Commit 9e2a53af authored by Elias Villiger

Add min/max constants, refactor Sanitize::sanitize() #5309

parent 7bdb6f36
......@@ -962,6 +962,10 @@ const FE_IMAGE_CUT_ORIGINAL_EXTENSION = '.save';
const FE_FLAG_ROW_OPEN_TAG = '_flagRowOpenTag'; // will be automatically computed during Formload: true | false
const FE_FLAG_ROW_CLOSE_TAG = '_flagRowCloseTag'; // will be automatically computed during Formload: true | false
const FE_MIN = 'min';
const FE_MAX = 'max';
const FE_MIN_MAX_COMPARE_MODE = 'minMaxCompareMode';
const RETYPE_FE_NAME_EXTENSION = 'RETYPE';
const TYPEAHEAD_PLACEHOLDER = '?';
......@@ -58,7 +58,7 @@ class Evaluate {
}
/**
* Evaluate a whole array or a array of arrays.
* Evaluate a whole array or an array of arrays.
*
* @param $tokenArray
* @param array $skip Optional Array with keynames, which will not be evaluated.
......@@ -654,7 +654,7 @@ class QuickFormQuery {
$formSpec = $this->eval->parseArray($form);
// Setting defaults later is to late.
// Setting defaults later is too late.
if (!isset($formSpec[F_DB_INDEX_DATA])) {
$formSpec[F_DB_INDEX_DATA] = $this->dbIndexData;
}
......@@ -96,7 +96,7 @@ $UPDATE_ARRAY = array(
'0.25.10' => [
"ALTER TABLE `FormElement` CHANGE `type` `type` ENUM( 'checkbox', 'date', 'datetime', 'dateJQW', 'datetimeJQW', 'extra', 'gridJQW', 'text', 'editor', 'annotate', 'imageCut', 'time', 'note', 'password', 'radio', 'select', 'subrecord', 'upload', 'fieldset', 'pill', 'templateGroup', 'beforeLoad', 'beforeSave', 'beforeInsert', 'beforeUpdate', 'beforeDelete', 'afterLoad', 'afterSave', 'afterInsert', 'afterUpdate', 'afterDelete', 'sendMail', 'paste' ) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'text';",
],
]
);
......@@ -32,71 +32,22 @@ class Sanitize {
* If check fails, depending on $mode, throws an UserException or return an empty string.
*
* @param string $value value to check
* @param string $sanitizeClass SANITIZE_ALLOW_*
* @param string $patternOrRange Pattern as regexp or MIN|MAX values
* @param $formElement
* @param string $mode SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING
*
* @return string
* @throws UserFormException
* @throws \qfq\CodeException
*/
public static function sanitize($value, $sanitizeClass = SANITIZE_DEFAULT, $patternOrRange = '', $mode = SANITIZE_EMPTY_STRING) {
$pattern = '';
$minMax = array();
$valueCompare = '';
public static function sanitize($value, $formElement, $mode = SANITIZE_EMPTY_STRING) {
$sanitizeClass = $formElement[FE_CHECK_TYPE] || SANITIZE_DEFAULT;
$pattern = $formElement[FE_CHECK_PATTERN] || '';
$errorCode = 0;
$errorText = '';
// Prepare MIN|MAX
switch ($sanitizeClass) {
case SANITIZE_ALLOW_MIN_MAX:
$minMax = explode('|', $patternOrRange);
$valueCompare = $value;
break;
case SANITIZE_ALLOW_MIN_MAX_DATE:
$minMax = explode('|', $patternOrRange);
//TODO: hier sollten die Exceptions abgefangen werden um zwei unterschiedliche Fehlermeldungen ausgeben zu koenenn:
// a) der Value verletzt die Datumsgrenzen
// b) die Definition der Grenzen ist buggy
// try {
$valueCompare = Support::dateTimeGermanToInternational($value);
// } catch (UserFormException $e) {
// throw new UserFormException("Date or time not recognized '" . $value . "' - " . $e->formatMessage(), ERROR_SANATIZE_INVALID_VALUE);
// }
// try {
$minMax[0] = Support::dateTimeGermanToInternational($minMax[0]);
$minMax[1] = Support::dateTimeGermanToInternational($minMax[1]);
// } catch (UserFormException $e) {
// throw new UserFormException("Date or time of min|max definition not recognized '" . $patternOrRange . "' - " . $e->formatMessage(), ERROR_SANATIZE_INVALID_VALUE);
// }
break;
default:
break;
}
// Prepare Check
switch ($sanitizeClass) {
case SANITIZE_ALLOW_MIN_MAX:
case SANITIZE_ALLOW_MIN_MAX_DATE:
if ($minMax[0] === '' || $minMax[1] === '') {
throw new UserFormException('Missing definition of value for min or max.', ERROR_MISSING_MIN_MAX);
}
$errorText = "Value '$value' is out of range of '$patternOrRange'.";
if ($minMax[0] <= $valueCompare && $valueCompare <= $minMax[1])
return $value;
$errorCode = ERROR_MIN_MAX_VIOLATION;
break;
case SANITIZE_ALLOW_PATTERN:
$pattern = $patternOrRange;
break;
case SANITIZE_ALLOW_DIGIT:
......@@ -105,7 +56,7 @@ class Sanitize {
case SANITIZE_ALLOW_ALNUMX:
case SANITIZE_ALLOW_ALLBUT:
$arr = self::inputCheckPatternArray();
$pattern = $arr[$sanitizeClass];
$pattern = $arr[$sanitizeClass];
break;
case SANITIZE_ALLOW_ALL: // no checktype specified.
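Review bot: `$sanitizeClass = $formElement[FE_CHECK_TYPE] || SANITIZE_DEFAULT;` at the top of the new sanitize() body assigns a boolean, not the check type, because PHP's `||` yields true/false rather than the first truthy operand; the same applies to `$pattern = $formElement[FE_CHECK_PATTERN] || '';`. With `$sanitizeClass === true`, the loose comparison in `switch ($sanitizeClass)` matches the first `case` whose constant is truthy, so the configured checkType is ignored and every value is validated against whichever class happens to be listed first — a silent validation bypass for all the other classes — while `$pattern` can never be a usable regexp. Replace both lines with explicit presence tests, e.g. `$sanitizeClass = empty($formElement[FE_CHECK_TYPE]) ? SANITIZE_DEFAULT : $formElement[FE_CHECK_TYPE];` and `$pattern = isset($formElement[FE_CHECK_PATTERN]) ? $formElement[FE_CHECK_PATTERN] : '';`. The function's body continues past the end of this hunk, so I cannot see how the removed min/max handling has been replaced; a unit test that passes each SANITIZE_ALLOW_* class and asserts the matching rejection would catch this regression.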
......@@ -239,7 +239,7 @@ class FillStoreForm {
// Check only if their is something.
if ($val !== '') {
$val = Sanitize::sanitize($val, $formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], SANITIZE_EXCEPTION);
$val = Sanitize::sanitize($val, $formElement, SANITIZE_EXCEPTION);
if ($formElement[FE_ENCODE] === FE_ENCODE_SPECIALCHAR) {
// $val = htmlspecialchars($val, ENT_QUOTES);
$val = Support::htmlEntityEncodeDecode(MODE_ENCODE, $val);
......@@ -473,12 +473,13 @@ class Store {
$rawVal = isset(self::$raw[$store][$finalKey]) ? self::$raw[$store][$finalKey] : null;
if (self::$sanitizeStore[$store] && $sanitizeClass != '') {
if ($sanitizeClass == SANITIZE_ALLOW_PATTERN || $sanitizeClass == SANITIZE_ALLOW_MIN_MAX || $sanitizeClass == SANITIZE_ALLOW_MIN_MAX_DATE) {
// We do not have any pattern or min|max values at this point. For those who be affected, they already checked earlier. So set 'no check'
if ($sanitizeClass == SANITIZE_ALLOW_PATTERN) {
// We do not have any pattern at this point. For those who be affected, they already checked earlier. So set 'no check'
$sanitizeClass = SANITIZE_ALLOW_ALL;
}
return \qfq\Sanitize::sanitize($rawVal, $sanitizeClass, '', SANITIZE_EMPTY_STRING);
$pseudoFormElement = [ FE_CHECK_TYPE => $sanitizeClass ];
return \qfq\Sanitize::sanitize($rawVal, $pseudoFormElement, SANITIZE_EMPTY_STRING);
} else {
if ($store == STORE_SIP && (substr($key, 0, $len) == SIP_PREFIX_BASE64)) {
$rawVal = base64_decode($rawVal);
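Review bot: The pseudo form element built at `$pseudoFormElement = [ FE_CHECK_TYPE => $sanitizeClass ];` carries only the check type, yet the new sanitize() in this same commit reads `$formElement[FE_CHECK_PATTERN]` unconditionally, and the previous remap of SANITIZE_ALLOW_MIN_MAX / SANITIZE_ALLOW_MIN_MAX_DATE to SANITIZE_ALLOW_ALL has been dropped, so a min/max class now reaches sanitize() with no FE_MIN/FE_MAX bounds at all. Whether that produces an undefined-index notice, an exception, or lets the value through unchecked depends on code outside this hunk; please confirm, and either keep the min/max remap in the condition above or pass explicit empty bounds: `$pseudoFormElement = [FE_CHECK_TYPE => $sanitizeClass, FE_CHECK_PATTERN => '', FE_MIN => '', FE_MAX => ''];`. The comment "We do not have any pattern at this point" should then also mention that min/max bounds are unavailable here. The enclosing method starts before and continues after this hunk.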