authorpolo <ordipolo@gmx.fr>2025-06-24 02:02:44 +0200
committerpolo <ordipolo@gmx.fr>2025-06-24 02:02:44 +0200
commit41adf94ebf868232aa43fe9b8b80029896da9da7 (patch)
tree3c3842bd1d1830b68576d912cd506859f1dd5bef /src
parentff2a45feb0080b89db8c6193306a4676705ea607 (diff)
saisie sécurisée
Diffstat (limited to 'src')
-rw-r--r--src/controller/Security.php2
-rw-r--r--src/controller/ajax_calendar.php23
-rw-r--r--src/model/entities/Event.php32
3 files changed, 37 insertions, 20 deletions
diff --git a/src/controller/Security.php b/src/controller/Security.php
index cd31cb8..b882d42 100644
--- a/src/controller/Security.php
+++ b/src/controller/Security.php
@@ -22,7 +22,7 @@ class Security
22 // ATTENTION, n'applique pas htmlspecialchars() !! 22 // ATTENTION, n'applique pas htmlspecialchars() !!
23 public static function secureString(string $chaine): string 23 public static function secureString(string $chaine): string
24 { 24 {
25 return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed));; 25 return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed));
26 } 26 }
27 27
28 public static function secureFileName(string $chaine): string 28 public static function secureFileName(string $chaine): string
diff --git a/src/controller/ajax_calendar.php b/src/controller/ajax_calendar.php
index 834c88b..79268f6 100644
--- a/src/controller/ajax_calendar.php
+++ b/src/controller/ajax_calendar.php
@@ -46,22 +46,35 @@ elseif(isset($_SESSION['admin']) && $_SESSION['admin'] === true
46 $json = json_decode($data, true); 46 $json = json_decode($data, true);
47 47
48 if($_GET['action'] === 'new_event'){ 48 if($_GET['action'] === 'new_event'){
49 $event = new Event($json['title'], $json['start'], $json['end'], $json['allDay'], $json["description"], $json['color']); 49 try{
50 50 $event = new Event($json);
51 }
52 catch(InvalidArgumentException $e){
53 echo json_encode(['success' => false, 'error' => $e->getMessage()]);
54 http_response_code(400);
55 die;
56 }
51 $entityManager->persist($event); 57 $entityManager->persist($event);
52 $entityManager->flush(); 58 $entityManager->flush();
53 59
54 echo json_encode(['success' => true, 'id' => $event->getId()]); 60 echo json_encode(['success' => true, 'id' => $event->getId()]);
55 } 61 }
56 elseif($_GET['action'] === 'update_event'){ 62 elseif($_GET['action'] === 'update_event'){
57 $event = $entityManager->find('App\Entity\Event', $json['id']); 63 $event = $entityManager->find('App\Entity\Event', (int)$json['id']);
58 $event->updateFromJSON($json); 64 try{
65 $event->securedUpdateFromJSON($json);
66 }
67 catch(InvalidArgumentException $e){
68 echo json_encode(['success' => false, 'error' => $e->getMessage()]);
69 http_response_code(400);
70 die;
71 }
59 $entityManager->flush(); 72 $entityManager->flush();
60 73
61 echo json_encode(['success' => true]); 74 echo json_encode(['success' => true]);
62 } 75 }
63 elseif($_GET['action'] === 'remove_event'){ 76 elseif($_GET['action'] === 'remove_event'){
64 $event = $entityManager->find('App\Entity\Event', $json['id']); 77 $event = $entityManager->find('App\Entity\Event', (int)$json['id']);
65 $entityManager->remove($event); 78 $entityManager->remove($event);
66 $entityManager->flush(); 79 $entityManager->flush();
67 80
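Review bot: `$entityManager->find()` returns null for an unknown id, and the new `(int)$json['id']` cast on lines 63 and 77 turns a missing or non-numeric id into 0, so `$event->securedUpdateFromJSON($json)` (line 65) and `$entityManager->remove($event)` (line 78) can still be called on null and the request ends in a fatal error instead of a clean 4xx. A second issue in both new catch blocks is ordering: `http_response_code(400)` is called after `echo json_encode(...)`, so unless output buffering happens to be on, the headers have already gone out with a 200 status; set the status before emitting the body, e.g. `http_response_code(400); echo json_encode([...]); die;`. The enclosing `elseif(isset($_SESSION['admin']) ...)` block starts before this hunk, so I cannot see whether `$json` is checked for being an array after `json_decode` (an invalid body gives null and `new Event(null)` throws a TypeError, not the caught InvalidArgumentException). Suggested shape for the update branch (the remove branch needs the same null guard):
```php
$event = $entityManager->find('App\Entity\Event', (int)($json['id'] ?? 0));
if($event === null){
    http_response_code(404);
    echo json_encode(['success' => false, 'error' => 'Unknown event']);
    die;
}
try{
    $event->securedUpdateFromJSON($json);
}
catch(InvalidArgumentException $e){
    http_response_code(400);
    echo json_encode(['success' => false, 'error' => $e->getMessage()]);
    die;
}
// … unchanged: flush and success response …
```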
diff --git a/src/model/entities/Event.php b/src/model/entities/Event.php
index c85832f..ae0d396 100644
--- a/src/model/entities/Event.php
+++ b/src/model/entities/Event.php
@@ -39,23 +39,27 @@ class Event
39 #[ORM\Column(type: 'string', length: 7, nullable: true)] 39 #[ORM\Column(type: 'string', length: 7, nullable: true)]
40 private ?string $color = null; 40 private ?string $color = null;
41 41
42 public function __construct(string $title, string|\DateTimeInterface $start, string|\DateTimeInterface $end, bool $all_day, string $description = '', string $color = null){ 42 public function __construct(array $json){
43 $this->title = $title; 43 $this->securedUpdateFromJSON($json);
44 $this->description = $description;
45 $this->start = gettype($start) === 'string' ? new \DateTime($start) : $start;
46 $this->end = gettype($end) === 'string' ? new \DateTime($end) : $end;
47 $this->all_day = $all_day;
48 $this->color = $color;
49 } 44 }
50 45
51 public function updateFromJSON(array $json): void 46 public function securedUpdateFromJSON(array $json): void
52 { 47 {
53 $this->title = $json['title']; 48 $this->title = htmlspecialchars($json['title']);
54 $this->description = $json['description']; 49 $this->description = htmlspecialchars($json['description']);
55 $this->start = new \DateTime($json['start']); 50 try{
56 $this->end = new \DateTime($json['end']); 51 $this->start = new \Datetime($json['start']);
57 $this->all_day = $json['allDay']; 52 $this->end = new \Datetime($json['end']);
58 $this->color = $json['color']; 53 }
54 catch(\Exception $e){
55 throw new \InvalidArgumentException('Bad date input');
56 }
57 $all_day = filter_var($json['allDay'] ?? null, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
58 if(!is_bool($all_day)){
59 throw new \InvalidArgumentException('Bad checkbox input');
60 }
61 $this->all_day = $all_day;
62 $this->color = isset($json['color']) ? htmlspecialchars($json['color']) : null;
59 } 63 }
60 64
61 public function getId(): int 65 public function getId(): int
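Review bot: `htmlspecialchars($json['color'])` on new line 62 escapes the value but does not validate it, and the column is declared `length: 7` on line 39, so anything that is not a `#rrggbb` string is either stored as an unexpected value or, once `&`/`<` are expanded to entities, exceeds the column length; a strict check such as `if($color !== null && !preg_match('/^#[0-9a-fA-F]{6}$/', $color)) throw new \InvalidArgumentException('Bad color input');` is what actually constrains it. The date guard on lines 50–56 also misses the absent-key case: when `start` or `end` is not in `$json`, `new \DateTime(null)` does not throw (it is a deprecation on PHP 8.1+ and is treated as "now"), so the event silently gets the current time instead of a 400. The `allDay` handling with `FILTER_NULL_ON_FAILURE` is the right pattern; the same "reject rather than coerce" approach should apply to the strings. Note too that title and description are now stored already HTML-escaped; if any template escapes on output as well (I cannot see the views), those fields will double-encode, which is usually a sign escaping belongs at output time rather than at persistence. Proposed replacement for the date and color parts of `securedUpdateFromJSON`:
```php
$start = $json['start'] ?? null;
$end = $json['end'] ?? null;
if(!is_string($start) || !is_string($end)){
    throw new \InvalidArgumentException('Bad date input');
}
// … unchanged: try/catch around new \DateTime($start) / new \DateTime($end) …
$color = $json['color'] ?? null;
if($color !== null && (!is_string($color) || !preg_match('/^#[0-9a-fA-F]{6}$/', $color))){
    throw new \InvalidArgumentException('Bad color input');
}
$this->color = $color;
```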