Merge pull request #14942 from annando/clean-input

Clean input values
This commit is contained in:
Philipp 2025-05-25 10:10:59 +02:00 committed by GitHub
commit 415e7b5f8b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 20 additions and 15 deletions


@ -41,13 +41,13 @@ class Site extends BaseAdmin
return; return;
} }
$sitename = (!empty($_POST['sitename']) ? trim($_POST['sitename']) : ''); $sitename = (!empty($_POST['sitename']) ? strip_tags(trim($_POST['sitename'])) : '');
$sender_email = (!empty($_POST['sender_email']) ? trim($_POST['sender_email']) : ''); $sender_email = (!empty($_POST['sender_email']) ? trim($_POST['sender_email']) : '');
$banner = (!empty($_POST['banner']) ? trim($_POST['banner']) : false); $banner = (!empty($_POST['banner']) ? trim($_POST['banner']) : false);
$email_banner = (!empty($_POST['email_banner']) ? trim($_POST['email_banner']) : false); $email_banner = (!empty($_POST['email_banner']) ? trim($_POST['email_banner']) : false);
$shortcut_icon = (!empty($_POST['shortcut_icon']) ? trim($_POST['shortcut_icon']) : ''); $shortcut_icon = (!empty($_POST['shortcut_icon']) ? trim($_POST['shortcut_icon']) : '');
$touch_icon = (!empty($_POST['touch_icon']) ? trim($_POST['touch_icon']) : ''); $touch_icon = (!empty($_POST['touch_icon']) ? trim($_POST['touch_icon']) : '');
$additional_info = (!empty($_POST['additional_info']) ? trim($_POST['additional_info']) : ''); $additional_info = (!empty($_POST['additional_info']) ? strip_tags(trim($_POST['additional_info'])) : '');
$language = (!empty($_POST['language']) ? trim($_POST['language']) : ''); $language = (!empty($_POST['language']) ? trim($_POST['language']) : '');
$theme = (!empty($_POST['theme']) ? trim($_POST['theme']) : ''); $theme = (!empty($_POST['theme']) ? trim($_POST['theme']) : '');
$theme_mobile = (!empty($_POST['theme_mobile']) ? trim($_POST['theme_mobile']) : ''); $theme_mobile = (!empty($_POST['theme_mobile']) ? trim($_POST['theme_mobile']) : '');
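Review bot: strip_tags() on L16 and L22 is a lossy filter rather than an output-encoding step: it drops everything from an unclosed `<` to the end of the string (a site name like `We <3 Fedi` is stored as `We `) and does nothing for values that later land in an attribute or JavaScript context, so it should not be the XSS control on its own. The robust control is context-aware escaping where `$sitename` and `$additional_info` are rendered, e.g. `htmlspecialchars($sitename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` in the template layer, with this strip kept at most as defense in depth. `$sender_email` on L17 is still only trimmed; if it ends up in a mail header (not visible in this hunk), validating it with `filter_var($sender_email, FILTER_VALIDATE_EMAIL)` and rejecting it on failure would also close header injection via CR/LF. The enclosing method starts and ends outside the hunk.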


@ -128,8 +128,8 @@ class Photos extends \Friendica\Module\BaseProfile
$request = $hook_data['request'] ?? $request; $request = $hook_data['request'] ?? $request;
// Determine the album to use // Determine the album to use
$album = trim($request['album'] ?? ''); $album = strip_tags(trim($request['album'] ?? ''));
$newalbum = trim($request['newalbum'] ?? ''); $newalbum = strip_tags(trim($request['newalbum'] ?? ''));
$this->logger->debug('album= ' . $album . ' newalbum= ' . $newalbum); $this->logger->debug('album= ' . $album . ' newalbum= ' . $newalbum);
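Review bot: Applying strip_tags() to `$album` on L32 alters the lookup key, not just what is displayed: an album created before this change with a `<` in its name (say `Summer <3`) would presumably no longer be selectable, because the request value is reduced to `Summer ` and no longer matches the stored name — the album lookup itself is outside the hunk, so please confirm. If the goal is XSS protection, escape the album name with `htmlspecialchars()` where it is rendered and keep the raw value for the database comparison; if normalising names is intended, existing rows need the same treatment. The debug line on L34 still concatenates request-controlled text, so a CR/LF in an album name can forge extra log lines; passing the values as context, `$this->logger->debug('album selection', ['album' => $album, 'newalbum' => $newalbum]);`, avoids that. The enclosing method starts before and ends after the hunk.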


@ -99,7 +99,7 @@ class Index extends BaseSettings
new ArrayFilterEvent(ArrayFilterEvent::PROFILE_SETTINGS_POST, $request), new ArrayFilterEvent(ArrayFilterEvent::PROFILE_SETTINGS_POST, $request),
)->getArray(); )->getArray();
$dob = trim($request['dob'] ?? ''); $dob = $this->cleanInput($request['dob'] ?? '');
if ($dob && !in_array($dob, ['0000-00-00', DBA::NULL_DATE])) { if ($dob && !in_array($dob, ['0000-00-00', DBA::NULL_DATE])) {
$y = substr($dob, 0, 4); $y = substr($dob, 0, 4);
@ -121,18 +121,18 @@ class Index extends BaseSettings
} }
} }
$username = trim($request['username'] ?? ''); $username = $this->cleanInputText($request['username'] ?? '');
if (!$username) { if (!$username) {
$this->systemMessages->addNotice($this->t('Display Name is required.')); $this->systemMessages->addNotice($this->t('Display Name is required.'));
return; return;
} }
$about = trim($request['about']); $about = $this->cleanInputText($request['about']);
$address = trim($request['address']); $address = $this->cleanInputText($request['address']);
$locality = trim($request['locality']); $locality = $this->cleanInputText($request['locality']);
$region = trim($request['region']); $region = $this->cleanInputText($request['region']);
$postal_code = trim($request['postal_code']); $postal_code = $this->cleanInputText($request['postal_code']);
$country_name = trim($request['country_name']); $country_name = $this->cleanInputText($request['country_name']);
$pub_keywords = self::cleanKeywords(trim($request['pub_keywords'])); $pub_keywords = self::cleanKeywords(trim($request['pub_keywords']));
$prv_keywords = self::cleanKeywords(trim($request['prv_keywords'])); $prv_keywords = self::cleanKeywords(trim($request['prv_keywords']));
$xmpp = $this->cleanInput(trim($request['xmpp'])); $xmpp = $this->cleanInput(trim($request['xmpp']));
@ -377,9 +377,14 @@ class Index extends BaseSettings
return $profileFields; return $profileFields;
} }
private function cleanInputText(string $input): string
{
return trim(strip_tags($input));
}
private function cleanInput(string $input): string private function cleanInput(string $input): string
{ {
return str_replace(['<', '>', '"', ' '], '', $input); return str_replace(['<', '>', '"', "'", ' '], '', $input);
} }
private static function cleanKeywords($keywords): string private static function cleanKeywords($keywords): string
@ -389,7 +394,7 @@ class Index extends BaseSettings
$cleaned = []; $cleaned = [];
foreach ($keywords as $keyword) { foreach ($keywords as $keyword) {
$keyword = trim($keyword); $keyword = trim(str_replace(['<', '>', '"', "'"], '', $keyword));
$keyword = trim($keyword, '#'); $keyword = trim($keyword, '#');
if ($keyword != '') { if ($keyword != '') {
$cleaned[] = $keyword; $cleaned[] = $keyword;
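Review bot: The new `cleanInputText()` calls on L52–L57 throw a TypeError when the field is absent from the request, because the method (L64) declares a non-nullable `string` parameter and `$request['about']` and friends are read without a default, whereas the original `trim(null)` only emitted a deprecation and returned `''` — unless the filter event on L39 guarantees those keys, which is not visible here. L47 already shows the safe pattern; apply it to each of the six lines: `$about = $this->cleanInputText($request['about'] ?? '');`. Separately, `cleanInput()` on L70 is a character blacklist, and for `$dob` (L41), which is then sliced with `substr($dob, 0, 4)`, a positive format check such as `preg_match('/^\d{4}-\d{2}-\d{2}$/', $dob)` before the in_array test would reject malformed input instead of silently reshaping it. Dropping `'` from keywords on L76 also silently rewrites legitimate values like `rock'n'roll`, which is worth a comment if intended.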