diff options
| author | polo <ordipolo@gmx.fr> | 2025-06-24 02:02:44 +0200 |
|---|---|---|
| committer | polo <ordipolo@gmx.fr> | 2025-06-24 02:02:44 +0200 |
| commit | 41adf94ebf868232aa43fe9b8b80029896da9da7 (patch) | |
| tree | 3c3842bd1d1830b68576d912cd506859f1dd5bef /src/controller | |
| parent | ff2a45feb0080b89db8c6193306a4676705ea607 (diff) | |
| download | cms-41adf94ebf868232aa43fe9b8b80029896da9da7.tar.gz cms-41adf94ebf868232aa43fe9b8b80029896da9da7.tar.bz2 cms-41adf94ebf868232aa43fe9b8b80029896da9da7.zip | |
saisie sécurisée
Diffstat (limited to 'src/controller')
| -rw-r--r-- | src/controller/Security.php | 2 | ||||
| -rw-r--r-- | src/controller/ajax_calendar.php | 23 |
2 files changed, 19 insertions, 6 deletions
diff --git a/src/controller/Security.php b/src/controller/Security.php index cd31cb8..b882d42 100644 --- a/src/controller/Security.php +++ b/src/controller/Security.php | |||
| @@ -22,7 +22,7 @@ class Security | |||
| 22 | // ATTENTION, n'applique pas htmlspecialchars() !! | 22 | // ATTENTION, n'applique pas htmlspecialchars() !! |
| 23 | public static function secureString(string $chaine): string | 23 | public static function secureString(string $chaine): string |
| 24 | { | 24 | { |
| 25 | return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed));; | 25 | return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed)); |
| 26 | } | 26 | } |
| 27 | 27 | ||
| 28 | public static function secureFileName(string $chaine): string | 28 | public static function secureFileName(string $chaine): string |
diff --git a/src/controller/ajax_calendar.php b/src/controller/ajax_calendar.php index 834c88b..79268f6 100644 --- a/src/controller/ajax_calendar.php +++ b/src/controller/ajax_calendar.php | |||
| @@ -46,22 +46,35 @@ elseif(isset($_SESSION['admin']) && $_SESSION['admin'] === true | |||
| 46 | $json = json_decode($data, true); | 46 | $json = json_decode($data, true); |
| 47 | 47 | ||
| 48 | if($_GET['action'] === 'new_event'){ | 48 | if($_GET['action'] === 'new_event'){ |
| 49 | $event = new Event($json['title'], $json['start'], $json['end'], $json['allDay'], $json["description"], $json['color']); | 49 | try{ |
| 50 | 50 | $event = new Event($json); | |
| 51 | } | ||
| 52 | catch(InvalidArgumentException $e){ | ||
| 53 | echo json_encode(['success' => false, 'error' => $e->getMessage()]); | ||
| 54 | http_response_code(400); | ||
| 55 | die; | ||
| 56 | } | ||
| 51 | $entityManager->persist($event); | 57 | $entityManager->persist($event); |
| 52 | $entityManager->flush(); | 58 | $entityManager->flush(); |
| 53 | 59 | ||
| 54 | echo json_encode(['success' => true, 'id' => $event->getId()]); | 60 | echo json_encode(['success' => true, 'id' => $event->getId()]); |
| 55 | } | 61 | } |
| 56 | elseif($_GET['action'] === 'update_event'){ | 62 | elseif($_GET['action'] === 'update_event'){ |
| 57 | $event = $entityManager->find('App\Entity\Event', $json['id']); | 63 | $event = $entityManager->find('App\Entity\Event', (int)$json['id']); |
| 58 | $event->updateFromJSON($json); | 64 | try{ |
| 65 | $event->securedUpdateFromJSON($json); | ||
| 66 | } | ||
| 67 | catch(InvalidArgumentException $e){ | ||
| 68 | echo json_encode(['success' => false, 'error' => $e->getMessage()]); | ||
| 69 | http_response_code(400); | ||
| 70 | die; | ||
| 71 | } | ||
| 59 | $entityManager->flush(); | 72 | $entityManager->flush(); |
| 60 | 73 | ||
| 61 | echo json_encode(['success' => true]); | 74 | echo json_encode(['success' => true]); |
| 62 | } | 75 | } |
| 63 | elseif($_GET['action'] === 'remove_event'){ | 76 | elseif($_GET['action'] === 'remove_event'){ |
| 64 | $event = $entityManager->find('App\Entity\Event', $json['id']); | 77 | $event = $entityManager->find('App\Entity\Event', (int)$json['id']); |
| 65 | $entityManager->remove($event); | 78 | $entityManager->remove($event); |
| 66 | $entityManager->flush(); | 79 | $entityManager->flush(); |
| 67 | 80 | ||