From 41adf94ebf868232aa43fe9b8b80029896da9da7 Mon Sep 17 00:00:00 2001
From: polo
Date: Tue, 24 Jun 2025 02:02:44 +0200
Subject: =?UTF-8?q?saisie=20s=C3=A9curis=C3%A9e?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 public/css/calendar.css | 4 ++--
 public/js/calendar_admin.js | 1 -
 src/controller/Security.php | 2 +-
 src/controller/ajax_calendar.php | 23 ++++++++++++++++++-----
 src/model/entities/Event.php | 32 ++++++++++++++++++--------------
 5 files changed, 39 insertions(+), 23 deletions(-)
diff --git a/public/css/calendar.css b/public/css/calendar.css
index fb2b2fa..ba9a462 100644
--- a/public/css/calendar.css
+++ b/public/css/calendar.css
@@ -8,10 +8,10 @@
 display: flex;
 gap: 5px;
 padding: 15px;
- /*max-width: 1000px;*/
+ max-width: 1170px;
 }
 #calendar{
- width: 1170px;
+ width: 1165px; /* on enlève le "gap" */
 }
 .event_title_box{
 display: flex;
diff --git a/public/js/calendar_admin.js b/public/js/calendar_admin.js
index 8d764d8..76a1ce9 100644
--- a/public/js/calendar_admin.js
+++ b/public/js/calendar_admin.js
@@ -206,7 +206,6 @@ document.addEventListener('DOMContentLoaded', function(){
 event_start = new Date(event_start).toISOString();
 event_end = new Date(event_end).toISOString();
 }
- console.log(event_end);
 if(event_start > event_end || (!event_all_day && event_start == event_end)){
 return;
diff --git a/src/controller/Security.php b/src/controller/Security.php
index cd31cb8..b882d42 100644
--- a/src/controller/Security.php
+++ b/src/controller/Security.php
@@ -22,7 +22,7 @@ class Security
 // ATTENTION, n'applique pas htmlspecialchars() !!
 public static function secureString(string $chaine): string
 {
- return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed));;
+ return trim(htmLawed($chaine, self::$configHtmLawed, self::$specHtmLawed));
 }
 public static function secureFileName(string $chaine): string
diff --git a/src/controller/ajax_calendar.php b/src/controller/ajax_calendar.php
index 834c88b..79268f6 100644
--- a/src/controller/ajax_calendar.php
+++ b/src/controller/ajax_calendar.php
@@ -46,22 +46,35 @@ elseif(isset($_SESSION['admin']) && $_SESSION['admin'] === true
 $json = json_decode($data, true);
 if($_GET['action'] === 'new_event'){
- $event = new Event($json['title'], $json['start'], $json['end'], $json['allDay'], $json["description"], $json['color']);
-
+ try{
+ $event = new Event($json);
+ }
+ catch(InvalidArgumentException $e){
+ echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+ http_response_code(400);
+ die;
+ }
 $entityManager->persist($event);
 $entityManager->flush();
 echo json_encode(['success' => true, 'id' => $event->getId()]);
 }
 elseif($_GET['action'] === 'update_event'){
- $event = $entityManager->find('App\Entity\Event', $json['id']);
- $event->updateFromJSON($json);
+ $event = $entityManager->find('App\Entity\Event', (int)$json['id']);
+ try{
+ $event->securedUpdateFromJSON($json);
+ }
+ catch(InvalidArgumentException $e){
+ echo json_encode(['success' => false, 'error' => $e->getMessage()]);
+ http_response_code(400);
+ die;
+ }
 $entityManager->flush();
 echo json_encode(['success' => true]);
 }
 elseif($_GET['action'] === 'remove_event'){
- $event = $entityManager->find('App\Entity\Event', $json['id']);
+ $event = $entityManager->find('App\Entity\Event', (int)$json['id']);
 $entityManager->remove($event);
 $entityManager->flush();
diff --git a/src/model/entities/Event.php b/src/model/entities/Event.php
index c85832f..ae0d396 100644
--- a/src/model/entities/Event.php
+++ b/src/model/entities/Event.php
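Review bot: In both new `catch(InvalidArgumentException $e)` blocks, `http_response_code(400)` is called after `echo`, so unless output buffering is enabled the headers have already gone out with a 200 and PHP only emits a "headers already sent" warning; set the status first: `http_response_code(400); echo json_encode(['success' => false, 'error' => $e->getMessage()]); die;`. The `update_event` and `remove_event` branches also call `securedUpdateFromJSON()` / `remove()` on whatever `find()` returns, and an unknown or non-numeric id yields `null` there, which becomes a fatal error (500) instead of a client error; a guard such as `if ($event === null) { http_response_code(404); echo json_encode(['success' => false, 'error' => 'Unknown event']); die; }` after each `find()` closes that. If this file is namespaced, the unqualified `InvalidArgumentException` in the catch needs a leading backslash or a `use` import to match the `\InvalidArgumentException` that Event throws — the file header is outside this hunk, so I cannot tell. `$json` is likewise used unchecked after the `json_decode()` context line, so a malformed body reaches `new Event(null)` as a TypeError rather than the 400 path.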
@@ -39,23 +39,27 @@ class Event
 #[ORM\Column(type: 'string', length: 7, nullable: true)]
 private ?string $color = null;
- public function __construct(string $title, string|\DateTimeInterface $start, string|\DateTimeInterface $end, bool $all_day, string $description = '', string $color = null){
- $this->title = $title;
- $this->description = $description;
- $this->start = gettype($start) === 'string' ? new \DateTime($start) : $start;
- $this->end = gettype($end) === 'string' ? new \DateTime($end) : $end;
- $this->all_day = $all_day;
- $this->color = $color;
+ public function __construct(array $json){
+ $this->securedUpdateFromJSON($json);
 }
- public function updateFromJSON(array $json): void
+ public function securedUpdateFromJSON(array $json): void
 {
- $this->title = $json['title'];
- $this->description = $json['description'];
- $this->start = new \DateTime($json['start']);
- $this->end = new \DateTime($json['end']);
- $this->all_day = $json['allDay'];
- $this->color = $json['color'];
+ $this->title = htmlspecialchars($json['title']);
+ $this->description = htmlspecialchars($json['description']);
+ try{
+ $this->start = new \Datetime($json['start']);
+ $this->end = new \Datetime($json['end']);
+ }
+ catch(\Exception $e){
+ throw new \InvalidArgumentException('Bad date input');
+ }
+ $all_day = filter_var($json['allDay'] ?? null, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
+ if(!is_bool($all_day)){
+ throw new \InvalidArgumentException('Bad checkbox input');
+ }
+ $this->all_day = $all_day;
+ $this->color = isset($json['color']) ? htmlspecialchars($json['color']) : null;
 }
 public function getId(): int
-- 
cgit v1.2.3
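Review bot: `securedUpdateFromJSON()` reads `$json['title']`, `$json['description']`, `$json['start']` and `$json['end']` without an existence or type check, so a missing key reaches `htmlspecialchars(null)` / `new \Datetime(null)` as a warning plus deprecation rather than the `InvalidArgumentException` the controller now catches, and an empty `start` string is silently accepted as "now". There is also no server-side check that `start` is not after `end`, even though calendar_admin.js enforces it in this same commit, and `color` is stored unvalidated into a column declared `length: 7`. The rewrite below validates each field before assignment so every rejection takes the exception path the caller already handles; the `#rrggbb` pattern is my reading of the 7-character column and should be confirmed against the front-end picker. Note that applying `htmlspecialchars()` at storage time means the persisted value is already HTML-encoded, so whatever renders or exports it must not escape it a second time — worth a comment on the `$title`/`$description` properties declared above this hunk. `\Datetime` also differs in case from the `\DateTime`/`\DateTimeInterface` spelled in the removed constructor; class lookup is case-insensitive, so that is style only.
```php
    public function securedUpdateFromJSON(array $json): void
    {
        $title = $json['title'] ?? null;
        if (!is_string($title) || trim($title) === '') {
            throw new \InvalidArgumentException('Bad title input');
        }
        $this->title = htmlspecialchars($title);

        $description = $json['description'] ?? '';
        if (!is_string($description)) {
            throw new \InvalidArgumentException('Bad description input');
        }
        $this->description = htmlspecialchars($description);

        // Reject missing/empty strings explicitly: new \DateTime('') silently means "now".
        $start = $json['start'] ?? null;
        $end = $json['end'] ?? null;
        if (!is_string($start) || $start === '' || !is_string($end) || $end === '') {
            throw new \InvalidArgumentException('Bad date input');
        }
        try {
            $this->start = new \DateTime($start);
            $this->end = new \DateTime($end);
        } catch (\Exception $e) {
            throw new \InvalidArgumentException('Bad date input', previous: $e);
        }
        // Mirrors the client-side check in calendar_admin.js; the server must enforce it too.
        if ($this->start > $this->end) {
            throw new \InvalidArgumentException('Bad date input');
        }

        // … unchanged: allDay validation via filter_var() …

        // Column is length 7: expected to be a #rrggbb value — confirm against the picker.
        $color = $json['color'] ?? null;
        if ($color !== null && (!is_string($color) || !preg_match('/^#[0-9a-fA-F]{6}$/', $color))) {
            throw new \InvalidArgumentException('Bad color input');
        }
        $this->color = $color;
    }
```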