diff --git a/studs.php b/studs.php
index b04ce05a69da177ac934bfb2c3fbc1d2ab9060aa..96b236063ae3076f082795be85a3a53152d69e82 100644
--- a/studs.php
+++ b/studs.php
@@ -53,7 +53,7 @@ $mailService = new MailService($config['use_smtp']);
 function sendUpdateNotification($poll, $mailService) {
     if ($poll->receiveNewVotes && !isset($_SESSION['mail_sent'][$poll->id])) {
 
-        $subject = '[' . NOMAPPLICATION . '] ' . _('Poll\'s participation') . ' : ' . html_entity_decode($poll->title, ENT_QUOTES, 'UTF-8');
+        $subject = '[' . NOMAPPLICATION . '] ' . _('Poll\'s participation') . ' : ' . $poll->title;
         $message = html_entity_decode('"$nom" ', ENT_QUOTES, 'UTF-8') .
             _('has filled a line.\nYou can find your poll at the link') . " :\n\n" .
             Utils::getUrlSondage($poll->admin_poll_id, true) . " \n\n" .
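Review bot: `$poll->title` now reaches the mail subject unmodified, and `strip_tags()` at input time does not remove CR or LF. Whether a title can break out of the Subject header therefore depends entirely on `MailService`, which is not shown. Normalising at this call site is cheap: end the expression with `preg_replace('/[\r\n]+/', ' ', $poll->title)` instead of `$poll->title`. Titles stored before this change may still contain HTML entities that the removed `html_entity_decode()` used to undo; that is inferred from the other hunks and should be checked against existing data. The function body continues beyond the hunk.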
@@ -68,8 +68,8 @@ function sendUpdateNotification($poll, $mailService) {
 /* PAGE */
 /* ---- */
 
-if(!empty($_GET['poll'])) {
-    $poll_id = filter_input(INPUT_GET, 'poll', FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[a-z0-9]+$/']]);
+if (!empty($_GET['poll'])) {
+    $poll_id = filter_input(INPUT_GET, 'poll', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => POLL_REGEX]]);
     $poll = $pollService->findById($poll_id);
 }
 
@@ -94,7 +94,7 @@ if (!empty($_POST['edit_vote'])) {
 
 if (!empty($_POST['save'])) { // Save edition of an old vote
     $editedVote = filter_input(INPUT_POST, 'save', FILTER_VALIDATE_INT);
-    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[012]$/']]);
+    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
 
     if (empty($editedVote)) {
         $message = new Message('danger', _('Something is going wrong...'));
@@ -114,8 +114,8 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
         }
     }
 } elseif (isset($_POST['save'])) { // Add a new vote
-    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[a-z0-9_ -]+$/i']]);
-    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[012]$/']]);
+    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
+    $choices = $inputService->filterArray($_POST['choices'], FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => CHOICE_REGEX]]);
 
     if (empty($name)) {
         $message = new Message('danger', _('Name is incorrect.'));
@@ -141,8 +141,8 @@ if (!empty($_POST['save'])) { // Save edition of an old vote
 // -------------------------------
 
 if (isset($_POST['add_comment'])) {
-    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options'=>['regexp'=>'/^[a-z0-9_ -]+$/i']]);
-    $comment = filter_input(INPUT_POST, 'comment', FILTER_DEFAULT);
+    $name = filter_input(INPUT_POST, 'name', FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => NAME_REGEX]]);
+    $comment = strip_tags($_POST['comment']);
 
     if (empty($name)) {
         $message = new Message('danger', _('Name is incorrect.'));