Secure vars to display

This commit is contained in:
Phyks 2013-08-26 21:21:52 +02:00
parent 109aae4cbe
commit af10ae7445
5 changed files with 69 additions and 16 deletions

9
TODO
View File

@ -1,9 +1,8 @@
* i18n * i18n
* Vérification des variables dans les classes + throw exception
* htmlspecialchars => on users objects
* handle negative amounts * handle negative amounts
* Refactor load method to avoir load_* methods ! * Refactor load method to avoir load_* methods !
* Test remember_me * Test remember_me
* TODO in files
inc/Invoices.class.php : inc/Invoices.class.php :
======================== ========================
@ -15,11 +14,13 @@ Manage paybacks :
================= =================
* TODO : Payback system * TODO : Payback system
TODO :
======
* Add / Edit a bill
Tests : Tests :
======= =======
* Remember me ? * Remember me ?
* Add a bill
* Edit a bill
Tests passed (quick tests) : Tests passed (quick tests) :
============================ ============================

View File

@ -1,5 +1,7 @@
<?php <?php
// TODO : Users in // TODO : Users in
// TODO : date format
require_once('data/config.php'); require_once('data/config.php');
require_once('Storage.class.php'); require_once('Storage.class.php');
@ -107,4 +109,17 @@
return false; return false;
} }
} }
// Maps htmlspecialchars on the class before display
// =================================================
public function secureDisplay() {
$this->id = (int) $this->id;
$this->what = htmlspecialchars($this->what);
$this->amount = (float) $this->amount;
$this->buyer = (int) $this->buyer;
$this->users_in = htmlspecialchars($this->users_in);
$this->date = htmlspecialchars($this->date);
return $this;
}
} }

View File

@ -144,4 +144,15 @@ class User extends Storage {
return false; return false;
} }
} }
// Maps htmlspecialchars on the class before display
// =================================================
public function secureDisplay() {
$this->id = (int) $this->id;
$this->login = htmlspecialchars($this->login);
$this->display_name = htmlspecialchars($this->display_name);
$this->admin = (int) $this->admin;
return $this;
}
} }

View File

@ -10,3 +10,30 @@
function setNotice($notice) { function setNotice($notice) {
return file_put_contents('data/notice', $notice); return file_put_contents('data/notice', $notice);
} }
function secureDisplay($unsecured) {
$return = NULL;
if(is_array($unsecured)) {
$return = array();
foreach($unsecured as $key=>$unsecured_item) {
$return[$key] = secureDisplay($unsecured_item);
}
}
elseif(is_object($unsecured)) {
$return = $unsecured->secureDisplay();
}
elseif(is_numeric($unsecured)) {
if(intval($unsecured) == floatval($unsecured))
$return = (int) $unsecured;
else
$return = (float) $unsecured;
}
elseif(is_bool($unsecured)) {
$return = (bool) $unsecured;
}
else {
$return = htmlspecialchars($unsecured);
}
return $return;
}

View File

@ -43,7 +43,7 @@
else { else {
$current_user = false; $current_user = false;
} }
$tpl->assign('current_user', $current_user); $tpl->assign('current_user', secureDisplay($current_user));
// If not connected, redirect to connection page // If not connected, redirect to connection page
if($current_user === false && (empty($_GET['do']) OR $_GET['do'] != 'connect')) { if($current_user === false && (empty($_GET['do']) OR $_GET['do'] != 'connect')) {
@ -177,7 +177,7 @@
$user_id = (int) $_GET['user_id']; $user_id = (int) $_GET['user_id'];
$user = new User(); $user = new User();
$user->load_user(array('id'=>$user_id)); $user->load_user(array('id'=>$user_id));
$tpl->assign('user_data', $user); $tpl->assign('user_data', $user->secureDisplay());
} }
$tpl->assign('user_id', (!empty($user_id) ? (int) $user_id : -1)); $tpl->assign('user_id', (!empty($user_id) ? (int) $user_id : -1));
$tpl->assign('view', 'edit_user'); $tpl->assign('view', 'edit_user');
@ -186,7 +186,7 @@
$users_list = new User(); $users_list = new User();
$users_list = $users_list->load_users(); $users_list = $users_list->load_users();
$tpl->assign('users', $users_list); $tpl->assign('users', secureDisplay($users_list));
$tpl->assign('view', 'list_users'); $tpl->assign('view', 'list_users');
} }
$tpl->assign('login_post', (!empty($_POST['login']) ? htmlspecialchars($_POST['login']) : '')); $tpl->assign('login_post', (!empty($_POST['login']) ? htmlspecialchars($_POST['login']) : ''));
@ -215,7 +215,6 @@
exit(); exit();
} }
$tpl->assign('notice', getNotice());
$tpl->assign('show_settings', false); $tpl->assign('show_settings', false);
$tpl->draw('settings'); $tpl->draw('settings');
break; break;
@ -264,10 +263,10 @@
} }
} }
$tpl->assign('mysql_host', MYSQL_HOST); $tpl->assign('mysql_host', htmlspecialchars(MYSQL_HOST));
$tpl->assign('mysql_login', MYSQL_LOGIN); $tpl->assign('mysql_login', htmlspecialchars(MYSQL_LOGIN));
$tpl->assign('mysql_db', MYSQL_DB); $tpl->assign('mysql_db', htmlspecialchars(MYSQL_DB));
$tpl->assign('mysql_prefix', MYSQL_PREFIX); $tpl->assign('mysql_prefix', htmlspecialchars(MYSQL_PREFIX));
$tpl->assign('timezone', @date_default_timezone_get()); $tpl->assign('timezone', @date_default_timezone_get());
$tpl->assign('show_settings', true); $tpl->assign('show_settings', true);
$tpl->assign('token', generate_token('settings')); $tpl->assign('token', generate_token('settings'));
@ -329,7 +328,7 @@
$users_list = new User(); $users_list = new User();
$users_list = $users_list->load_users(); $users_list = $users_list->load_users();
$tpl->assign('days', range(1,31)); // TODO : Improve it $tpl->assign('days', range(1,31));
$tpl->assign('months', range(1, 12)); $tpl->assign('months', range(1, 12));
$tpl->assign('years', range(date('Y') - 1, date('Y') + 1)); $tpl->assign('years', range(date('Y') - 1, date('Y') + 1));
@ -338,7 +337,7 @@
$tpl->assign('year_post', (!empty($date_year) ? (int) $date_year : (int) date('Y'))); $tpl->assign('year_post', (!empty($date_year) ? (int) $date_year : (int) date('Y')));
$tpl->assign('amount_post', (!empty($amount) ? (float) $amount : 0)); $tpl->assign('amount_post', (!empty($amount) ? (float) $amount : 0));
$tpl->assign('what_post', (!empty($what) ? htmlspecialchars($what) : '')); $tpl->assign('what_post', (!empty($what) ? htmlspecialchars($what) : ''));
$tpl->assign('users', $users_list); $tpl->assign('users', secureDisplay($users_list));
$tpl->assign('users_in', (!empty($users_in) ? $users_in : array())); $tpl->assign('users_in', (!empty($users_in) ? $users_in : array()));
$tpl->assign('guests', (!empty($guests) ? $guests : array())); $tpl->assign('guests', (!empty($guests) ? $guests : array()));
$tpl->assign('id', (!empty($_GET['id']) ? (int) $_GET['id'] : 0)); $tpl->assign('id', (!empty($_GET['id']) ? (int) $_GET['id'] : 0));
@ -364,8 +363,8 @@
$invoices_list = new Invoice(); $invoices_list = new Invoice();
$invoices_list = $invoices_list->load_invoices(); $invoices_list = $invoices_list->load_invoices();
$tpl->assign('users', $users_list); $tpl->assign('users', secureDisplay($users_list));
$tpl->assign('invoices', $invoices_list); $tpl->assign('invoices', secureDisplay($invoices_list));
$tpl->draw('index'); $tpl->draw('index');
break; break;