Don't strip characters from direct messages

This commit is contained in:
Igor Scheller 2018-12-28 22:32:36 +01:00 committed by msquare
parent 540efef63e
commit 012d5a4722
3 changed files with 16 additions and 26 deletions


@ -1,6 +1,7 @@
<?php <?php
use Engelsystem\Database\DB; use Engelsystem\Database\DB;
use Engelsystem\Models\User\User;
/** /**
* Returns Message id array * Returns Message id array
@ -26,7 +27,6 @@ function Message($message_id)
} }
/** /**
* TODO: use validation functions, return new message id
* send message * send message
* *
* @param int $receiver_user_id User ID of Receiver * @param int $receiver_user_id User ID of Receiver
@ -36,20 +36,12 @@ function Message($message_id)
function Message_send($receiver_user_id, $text) function Message_send($receiver_user_id, $text)
{ {
$user = auth()->user(); $user = auth()->user();
$receiver = User::find($receiver_user_id);
$text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($text)); if (empty($text) || !$receiver || $receiver->id == $user->id) {
$receiver_user_id = preg_replace('/([^\d]{1,})/ui', '', strip_tags($receiver_user_id)); return false;
}
if (
($text != '' && is_numeric($receiver_user_id))
&& count(DB::select('
SELECT `id`
FROM `users`
WHERE `id` = ?
AND NOT `id` = ?
LIMIT 1
', [$receiver_user_id, $user->id])) > 0
) {
return DB::insert(' return DB::insert('
INSERT INTO `Messages` (`Datum`, `SUID`, `RUID`, `Text`) INSERT INTO `Messages` (`Datum`, `SUID`, `RUID`, `Text`)
VALUES(?, ?, ?, ?) VALUES(?, ?, ?, ?)
@ -57,11 +49,8 @@ function Message_send($receiver_user_id, $text)
[ [
time(), time(),
$user->id, $user->id,
$receiver_user_id, $receiver->id,
$text $text
] ]
); );
}
return false;
} }
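Review bot: `empty($text)` in the new guard at the top of Message_send rejects a message whose whole body is the string `'0'` and still accepts whitespace-only text; `trim((string) $text) === ''` keeps the old `$text != ''` intent without the `'0'` hole, e.g. `if (trim((string) $text) === '' || !$receiver || $receiver->id === $user->id) {`. With the preg_replace/strip_tags pass gone, `Text` is now stored verbatim, so every reader of `Messages.Text` must escape it for its own output context (the user_messages change in this commit does that for one view; any other readers are outside this diff). `$receiver->id == $user->id` can be `===`, since both ids come from the same model. Message_send's body is split across the two hunks of this section.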


@ -88,7 +88,7 @@ function user_messages()
'timestamp' => date('Y-m-d H:i', $message['Datum']), 'timestamp' => date('Y-m-d H:i', $message['Datum']),
'from' => User_Nick_render($sender_user_source), 'from' => User_Nick_render($sender_user_source),
'to' => User_Nick_render($receiver_user_source), 'to' => User_Nick_render($receiver_user_source),
'text' => str_replace("\n", '<br />', $message['Text']) 'text' => nl2br(htmlspecialchars($message['Text']))
]; ];
if ($message['RUID'] == $user->id) { if ($message['RUID'] == $user->id) {
@ -167,7 +167,6 @@ function user_messages()
break; break;
case 'send': case 'send':
// @TODO: Validation?
if (Message_send($request->input('to'), $request->input('text'))) { if (Message_send($request->input('to'), $request->input('text'))) {
redirect(page_link_to('user_messages')); redirect(page_link_to('user_messages'));
} else { } else {
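Review bot: `htmlspecialchars($message['Text'])` on the `'text'` line relies on the default flags, which on the PHP versions current for this commit do not include ENT_QUOTES (single quotes pass through into the markup) or ENT_SUBSTITUTE (a malformed UTF-8 byte makes the call return an empty string, so the whole message silently vanishes); since the input side no longer normalises the text, such bytes can now reach the database unless the request layer validates encoding. Pass the flags explicitly: `'text' => nl2br(htmlspecialchars($message['Text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))`. user_messages starts and ends outside the hunk.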


@ -197,6 +197,7 @@ function strip_request_item_nl($name, $default_value = null)
{ {
$request = request(); $request = request();
if ($request->has($name)) { if ($request->has($name)) {
// Only allow letters, symbols, punctuation, separators, numbers and newlines without html tags
return preg_replace( return preg_replace(
"/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+\n]{1,})/ui", "/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+\n]{1,})/ui",
'', '',
@ -214,6 +215,7 @@ function strip_request_item_nl($name, $default_value = null)
*/ */
function strip_item($item) function strip_item($item)
{ {
// Only allow letters, symbols, punctuation, separators and numbers without html tags
return preg_replace("/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+]{1,})/ui", '', strip_tags($item)); return preg_replace("/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+]{1,})/ui", '', strip_tags($item));
} }
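Review bot: The new comments on strip_request_item_nl and strip_item list the allowed classes but not the failure mode: with the `u` modifier preg_replace returns null instead of a string when the input is not valid UTF-8, so both functions can hand null to callers that expect the stripped string. Suggest appending to each comment `// Returns null (not '') when the input is not valid UTF-8, because preg_replace with /u rejects it`. The literal `+` inside the character class is already covered by `\p{S}`, so the comment does not need to treat it as a separate case. strip_request_item_nl begins outside the hunk.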