Forbid URLs to be inserted into Name fields

PrestaShop · Apr 24, 2019 · 8b61a9c · 8b61a9c
1 parent 199d56f
commit 8b61a9c
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 7 deletions.
diff --git a/classes/Validate.php b/classes/Validate.php
@@ -157,15 +157,31 @@ public static function isImageSize($size)
     }
 
     /**
-     * Check for name validity.
+     * Check whether given name is valid
      *
      * @param string $name Name to validate
      *
-     * @return bool Validity is ok or not
+     * @return int 1 if given input is a name, 0 else
      */
     public static function isName($name)
     {
-        return preg_match(Tools::cleanNonUnicodeSupport('/^[^0-9!<>,;?=+()@#"°{}_$%:¤|]*$/u'), stripslashes($name));
+        $cleanName = stripslashes($name);
+
+        if (false !== strpos($cleanName, '/')) {
+            return 0;
+        }
+
+        $dotCharacters = array('.', '。');
+        foreach ($dotCharacters as $dotCharacter) {
+            $dotPosition = strpos($cleanName, $dotCharacter);
+            if (false !== $dotPosition && isset($cleanName[$dotPosition+1]) && ($cleanName[$dotPosition+1] !== ' ')) {
+                return 0;
+            }
+        }
+
+        $validityPattern = Tools::cleanNonUnicodeSupport('/^[^0-9!<>,;?=+()@#"°{}_$%:¤|]*$/u');
+
+        return preg_match($validityPattern, $cleanName);
     }
 
     /**

diff --git a/tests/Unit/Classes/ValidateCoreTest.php b/tests/Unit/Classes/ValidateCoreTest.php
@@ -90,6 +90,14 @@ public function testIsSha1($expected, $input)
         $this->assertSame($expected, Validate::isSha1($input));
     }
 
+    /**
+     * @dataProvider isNameDataProvider
+     */
+    public function testIsName($expected, $input)
+    {
+        $this->assertSame($expected, Validate::isName($input));
+    }
+
     /**
      * @dataProvider isFloatDataProvider
      */
@@ -107,7 +115,7 @@ public function testIsUnsignedFloat($expected, $input)
     }
 
     /**
-     * @depends testIsFloat
+     * @depends      testIsFloat
      * @dataProvider isOptFloatDataProvider
      */
     public function testIsOptFloat($expected, $input)
@@ -149,6 +157,26 @@ public function isSha1DataProvider()
         );
     }
 
+    public function isNameDataProvider()
+    {
+        return array(
+            array(1, 'Mathieu'),
+            array(1, 'Dupont'),
+            array(1, 'Jaçinthé'),
+            array(1, 'John D.'),
+            array(1, 'John D. John'),
+            array(1, 'ÃƒÆ’Ã‚Â¢ÃƒÂ¢Ã¢â'),
+            array(0, 'https://www.website.com'),
+            array(0, 'www.website.com'),
+            array(0, 'website。com'),
+            array(0, 'website%2Ecom'),
+            array(0, 'website/./com'),
+            array(0, '.rn'),
+            array(0, 'websitecom/a'),
+            array(0, 'websitecom%20a'),
+        );
+    }
+
     public function isEmailDataProvider()
     {
         return array(
@@ -213,7 +241,7 @@ public function isUnsignedFloatDataProvider()
             $this->trueFloatDataProvider(),
             array(
                 array(false, -12.2151),
-                array(false, -12,2151),
+                array(false, -12, 2151),
                 array(false, '-12.2151'),
                 array(false, ''),
                 array(false, 'A'),
@@ -227,7 +255,7 @@ public function trueFloatDataProvider()
         return array(
             array(true, 12),
             array(true, 12.2151),
-            array(true, 12,2151),
+            array(true, 12, 2151),
             array(true, '12.2151'),
         );
     }
@@ -238,7 +266,7 @@ public function isFloatDataProvider()
             $this->trueFloatDataProvider(),
             array(
                 array(true, -12.2151),
-                array(true, -12,2151),
+                array(true, -12, 2151),
                 array(true, '-12.2151'),
                 array(false, ''),
                 array(false, 'A'),