Add rich input sanitization with htmlpurifier

master
Skylar Ittner 7 years ago
parent a8a55f699e
commit 54063e63cd

@ -102,12 +102,17 @@ switch ($VARS['action']) {
die();
}
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$taskdesc = $purifier->purify($VARS['taskdesc']);
//$taskdesc = $VARS['taskdesc'];
if (is_empty($VARS['taskid'])) {
$database->insert('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $VARS['taskdesc'], 'taskcreatoruid' => $_SESSION['uid']]);
$database->insert('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $taskdesc, 'taskcreatoruid' => $_SESSION['uid']]);
$VARS['taskid'] = $database->id();
header('Location: app.php?page=edittask&taskid=' . $database->id() . '&msg=task_saved');
} else {
$database->update('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $VARS['taskdesc']], ['taskid' => $VARS['taskid']]);
$database->update('tasks', ['tasktitle' => $VARS['tasktitle'], 'taskdesc' => $taskdesc], ['taskid' => $VARS['taskid']]);
header('Location: app.php?page=edittask&taskid=' . $VARS['taskid'] . '&msg=task_saved');
}
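Review bot: Only `taskdesc` is run through the purifier; `tasktitle` is still written raw from `$VARS['tasktitle']` on both the insert and the update line, so unless every place that renders the title wraps it in `htmlspecialchars()` it remains an injection point — purifying at write time is not a substitute for escaping at output, and the rendering side is not visible here. `HTMLPurifier_Config::createDefault()` also leaves the definition cache at its default location inside the library's own directory; if the vendor tree is not writable in production HTMLPurifier emits warnings on every call, so set `$config->set('Cache.SerializerPath', $writableDir);` (or disable the cache) and consider narrowing `HTML.Allowed` to the tags the description editor actually produces rather than the permissive default. The commented-out `//$taskdesc = $VARS['taskdesc'];` line is dead code and should be dropped. The enclosing `switch` case starts and ends outside this hunk.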

@ -4,7 +4,8 @@
"type": "project",
"require": {
"catfan/medoo": "^1.2",
"guzzlehttp/guzzle": "^6.2"
"guzzlehttp/guzzle": "^6.2",
"ezyang/htmlpurifier": "^4.9"
},
"license": "OTHER",
"authors": [

60
composer.lock generated

@ -4,7 +4,8 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
"content-hash": "1c8b61c5d506ae016285b99b20040cf0",
"hash": "8e38254e3739787b4de62b754445585d",
"content-hash": "63c81acf75eb3b29eebe3171a18b4d9f",
"packages": [
{
"name": "catfan/medoo",
@ -63,7 +64,54 @@
"sql",
"sqlite"
],
"time": "2017-05-22T04:39:48+00:00"
"time": "2017-05-22 04:39:48"
},
{
"name": "ezyang/htmlpurifier",
"version": "v4.9.3",
"source": {
"type": "git",
"url": "https://github.com/ezyang/htmlpurifier.git",
"reference": "95e1bae3182efc0f3422896a3236e991049dac69"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/95e1bae3182efc0f3422896a3236e991049dac69",
"reference": "95e1bae3182efc0f3422896a3236e991049dac69",
"shasum": ""
},
"require": {
"php": ">=5.2"
},
"require-dev": {
"simpletest/simpletest": "^1.1"
},
"type": "library",
"autoload": {
"psr-0": {
"HTMLPurifier": "library/"
},
"files": [
"library/HTMLPurifier.composer.php"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"LGPL"
],
"authors": [
{
"name": "Edward Z. Yang",
"email": "admin@htmlpurifier.org",
"homepage": "http://ezyang.com"
}
],
"description": "Standards compliant HTML filter written in PHP",
"homepage": "http://htmlpurifier.org/",
"keywords": [
"html"
],
"time": "2017-06-03 02:28:16"
},
{
"name": "guzzlehttp/guzzle",
@ -125,7 +173,7 @@
"rest",
"web service"
],
"time": "2017-02-28T22:50:30+00:00"
"time": "2017-02-28 22:50:30"
},
{
"name": "guzzlehttp/promises",
@ -176,7 +224,7 @@
"keywords": [
"promise"
],
"time": "2016-12-20T10:07:11+00:00"
"time": "2016-12-20 10:07:11"
},
{
"name": "guzzlehttp/psr7",
@ -241,7 +289,7 @@
"uri",
"url"
],
"time": "2017-03-20T17:10:46+00:00"
"time": "2017-03-20 17:10:46"
},
{
"name": "psr/http-message",
@ -291,7 +339,7 @@
"request",
"response"
],
"time": "2016-08-06T14:39:51+00:00"
"time": "2016-08-06 14:39:51"
}
],
"packages-dev": [],

@ -57,10 +57,10 @@ if (!is_empty($taskid) && $database->has('assigned_tasks', ['taskid' => $taskid]
<?php lang("assigned to") ?>:
<input type="text" id="assigned-to-box" name="assignedto" class="form-control" autocomplete="off" value="<?php echo (is_null($tass['userid']) ? "" : getUserByID($tass['userid'])['username'] ); ?>" placeholder="<?php lang("nobody") ?>" />
<br />
<?php lang("assigned on 2") ?>: <input type="datetime-local" class="form-control" id="assigned-on-box" name="taskassignedon" value="<?php echo date('o-m-d\TH:i:s', strtotime($task['taskassignedon'])); ?>" />
<p><i class="fa fa-info-circle"></i> <?php lang("use now tip") ?></p>
<?php lang("assigned on 2") ?>: <input type="datetime-local" class="form-control" id="assigned-on-box" name="taskassignedon" value="<?php echo (is_empty($task['taskassignedon']) ? "" : date('o-m-d\TH:i:s', strtotime($task['taskassignedon']))); ?>" />
<!--<p><i class="fa fa-info-circle"></i> <?php lang("use now tip") ?></p>-->
<br />
<?php lang("due by 2") ?>: <input type="datetime-local" class="form-control" id="due-by-box" name="taskdueby" value="<?php echo date('o-m-d\TH:i:s', strtotime($task['taskdueby'])); ?>"/>
<?php lang("due by 2") ?>: <input type="datetime-local" class="form-control" id="due-by-box" name="taskdueby" value="<?php echo (is_empty($task['taskdueby']) ? "" : date('o-m-d\TH:i:s', strtotime($task['taskdueby']))); ?>"/>
<br />
<button id="savebtn" type="submit" class="btn btn-success"><i class="fa fa-floppy-o"></i> <?php lang("save task") ?></button>
<a class="btn btn-warning" href="app.php?page=taskman"><i class="fa fa-times"></i> <?php lang("exit") ?></a>
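Review bot: Both rewritten `value` expressions format the year with `o`, which is the ISO-8601 week-numbering year and differs from the calendar year `Y` around year boundaries (for example 2018-12-31 renders as 2019-12-31), so the prefilled datetime-local inputs will be wrong on those days; use `date('Y-m-d\TH:i:s', strtotime($task['taskassignedon']))` and `date('Y-m-d\TH:i:s', strtotime($task['taskdueby']))`. The new `is_empty()` guards only cover an empty value; if the stored string is present but unparseable, `strtotime()` returns `false` and `date()` silently renders 1970-01-01, so checking the `strtotime()` result (a `checkIsAValidDate()` helper appears elsewhere in this commit) before formatting would avoid showing a bogus epoch date. The surrounding form markup continues outside this hunk.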

@ -156,7 +156,7 @@ function checkDBError($specials = []) {
}
/*
* http://stackoverflow.com/a/20075147/2534036
* http://stackoverflow.com/a/20075147
*/
if (!function_exists('base_url')) {
@ -200,7 +200,7 @@ function redirectIfNotLoggedIn() {
}
/**
* http://stackoverflow.com/a/24401462/2534036
* http://stackoverflow.com/a/24401462
*/
function checkIsAValidDate($myDateString) {
return (bool) strtotime($myDateString);
