fix: corrected sanitizing the string
thorsten committed Mar 12, 2023
1 parent a264219 commit ecbd810
Showing 3 changed files with 46 additions and 46 deletions.
32 changes: 16 additions & 16 deletions phpmyfaq/admin/record.add.php
Expand Up @@ -43,9 +43,9 @@

if ($user->perm->hasPermission($user->getUserId(), 'add_faq')) {
// FAQ data
$dateStart = Filter::filterInput(INPUT_POST, 'dateStart', FILTER_UNSAFE_RAW);
$dateEnd = Filter::filterInput(INPUT_POST, 'dateEnd', FILTER_UNSAFE_RAW);
$question = Filter::filterInput(INPUT_POST, 'question', FILTER_UNSAFE_RAW);
$dateStart = Filter::filterInput(INPUT_POST, 'dateStart', FILTER_SANITIZE_SPECIAL_CHARS);
$dateEnd = Filter::filterInput(INPUT_POST, 'dateEnd', FILTER_SANITIZE_SPECIAL_CHARS);
$question = Filter::filterInput(INPUT_POST, 'question', FILTER_SANITIZE_SPECIAL_CHARS);
$categories = Filter::filterInputArray(
INPUT_POST,
[
Expand All @@ -55,25 +55,25 @@
],
]
);
$recordLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
$tags = Filter::filterInput(INPUT_POST, 'tags', FILTER_UNSAFE_RAW);
$active = Filter::filterInput(INPUT_POST, 'active', FILTER_UNSAFE_RAW);
$sticky = Filter::filterInput(INPUT_POST, 'sticky', FILTER_UNSAFE_RAW);
$recordLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_SANITIZE_SPECIAL_CHARS);
$tags = Filter::filterInput(INPUT_POST, 'tags', FILTER_SANITIZE_SPECIAL_CHARS);
$active = Filter::filterInput(INPUT_POST, 'active', FILTER_SANITIZE_SPECIAL_CHARS);
$sticky = Filter::filterInput(INPUT_POST, 'sticky', FILTER_SANITIZE_SPECIAL_CHARS);
$content = Filter::filterInput(INPUT_POST, 'answer', FILTER_SANITIZE_SPECIAL_CHARS);
$keywords = Filter::filterInput(INPUT_POST, 'keywords', FILTER_UNSAFE_RAW);
$author = Filter::filterInput(INPUT_POST, 'author', FILTER_UNSAFE_RAW);
$keywords = Filter::filterInput(INPUT_POST, 'keywords', FILTER_SANITIZE_SPECIAL_CHARS);
$author = Filter::filterInput(INPUT_POST, 'author', FILTER_SANITIZE_SPECIAL_CHARS);
$email = Filter::filterInput(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$comment = Filter::filterInput(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
$comment = Filter::filterInput(INPUT_POST, 'comment', FILTER_SANITIZE_SPECIAL_CHARS);
$recordId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$solutionId = Filter::filterInput(INPUT_POST, 'solution_id', FILTER_VALIDATE_INT);
$revisionId = Filter::filterInput(INPUT_POST, 'revision_id', FILTER_VALIDATE_INT);
$changed = Filter::filterInput(INPUT_POST, 'changed', FILTER_UNSAFE_RAW);
$date = Filter::filterInput(INPUT_POST, 'date', FILTER_UNSAFE_RAW);
$notes = Filter::filterInput(INPUT_POST, 'notes', FILTER_UNSAFE_RAW);
$changed = Filter::filterInput(INPUT_POST, 'changed', FILTER_SANITIZE_SPECIAL_CHARS);
$date = Filter::filterInput(INPUT_POST, 'date', FILTER_SANITIZE_SPECIAL_CHARS);
$notes = Filter::filterInput(INPUT_POST, 'notes', FILTER_SANITIZE_SPECIAL_CHARS);

// Permissions
$permissions = [];
if ('all' === Filter::filterInput(INPUT_POST, 'userpermission', FILTER_UNSAFE_RAW)) {
if ('all' === Filter::filterInput(INPUT_POST, 'userpermission', FILTER_SANITIZE_SPECIAL_CHARS)) {
$permissions += [
'restricted_user' => [
-1,
Expand All @@ -87,7 +87,7 @@
];
}

if ('all' === Filter::filterInput(INPUT_POST, 'grouppermission', FILTER_UNSAFE_RAW)) {
if ('all' === Filter::filterInput(INPUT_POST, 'grouppermission', FILTER_SANITIZE_SPECIAL_CHARS)) {
$permissions += [
'restricted_groups' => [
-1,
Expand Down Expand Up @@ -203,7 +203,7 @@
// notify the user who added the question
try {
$notifyEmail = Filter::filterInput(INPUT_POST, 'notifyEmail', FILTER_SANITIZE_EMAIL);
$notifyUser = Filter::filterInput(INPUT_POST, 'notifyUser', FILTER_UNSAFE_RAW);
$notifyUser = Filter::filterInput(INPUT_POST, 'notifyUser', FILTER_SANITIZE_SPECIAL_CHARS);
$notification->sendOpenQuestionAnswered($notifyEmail, $notifyUser, $oLink->toString());
} catch (Exception $e) {
printf('<p class="alert alert-warning">%s</p>', $e->getMessage());
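Review bot: FILTER_SANITIZE_SPECIAL_CHARS is an HTML-entity encoding step, not validation, so after this change `dateStart`, `dateEnd`, `date`, `changed` and `lang` are still accepted with any content as long as it carries no markup characters. A language code that is later used for lookups should be checked against an expected shape or the installed-language list before use, e.g. `if (!preg_match('/^[a-z]{2}(?:-[a-z]{2})?$/i', (string) $recordLang)) { $recordLang = null; }` (adjust the pattern to the codes this project actually uses), and the date fields should be parsed with `DateTime::createFromFormat()` rather than kept as arbitrary strings. Note also that the encoded value is what gets persisted: `question`, `tags`, `keywords`, `author` and `notes` containing `&`, `'` or `"` are now stored as entities, which double-encodes if the templates escape on output and changes tag/keyword matching, so a comment such as `// values are HTML-entity encoded at input; decode before comparing or re-escaping on output` would help the next reader. The permission check that opens this block and the save logic that consumes these variables lie outside the hunk.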
26 changes: 13 additions & 13 deletions phpmyfaq/admin/record.edit.php
Expand Up @@ -110,7 +110,7 @@
$queryString = 'insertentry';
}

$faqData['lang'] = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
$faqData['lang'] = Filter::filterInput(INPUT_POST, 'lang', FILTER_SANITIZE_SPECIAL_CHARS);
$selectedCategory = Filter::filterInputArray(
INPUT_POST,
[
Expand All @@ -125,25 +125,25 @@
$categories[] = ['category_id' => $cats, 'category_lang' => $faqData['lang']];
}
}
$faqData['active'] = Filter::filterInput(INPUT_POST, 'active', FILTER_UNSAFE_RAW);
$faqData['keywords'] = Filter::filterInput(INPUT_POST, 'keywords', FILTER_UNSAFE_RAW);
$faqData['title'] = Filter::filterInput(INPUT_POST, 'thema', FILTER_UNSAFE_RAW);
$faqData['active'] = Filter::filterInput(INPUT_POST, 'active', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['keywords'] = Filter::filterInput(INPUT_POST, 'keywords', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['title'] = Filter::filterInput(INPUT_POST, 'thema', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['content'] = Filter::filterInput(INPUT_POST, 'content', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['author'] = Filter::filterInput(INPUT_POST, 'author', FILTER_UNSAFE_RAW);
$faqData['author'] = Filter::filterInput(INPUT_POST, 'author', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['email'] = Filter::filterInput(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$faqData['comment'] = Filter::filterInput(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
$faqData['comment'] = Filter::filterInput(INPUT_POST, 'comment', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['solution_id'] = Filter::filterInput(INPUT_POST, 'solution_id', FILTER_VALIDATE_INT);
$faqData['revision_id'] = Filter::filterInput(INPUT_POST, 'revision_id', FILTER_VALIDATE_INT, 0);
$faqData['sticky'] = Filter::filterInput(INPUT_POST, 'sticky', FILTER_VALIDATE_INT);
$faqData['tags'] = Filter::filterInput(INPUT_POST, 'tags', FILTER_UNSAFE_RAW);
$faqData['changed'] = Filter::filterInput(INPUT_POST, 'changed', FILTER_UNSAFE_RAW);
$faqData['dateStart'] = Filter::filterInput(INPUT_POST, 'dateStart', FILTER_UNSAFE_RAW);
$faqData['dateEnd'] = Filter::filterInput(INPUT_POST, 'dateEnd', FILTER_UNSAFE_RAW);
$faqData['tags'] = Filter::filterInput(INPUT_POST, 'tags', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['changed'] = Filter::filterInput(INPUT_POST, 'changed', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['dateStart'] = Filter::filterInput(INPUT_POST, 'dateStart', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['dateEnd'] = Filter::filterInput(INPUT_POST, 'dateEnd', FILTER_SANITIZE_SPECIAL_CHARS);
$faqData['content'] = html_entity_decode($faqData['content']);
} elseif ('editentry' === $action) {
$id = Filter::filterInput(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$lang = Filter::filterInput(INPUT_GET, 'lang', FILTER_UNSAFE_RAW);
$translateTo = Filter::filterInput(INPUT_GET, 'translateTo', FILTER_UNSAFE_RAW);
$lang = Filter::filterInput(INPUT_GET, 'lang', FILTER_SANITIZE_SPECIAL_CHARS);
$translateTo = Filter::filterInput(INPUT_GET, 'translateTo', FILTER_SANITIZE_SPECIAL_CHARS);
$categoryId = Filter::filterInput(INPUT_GET, 'cat', FILTER_VALIDATE_INT);

if (!is_null($translateTo)) {
Expand All @@ -168,7 +168,7 @@
}
} elseif ('copyentry' === $action) {
$faqData['id'] = Filter::filterInput(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$faqData['lang'] = Filter::filterInput(INPUT_GET, 'lang', FILTER_UNSAFE_RAW);
$faqData['lang'] = Filter::filterInput(INPUT_GET, 'lang', FILTER_SANITIZE_SPECIAL_CHARS);
$categories = $categoryRelation->getCategories($faqData['id'], $faqData['lang']);

$faq->getRecord($faqData['id'], null, true);
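Review bot: `$faqData['lang']`, `$lang` and `$translateTo` are now entity-encoded but still not validated as language codes, and `$faqData['lang']` is passed straight into `$categoryRelation->getCategories()`; encoding special characters does not stop an arbitrary string from reaching that lookup, so a shape or allow-list check such as `if (!preg_match('/^[a-z]{2}(?:-[a-z]{2})?$/i', (string) $lang)) { $lang = null; }` belongs before use (adjusted to the code format this project uses). `sticky` is read with `FILTER_VALIDATE_INT` here but with `FILTER_SANITIZE_SPECIAL_CHARS` in record.add.php and record.save.php in this same commit; the three entry points should agree. Note also that `html_entity_decode($faqData['content'])` at the end of the hunk reverses the encoding applied to `content` a few lines earlier, so `content` is raw HTML from there on — presumably intended for the rich-text editor, but it means this filter is not what protects against stored XSS in answers, which is worth recording with `// content is decoded back to raw HTML here; it must go through the HTML sanitizer before storage or rendering`. The enclosing if/elseif chain starts and ends outside the hunk.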
34 changes: 17 additions & 17 deletions phpmyfaq/admin/record.save.php
Expand Up @@ -50,9 +50,9 @@
);

// FAQ data
$dateStart = Filter::filterInput(INPUT_POST, 'dateStart', FILTER_UNSAFE_RAW);
$dateEnd = Filter::filterInput(INPUT_POST, 'dateEnd', FILTER_UNSAFE_RAW);
$question = Filter::filterInput(INPUT_POST, 'question', FILTER_UNSAFE_RAW);
$dateStart = Filter::filterInput(INPUT_POST, 'dateStart', FILTER_SANITIZE_SPECIAL_CHARS);
$dateEnd = Filter::filterInput(INPUT_POST, 'dateEnd', FILTER_SANITIZE_SPECIAL_CHARS);
$question = Filter::filterInput(INPUT_POST, 'question', FILTER_SANITIZE_SPECIAL_CHARS);
$categories = Filter::filterInputArray(
INPUT_POST,
[
Expand All @@ -62,31 +62,31 @@
],
]
);
$recordLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
$tags = Filter::filterInput(INPUT_POST, 'tags', FILTER_UNSAFE_RAW);
$recordLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_SANITIZE_SPECIAL_CHARS);
$tags = Filter::filterInput(INPUT_POST, 'tags', FILTER_SANITIZE_SPECIAL_CHARS);
$active = 'yes' == Filter::filterInput(
INPUT_POST,
'active',
FILTER_UNSAFE_RAW
FILTER_SANITIZE_SPECIAL_CHARS
) && $user->perm->hasPermission($user->getUserId(), 'approverec') ? 'yes' : 'no';
$sticky = Filter::filterInput(INPUT_POST, 'sticky', FILTER_UNSAFE_RAW);
$sticky = Filter::filterInput(INPUT_POST, 'sticky', FILTER_SANITIZE_SPECIAL_CHARS);
$content = Filter::filterInput(INPUT_POST, 'answer', FILTER_SANITIZE_SPECIAL_CHARS);
$keywords = Filter::filterInput(INPUT_POST, 'keywords', FILTER_UNSAFE_RAW);
$author = Filter::filterInput(INPUT_POST, 'author', FILTER_UNSAFE_RAW);
$keywords = Filter::filterInput(INPUT_POST, 'keywords', FILTER_SANITIZE_SPECIAL_CHARS);
$author = Filter::filterInput(INPUT_POST, 'author', FILTER_SANITIZE_SPECIAL_CHARS);
$email = Filter::filterInput(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$comment = Filter::filterInput(INPUT_POST, 'comment', FILTER_UNSAFE_RAW);
$comment = Filter::filterInput(INPUT_POST, 'comment', FILTER_SANITIZE_SPECIAL_CHARS);
$recordId = Filter::filterInput(INPUT_POST, 'record_id', FILTER_VALIDATE_INT);
$solutionId = Filter::filterInput(INPUT_POST, 'solution_id', FILTER_VALIDATE_INT);
$revision = Filter::filterInput(INPUT_POST, 'revision', FILTER_UNSAFE_RAW);
$revision = Filter::filterInput(INPUT_POST, 'revision', FILTER_SANITIZE_SPECIAL_CHARS);
$revisionId = Filter::filterInput(INPUT_POST, 'revision_id', FILTER_VALIDATE_INT);
$changed = Filter::filterInput(INPUT_POST, 'changed', FILTER_UNSAFE_RAW);
$date = Filter::filterInput(INPUT_POST, 'date', FILTER_UNSAFE_RAW);
$notes = Filter::filterInput(INPUT_POST, 'notes', FILTER_UNSAFE_RAW);
$changed = Filter::filterInput(INPUT_POST, 'changed', FILTER_SANITIZE_SPECIAL_CHARS);
$date = Filter::filterInput(INPUT_POST, 'date', FILTER_SANITIZE_SPECIAL_CHARS);
$notes = Filter::filterInput(INPUT_POST, 'notes', FILTER_SANITIZE_SPECIAL_CHARS);

// Permissions
$faqPermission = new FaqPermission($faqConfig);
$permissions = [];
if ('all' === Filter::filterInput(INPUT_POST, 'userpermission', FILTER_UNSAFE_RAW)) {
if ('all' === Filter::filterInput(INPUT_POST, 'userpermission', FILTER_SANITIZE_SPECIAL_CHARS)) {
$permissions += [
'restricted_user' => [
-1,
Expand All @@ -100,7 +100,7 @@
];
}

if ('all' === Filter::filterInput(INPUT_POST, 'grouppermission', FILTER_UNSAFE_RAW)) {
if ('all' === Filter::filterInput(INPUT_POST, 'grouppermission', FILTER_SANITIZE_SPECIAL_CHARS)) {
$permissions += [
'restricted_groups' => [
-1,
Expand Down Expand Up @@ -231,7 +231,7 @@
}

// All the other translations
$languages = Filter::filterInput(INPUT_POST, 'used_translated_languages', FILTER_UNSAFE_RAW);
$languages = Filter::filterInput(INPUT_POST, 'used_translated_languages', FILTER_SANITIZE_SPECIAL_CHARS);
?>
<script>
(() => {
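Review bot: `$languages` from `used_translated_languages` is read immediately before the `<script>` block; if it is emitted inside that JavaScript (its use is not visible in the hunk), `FILTER_SANITIZE_SPECIAL_CHARS` provides HTML-entity encoding rather than JavaScript escaping, and the safe way to embed it is `echo json_encode($languages, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);`. The same caveat as in the other two files applies here: `dateStart`, `dateEnd`, `date`, `changed` and `lang` are encoded but not validated against a date format or a language-code list, and `sticky` is a sanitized string here while record.edit.php validates it as an int. The `$active` expression correctly gates activation on the `approverec` permission; keep that, but `'yes' ==` should be `'yes' ===` so the comparison does not rely on loose equality with whatever the filter returns when the field is absent. The save logic that consumes these variables is outside the hunk.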
