Don't strip characters from direct messages

2018-12-28 22:32:36 +01:00 · 2018-12-28 22:32:36 +01:00 · 012d5a4722
parent 540efef63e
commit 012d5a4722
3 changed files with 16 additions and 26 deletions
--- a/includes/model/Message_model.php
+++ b/includes/model/Message_model.php
@ -1,6 +1,7 @@
 <?php

 use Engelsystem\Database\DB;
+use Engelsystem\Models\User\User;

 /**
 * Returns Message id array
@ -26,7 +27,6 @@ function Message($message_id)
 }

 /**
- * TODO: use validation functions, return new message id
 * send message
 *
 * @param int    $receiver_user_id User ID of Receiver
@ -36,32 +36,21 @@ function Message($message_id)
 function Message_send($receiver_user_id, $text)
 {
    $user = auth()->user();
+    $receiver = User::find($receiver_user_id);

-    $text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($text));
-    $receiver_user_id = preg_replace('/([^\d]{1,})/ui', '', strip_tags($receiver_user_id));
+    if (empty($text) || !$receiver || $receiver->id == $user->id) {
+        return false;
+    }

-    if (
-        ($text != '' && is_numeric($receiver_user_id))
-        && count(DB::select('
-            SELECT `id`
-            FROM `users`
-            WHERE `id` = ?
-            AND NOT `id` = ?
-            LIMIT 1
-        ', [$receiver_user_id, $user->id])) > 0
-    ) {
-        return DB::insert('
+    return DB::insert('
            INSERT INTO `Messages` (`Datum`, `SUID`, `RUID`, `Text`)
            VALUES(?, ?, ?, ?)
            ',
-            [
-                time(),
-                $user->id,
-                $receiver_user_id,
-                $text
-            ]
-        );
-    }
-
-    return false;
+        [
+            time(),
+            $user->id,
+            $receiver->id,
+            $text
+        ]
+    );
 }
--- a/includes/pages/user_messages.php
+++ b/includes/pages/user_messages.php
@ -88,7 +88,7 @@ function user_messages()
                'timestamp' => date('Y-m-d H:i', $message['Datum']),
                'from'      => User_Nick_render($sender_user_source),
                'to'        => User_Nick_render($receiver_user_source),
-                'text'      => str_replace("\n", '<br />', $message['Text'])
+                'text'      => nl2br(htmlspecialchars($message['Text']))
            ];

            if ($message['RUID'] == $user->id) {
@ -167,7 +167,6 @@ function user_messages()
                break;

            case 'send':
-                // @TODO: Validation?
                if (Message_send($request->input('to'), $request->input('text'))) {
                    redirect(page_link_to('user_messages'));
                } else {
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@ -197,6 +197,7 @@ function strip_request_item_nl($name, $default_value = null)
 {
    $request = request();
    if ($request->has($name)) {
+        // Only allow letters, symbols, punctuation, separators, numbers and newlines without html tags
        return preg_replace(
            "/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+\n]{1,})/ui",
            '',
@ -214,6 +215,7 @@ function strip_request_item_nl($name, $default_value = null)
 */
 function strip_item($item)
 {
+    // Only allow letters, symbols, punctuation, separators and numbers without html tags
    return preg_replace("/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+]{1,})/ui", '', strip_tags($item));
 }