Commit 2190b11c authored by Elias Villiger's avatar Elias Villiger

Change sanitize function back, add separate checkMinMax function #5309

parent 07317b2a
......@@ -30,25 +30,17 @@ class Sanitize {
/**
* Check $value against given checkType/pattern. If check succeed, returns values.
* If check fails, depending on $mode, throws an UserException or return an empty string.
* Performs checkType checks and min/max checks.
*
* @param string $value value to check
* @param $formElement
* @param string $sanitizeClass
* @param string $pattern Pattern as regexp
* @param string $mode SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING
*
* @return string
* @throws UserFormException
* @throws \qfq\CodeException
*/
public static function sanitize($value, $formElement, $mode = SANITIZE_EMPTY_STRING) {
$sanitizeClass = Support::setIfNotSet($formElement, FE_CHECK_TYPE, SANITIZE_DEFAULT);
$pattern = Support::setIfNotSet($formElement, FE_CHECK_PATTERN);
$min = Support::setIfNotSet($formElement, FE_MIN, null);
$max = Support::setIfNotSet($formElement, FE_MAX, null);
// TODO: $minMaxCompareMode
$errorCode = 0;
$errorText = '';
public static function sanitize($value, $sanitizeClass = SANITIZE_DEFAULT, $pattern = '', $mode = SANITIZE_EMPTY_STRING) {
// Prepare pattern check
switch ($sanitizeClass) {
case SANITIZE_ALLOW_PATTERN:
......@@ -64,41 +56,62 @@ class Sanitize {
break;
case SANITIZE_ALLOW_ALL: // no checkType specified.
$pattern = '';
break;
return $value;
default:
throw new CodeException("Unknown checkType: " . $sanitizeClass, ERROR_UNKNOWN_CHECKTYPE);
}
// Pattern check
if (pattern != '' && preg_match("/$pattern/", $value) !== 1) {
if ($pattern === '' || preg_match("/$pattern/", $value) === 1)
return $value;
// check failed
if ($mode === SANITIZE_EXCEPTION) {
$errorCode = ERROR_PATTERN_VIOLATION;
$errorText = "Value '$value' violates checkrule " . $sanitizeClass . " with pattern '$pattern'.";
throw new UserFormException($errorText, $errorCode);
}
// Min/max check (only necessary if pattern check passed)
// TODO: minMaxCompareMode: Default richtet sich nach Type des FE (bei type date: string, ansonsten: numerical)
if ($errorCode == 0) {
if ($min !== null && $value < $min) {
$errorCode = ERROR_SMALLER_THAN_MIN;
$errorText = "Value '$value' is smaller than the allowed minimum of '$min'.";
}
if ($max !== null && $value > $max) {
$errorCode = ERROR_LARGER_THAN_MAX;
$errorText = "Value '$value' is larger than the allowed maximum of '$max'.";
}
return '';
}
/**
* Check $value against $formElement's min/max values. If check succeeds, returns value.
* If check fails, depending on $mode, throws an UserException or return an empty string.
*
* @param string $value value to check
* @param $formElement
* @param string $mode SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING
*
* @return string
* @throws UserFormException
* @throws \qfq\CodeException
*/
public static function checkMinMax($value, $formElement, $mode = SANITIZE_EMPTY_STRING) {
$min = Support::setIfNotSet($formElement, FE_MIN, null);
$max = Support::setIfNotSet($formElement, FE_MAX, null);
$errorCode = 0;
$errorText = '';
if ($min !== null && $value < $min) {
$errorCode = ERROR_SMALLER_THAN_MIN;
$errorText = "Value '$value' is smaller than the allowed minimum of '$min'.";
}
if ($max !== null && $value > $max) {
$errorCode = ERROR_LARGER_THAN_MAX;
$errorText = "Value '$value' is larger than the allowed maximum of '$max'.";
}
if ($errorCode == 0) {
if ($errorCode == 0)
return $value;
} else { // check failed
if ($mode === SANITIZE_EXCEPTION) {
throw new UserFormException($errorText, $errorCode);
}
return '';
// check failed
if ($mode === SANITIZE_EXCEPTION) {
throw new UserFormException($errorText, $errorCode);
}
return '';
}
/**
......
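Review bot: The new pattern check `if ($pattern === '' || preg_match("/$pattern/", $value) === 1)` cannot tell a mismatch from a pattern that failed to compile or hit a PCRE limit, because preg_match returns false in both of those cases and false is treated as "check failed": in SANITIZE_EMPTY_STRING mode a misconfigured checkPattern silently blanks every value, and in SANITIZE_EXCEPTION mode the user is blamed for a form-definition error. I would capture the result, `$matched = preg_match("/$pattern/", $value);`, and on `$matched === false` throw a CodeException naming the pattern (reusing ERROR_UNKNOWN_CHECKTYPE unless a dedicated code exists) before the existing UserFormException path. Note also that `$pattern` is interpolated between `/` delimiters unescaped and is not anchored, so whether a pattern-based class accepts only the whole value depends on the patterns assigned in the switch cases that fall between the two hunks and are not visible here; a `preg_quote`-free pattern containing `/` will fall into the same false-returns-as-mismatch trap. In checkMinMax, `$value < $min` relies on PHP's loose comparison (numeric strings compare numerically, anything else as strings), which the TODO on minMaxCompareMode already acknowledges; until that lands, a non-numeric value against a numeric bound will be compared lexicographically, so the result for such input is effectively undefined and worth a comment at the call.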
......@@ -222,32 +222,36 @@ class FillStoreForm {
// copy value to $newValues
if (isset($clientValues[$clientFieldName])) {
if ($formElement[FE_DYNAMIC_UPDATE] === 'yes' || $formElement[FE_MODE] === FE_MODE_REQUIRED || $formElement[FE_MODE] === FE_MODE_SHOW) {
$val = $clientValues[$clientFieldName];
switch ($formElement[FE_TYPE]) {
case FE_TYPE_DATE:
case FE_TYPE_DATETIME:
case FE_TYPE_TIME:
if ($clientValues[$clientFieldName] !== '') // do not check empty values
$newValues[$formElement[FE_NAME]] = $this->doDateTime($formElement, $clientValues[$clientFieldName]);
$val = $this->doDateTime($formElement, $val);
break;
default:
$val = $clientValues[$clientFieldName];
if ($formElement[FE_TYPE] == FE_TYPE_EDITOR) {
// Tiny MCE always wrap a '<p>' around the content. Remove it before saving.
$val = Support::unWrapTag('<p>', $val);
}
// Check only if their is something.
// Check only if there is something.
if ($val !== '') {
$val = Sanitize::sanitize($val, $formElement, SANITIZE_EXCEPTION);
$val = Sanitize::sanitize($val, $formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], SANITIZE_EXCEPTION);
if ($formElement[FE_ENCODE] === FE_ENCODE_SPECIALCHAR) {
// $val = htmlspecialchars($val, ENT_QUOTES);
$val = Support::htmlEntityEncodeDecode(MODE_ENCODE, $val);
}
}
$newValues[$formElement[FE_NAME]] = $val;
break;
}
if ($val !== '')
$val = Sanitize::checkMinMax($val, $formElement, SANITIZE_EXCEPTION);
$newValues[$formElement[FE_NAME]] = $val;
}
}
}
......
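Review bot: The date/datetime/time branch has lost its empty-value guard: the old code only called doDateTime when the client value was non-empty, while the new line `$val = $this->doDateTime($formElement, $val);` runs unconditionally, so an empty date field is now handed to doDateTime, whose handling of '' I cannot see from this hunk. Unless doDateTime is known to return '' for '', I would restore the guard, `if ($val !== '') $val = $this->doDateTime($formElement, $val);`, so that the later `if ($val !== '')` before checkMinMax keeps skipping empty dates as the comment "do not check empty values" intended. A smaller point is ordering: for the default branch, checkMinMax now runs on the value after FE_ENCODE_SPECIALCHAR encoding; that is harmless for plain digits but it is the encoded string, not the user's value, that is compared against FE_MIN/FE_MAX, so moving the min/max check ahead of the encode step would make the comparison independent of the encode setting. The enclosing method starts and ends outside this section.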
......@@ -473,13 +473,12 @@ class Store {
$rawVal = isset(self::$raw[$store][$finalKey]) ? self::$raw[$store][$finalKey] : null;
if (self::$sanitizeStore[$store] && $sanitizeClass != '') {
if ($sanitizeClass == SANITIZE_ALLOW_PATTERN) {
if ($sanitizeClass == SANITIZE_ALLOW_PATTERN || $sanitizeClass == SANITIZE_ALLOW_MIN_MAX || $sanitizeClass == SANITIZE_ALLOW_MIN_MAX_DATE) {
// We do not have any pattern at this point. For those who be affected, they already checked earlier. So set 'no check'
$sanitizeClass = SANITIZE_ALLOW_ALL;
}
$pseudoFormElement = [ FE_CHECK_TYPE => $sanitizeClass ];
return \qfq\Sanitize::sanitize($rawVal, $pseudoFormElement, SANITIZE_EMPTY_STRING);
return \qfq\Sanitize::sanitize($rawVal, $sanitizeClass, '', SANITIZE_EMPTY_STRING);
} else {
if ($store == STORE_SIP && (substr($key, 0, $len) == SIP_PREFIX_BASE64)) {
$rawVal = base64_decode($rawVal);
......
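Review bot: Treating SANITIZE_ALLOW_MIN_MAX and SANITIZE_ALLOW_MIN_MAX_DATE as SANITIZE_ALLOW_ALL means any read through this store path of such an element performs no check at all, and the inline comment justifies it only by assuming the value "already checked earlier" in FillStoreForm; that assumption holds for values that came in through the form fill, but this branch fires for every store with sanitizeStore enabled, so values that reached a store some other way are passed through unchecked. Since min/max elements hold numeric or date strings, a restrictive fallback is cheaper than unrestricted: `if ($sanitizeClass == SANITIZE_ALLOW_PATTERN) { $sanitizeClass = SANITIZE_ALLOW_ALL; }` followed by `elseif ($sanitizeClass == SANITIZE_ALLOW_MIN_MAX || $sanitizeClass == SANITIZE_ALLOW_MIN_MAX_DATE) { $sanitizeClass = SANITIZE_DEFAULT; }`, assuming SANITIZE_DEFAULT (the default checkType in Sanitize::sanitize) is a restrictive class — its definition is not visible here. At minimum the comment should state explicitly that min/max enforcement happens only in FillStoreForm and not on store reads, so the next maintainer does not take this call as a validation boundary. The enclosing function starts and ends outside this section.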