| author | polo <ordipolo@gmx.fr> | 2025-06-24 02:02:44 +0200 |
|---|---|---|
| committer | polo <ordipolo@gmx.fr> | 2025-06-24 02:02:44 +0200 |
| commit | 41adf94ebf868232aa43fe9b8b80029896da9da7 (patch) | |
| tree | 3c3842bd1d1830b68576d912cd506859f1dd5bef | |
| parent | ff2a45feb0080b89db8c6193306a4676705ea607 (diff) | |
saisie sécurisée
| -rw-r--r-- | public/css/calendar.css | 4 | ||||
| -rw-r--r-- | public/js/calendar_admin.js | 1 | ||||
| -rw-r--r-- | src/controller/Security.php | 2 | ||||
| -rw-r--r-- | src/controller/ajax_calendar.php | 23 | ||||
| -rw-r--r-- | src/model/entities/Event.php | 32 |
5 files changed, 39 insertions, 23 deletions
diff --git a/public/css/calendar.css b/public/css/calendar.css index fb2b2fa..ba9a462 100644 --- a/public/css/calendar.css +++ b/public/css/calendar.css | |||
| @@ -8,10 +8,10 @@ | |||
| 8 | display: flex; | 8 | display: flex; |
| 9 | gap: 5px; | 9 | gap: 5px; |
| 10 | padding: 15px; | 10 | padding: 15px; |
| 11 | /*max-width: 1000px;*/ | 11 | max-width: 1170px; |
| 12 | } | 12 | } |
| 13 | #calendar{ | 13 | #calendar{ |
| 14 | width: 1170px; | 14 | width: 1165px; /* on enlève le "gap" */ |
| 15 | } | 15 | } |
| 16 | .event_title_box{ | 16 | .event_title_box{ |
| 17 | display: flex; | 17 | display: flex; |
diff --git a/public/js/calendar_admin.js b/public/js/calendar_admin.js index 8d764d8..76a1ce9 100644 --- a/public/js/calendar_admin.js +++ b/public/js/calendar_admin.js | |||
| @@ -206,7 +206,6 @@ document.addEventListener('DOMContentLoaded', function(){ | |||
| 206 | event_start = new Date(event_start).toISOString(); | 206 | event_start = new Date(event_start).toISOString(); |
| 207 | event_end = new Date(event_end).toISOString(); | 207 | event_end = new Date(event_end).toISOString(); |
| 208 | } | 208 | } |
| 209 | console.log(event_end); | ||
| 210 | 209 | ||
| 211 | if(event_start > event_end || (!event_all_day && event_start == event_end)){ | 210 | if(event_start > event_end || (!event_all_day && event_start == event_end)){ |
| 212 | return; | 211 | return; |
diff --git a/src/controller/Security.php b/src/controller/Security.php index cd31cb8..b882d42 100644 --- a/src/controller/Security.php +++ b/src/controller/Security.php | |||
| @@ -22,7 +22,7 @@ class Security | |||
| 22 | // ATTENTION, n'applique pas htmlspecialchars() !! | 22 | // ATTENTION, n'applique pas htmlspecialchars() !! |
| 23 | public static function secureString(string $chaine): string | 23 | public static function secureString(string $chaine): string |
| 24 | { | 24 | { |
| 25 | return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed));; | 25 | return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed)); |
| 26 | } | 26 | } |
| 27 | 27 | ||
| 28 | public static function secureFileName(string $chaine): string | 28 | public static function secureFileName(string $chaine): string |
diff --git a/src/controller/ajax_calendar.php b/src/controller/ajax_calendar.php index 834c88b..79268f6 100644 --- a/src/controller/ajax_calendar.php +++ b/src/controller/ajax_calendar.php | |||
| @@ -46,22 +46,35 @@ elseif(isset($_SESSION['admin']) && $_SESSION['admin'] === true | |||
| 46 | $json = json_decode($data, true); | 46 | $json = json_decode($data, true); |
| 47 | 47 | ||
| 48 | if($_GET['action'] === 'new_event'){ | 48 | if($_GET['action'] === 'new_event'){ |
| 49 | $event = new Event($json['title'], $json['start'], $json['end'], $json['allDay'], $json["description"], $json['color']); | 49 | try{ |
| 50 | 50 | $event = new Event($json); | |
| 51 | } | ||
| 52 | catch(InvalidArgumentException $e){ | ||
| 53 | echo json_encode(['success' => false, 'error' => $e->getMessage()]); | ||
| 54 | http_response_code(400); | ||
| 55 | die; | ||
| 56 | } | ||
| 51 | $entityManager->persist($event); | 57 | $entityManager->persist($event); |
| 52 | $entityManager->flush(); | 58 | $entityManager->flush(); |
| 53 | 59 | ||
| 54 | echo json_encode(['success' => true, 'id' => $event->getId()]); | 60 | echo json_encode(['success' => true, 'id' => $event->getId()]); |
| 55 | } | 61 | } |
| 56 | elseif($_GET['action'] === 'update_event'){ | 62 | elseif($_GET['action'] === 'update_event'){ |
| 57 | $event = $entityManager->find('App\Entity\Event', $json['id']); | 63 | $event = $entityManager->find('App\Entity\Event', (int)$json['id']); |
| 58 | $event->updateFromJSON($json); | 64 | try{ |
| 65 | $event->securedUpdateFromJSON($json); | ||
| 66 | } | ||
| 67 | catch(InvalidArgumentException $e){ | ||
| 68 | echo json_encode(['success' => false, 'error' => $e->getMessage()]); | ||
| 69 | http_response_code(400); | ||
| 70 | die; | ||
| 71 | } | ||
| 59 | $entityManager->flush(); | 72 | $entityManager->flush(); |
| 60 | 73 | ||
| 61 | echo json_encode(['success' => true]); | 74 | echo json_encode(['success' => true]); |
| 62 | } | 75 | } |
| 63 | elseif($_GET['action'] === 'remove_event'){ | 76 | elseif($_GET['action'] === 'remove_event'){ |
| 64 | $event = $entityManager->find('App\Entity\Event', $json['id']); | 77 | $event = $entityManager->find('App\Entity\Event', (int)$json['id']); |
| 65 | $entityManager->remove($event); | 78 | $entityManager->remove($event); |
| 66 | $entityManager->flush(); | 79 | $entityManager->flush(); |
| 67 | 80 | ||
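Review bot: `find()` returns null for an unknown id, and the new `(int)` cast makes that the normal outcome for any non-numeric `id` (it casts to 0), so `$event->securedUpdateFromJSON($json)` on new line 65 and `$entityManager->remove($event)` on new line 78 hit a null and fail with an `Error`/`TypeError` (a 500) instead of a controlled 404. In both new catch blocks `http_response_code(400)` is called after the `echo`; that only works while output buffering is on, so put the status call before the output. If this file declares a namespace (not visible in the hunk), the unqualified `catch(InvalidArgumentException $e)` resolves inside that namespace and never matches the `\InvalidArgumentException` thrown by the entity — write `\InvalidArgumentException` or import it. Both branches sit inside the `elseif(isset($_SESSION['admin']) …)` block, which starts before the hunk and continues past it. One shape for the update branch, with the same guard to be added before `remove()`:
```php
elseif($_GET['action'] === 'update_event'){
    $event = $entityManager->find('App\Entity\Event', (int)$json['id']);
    if($event === null){
        http_response_code(404);
        echo json_encode(['success' => false, 'error' => 'Unknown event']);
        die;
    }
    try{
        $event->securedUpdateFromJSON($json);
    }
    catch(\InvalidArgumentException $e){
        http_response_code(400); // before any output, otherwise the default 200 is already on the wire
        echo json_encode(['success' => false, 'error' => $e->getMessage()]);
        die;
    }
    // … unchanged: flush() and the success response …
}
// … same null guard in the remove_event branch before $entityManager->remove($event) …
```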
diff --git a/src/model/entities/Event.php b/src/model/entities/Event.php index c85832f..ae0d396 100644 --- a/src/model/entities/Event.php +++ b/src/model/entities/Event.php | |||
| @@ -39,23 +39,27 @@ class Event | |||
| 39 | #[ORM\Column(type: 'string', length: 7, nullable: true)] | 39 | #[ORM\Column(type: 'string', length: 7, nullable: true)] |
| 40 | private ?string $color = null; | 40 | private ?string $color = null; |
| 41 | 41 | ||
| 42 | public function __construct(string $title, string|\DateTimeInterface $start, string|\DateTimeInterface $end, bool $all_day, string $description = '', string $color = null){ | 42 | public function __construct(array $json){ |
| 43 | $this->title = $title; | 43 | $this->securedUpdateFromJSON($json); |
| 44 | $this->description = $description; | ||
| 45 | $this->start = gettype($start) === 'string' ? new \DateTime($start) : $start; | ||
| 46 | $this->end = gettype($end) === 'string' ? new \DateTime($end) : $end; | ||
| 47 | $this->all_day = $all_day; | ||
| 48 | $this->color = $color; | ||
| 49 | } | 44 | } |
| 50 | 45 | ||
| 51 | public function updateFromJSON(array $json): void | 46 | public function securedUpdateFromJSON(array $json): void |
| 52 | { | 47 | { |
| 53 | $this->title = $json['title']; | 48 | $this->title = htmlspecialchars($json['title']); |
| 54 | $this->description = $json['description']; | 49 | $this->description = htmlspecialchars($json['description']); |
| 55 | $this->start = new \DateTime($json['start']); | 50 | try{ |
| 56 | $this->end = new \DateTime($json['end']); | 51 | $this->start = new \Datetime($json['start']); |
| 57 | $this->all_day = $json['allDay']; | 52 | $this->end = new \Datetime($json['end']); |
| 58 | $this->color = $json['color']; | 53 | } |
| 54 | catch(\Exception $e){ | ||
| 55 | throw new \InvalidArgumentException('Bad date input'); | ||
| 56 | } | ||
| 57 | $all_day = filter_var($json['allDay'] ?? null, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); | ||
| 58 | if(!is_bool($all_day)){ | ||
| 59 | throw new \InvalidArgumentException('Bad checkbox input'); | ||
| 60 | } | ||
| 61 | $this->all_day = $all_day; | ||
| 62 | $this->color = isset($json['color']) ? htmlspecialchars($json['color']) : null; | ||
| 59 | } | 63 | } |
| 60 | 64 | ||
| 61 | public function getId(): int | 65 | public function getId(): int |
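Review bot: `color` is only HTML-escaped on new line 62 before being stored in a column declared `length: 7` (line 39), so anything that is not a `#rrggbb` literal — a longer string, or a value that presumably ends up in a `style`/background-colour context where HTML escaping is not the relevant escape (not visible here) — passes validation; reject it with `preg_match('/^#[0-9a-fA-F]{6}$/', ...)` rather than escaping it. The `catch(\Exception $e)` around the two `new \Datetime(...)` calls does not cover a non-string `start`/`end` (an array or number in the JSON), which raises a `TypeError` — an `Error`, not an `Exception` — and so escapes as a 500 instead of the intended 400; a missing `title` likewise hands `null` to `htmlspecialchars()`. Nothing server-side checks that `start` is not after `end`, which only the admin JS does, so a direct request can still persist an inverted range. The enclosing `Event` class starts and ends outside the hunk. One shape for the method, keeping the `allDay` handling as it is:
```php
public function securedUpdateFromJSON(array $json): void
{
    foreach(['title', 'start', 'end'] as $key){
        if(!isset($json[$key]) || !is_string($json[$key])){
            throw new \InvalidArgumentException('Bad ' . $key . ' input');
        }
    }
    $this->title = htmlspecialchars($json['title']);
    $this->description = htmlspecialchars((string)($json['description'] ?? ''));
    try{
        $this->start = new \DateTime($json['start']);
        $this->end = new \DateTime($json['end']);
    }
    catch(\Exception $e){
        throw new \InvalidArgumentException('Bad date input');
    }
    if($this->start > $this->end){
        throw new \InvalidArgumentException('Bad date range');
    }
    // … unchanged: allDay boolean check …
    if(isset($json['color'])){
        if(!is_string($json['color']) || !preg_match('/^#[0-9a-fA-F]{6}$/', $json['color'])){
            throw new \InvalidArgumentException('Bad color input');
        }
        $this->color = $json['color']; // fits the length-7 column by construction
    }
    else{
        $this->color = null;
    }
}
```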
