Feature 4437 violate sanitize message

e48fa888 · Carsten Rose · c4f24888 · e48fa888 · e48fa888 · e48fa888
Commit e48fa888 authored Feb 03, 2018 by Carsten Rose
--- a/extension/qfq/qfq/AbstractBuildForm.php
+++ b/extension/qfq/qfq/AbstractBuildForm.php
@@ -1129,14 +1129,16 @@ abstract class AbstractBuildForm {
        }

        $attribute .= $this->getAttributeList($formElement, [FE_INPUT_AUTOCOMPLETE, 'autofocus', 'placeholder']);
-        $attribute .= $this->getAttributeList($formElement, [F_FE_DATA_PATTERN_ERROR, F_FE_DATA_REQUIRED_ERROR, F_FE_DATA_MATCH_ERROR, F_FE_DATA_ERROR]);
-        $attribute .= Support::doAttribute('data-load', ($formElement[FE_DYNAMIC_UPDATE] === 'yes') ? 'data-load' : '');
-        $attribute .= Support::doAttribute('title', $formElement[FE_TOOLTIP]);

-        $pattern = Sanitize::getInputCheckPattern($formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], $formElement[FE_DECIMAL_FORMAT]);
+        $pattern = Sanitize::getInputCheckPattern($formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], $formElement[FE_DECIMAL_FORMAT], $sanitizeMessage);
        $attribute .= ($pattern === '') ? '' : 'pattern="' . $pattern . '" ';
+        if (empty($formElement[F_FE_DATA_PATTERN_ERROR])) {
+            $formElement[F_FE_DATA_PATTERN_ERROR] = $sanitizeMessage;
+        };
+        $attribute .= $this->getAttributeList($formElement, [F_FE_DATA_PATTERN_ERROR, F_FE_DATA_REQUIRED_ERROR, F_FE_DATA_MATCH_ERROR, F_FE_DATA_ERROR, FE_MIN, FE_MAX]);
+        $attribute .= Support::doAttribute('data-load', ($formElement[FE_DYNAMIC_UPDATE] === 'yes') ? 'data-load' : '');
+        $attribute .= Support::doAttribute('title', $formElement[FE_TOOLTIP]);

-        $attribute .= $this->getAttributeList($formElement, [FE_MIN, FE_MAX]);

        $attribute .= $this->getAttributeFeMode($formElement[FE_MODE], false);

@@ -3113,7 +3115,7 @@ abstract class AbstractBuildForm {
        $attribute .= Support::doAttribute('data-load', ($formElement[FE_DYNAMIC_UPDATE] === 'yes') ? 'data-load' : '');
        $attribute .= Support::doAttribute('title', $formElement[FE_TOOLTIP]);

-        $pattern = Sanitize::getInputCheckPattern($formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN]);
+        $pattern = Sanitize::getInputCheckPattern($formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], '', $rcSanitizeMessage);
        $attribute .= ($pattern === '') ? '' : 'pattern="' . $pattern . '" ';

        $attribute .= $this->getAttributeList($formElement, [FE_MIN, FE_MAX]);

--- a/extension/qfq/qfq/helper/Sanitize.php
+++ b/extension/qfq/qfq/helper/Sanitize.php
@@ -22,6 +22,26 @@ require_once(__DIR__ . '/../../qfq/Constants.php');
 */
 class Sanitize {

+    private static $sanitizePattern = [
+        SANITIZE_ALLOW_ALNUMX => '^[@\-_\.,;: \/\(\)a-zA-Z0-9ÀÈÌÒÙàèìòùÁÉÍÓÚÝáéíóúýÂÊÎÔÛâêîôûÃÑÕãñõÄËÏÖÜŸäëïöüÿç]*$', // ':alnum:' does not work here in FF
+        SANITIZE_ALLOW_DIGIT => '^[\d]*$',
+        SANITIZE_ALLOW_NUMERICAL => '^[\d.+-]*$',
+        SANITIZE_ALLOW_EMAIL => '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$',
+        SANITIZE_ALLOW_PATTERN => '',
+        SANITIZE_ALLOW_ALLBUT => '^[^\[\]{}%&\\\\#]*$',
+        SANITIZE_ALLOW_ALL => '.*',
+    ];
+
+    private static $sanitizeMessage = [
+        SANITIZE_ALLOW_ALNUMX => 'Allowed characters: 0...9, [latin character], @-_.m;: /()',
+        SANITIZE_ALLOW_DIGIT => 'Allowed characters: 0...9',
+        SANITIZE_ALLOW_NUMERICAL => 'Allowed characters: 0...9 and .+-',
+        SANITIZE_ALLOW_EMAIL => 'Requested format: string@domain',
+        SANITIZE_ALLOW_PATTERN => 'Please match the requested format',
+        SANITIZE_ALLOW_ALLBUT => 'Forbidden characters: ^[]{}%&\#',
+        SANITIZE_ALLOW_ALL => '',
+    ];
+

    private function __construct() {
        // Class should never be instantiated
@@ -42,7 +62,8 @@ class Sanitize {
     * @throws \qfq\CodeException
     */
    public static function sanitize($value, $sanitizeClass = SANITIZE_DEFAULT, $pattern = '', $decimalFormat = '', $mode = SANITIZE_EMPTY_STRING) {
-        $pattern = self::getInputCheckPattern($sanitizeClass, $pattern, $decimalFormat);
+
+        $pattern = self::getInputCheckPattern($sanitizeClass, $pattern, $decimalFormat, $dummy);

        // Pattern check
        if ($pattern === '' || preg_match("/$pattern/", $value) === 1) {
@@ -65,10 +86,12 @@ class Sanitize {
     * @param string $pattern
     * @param string $decimalFormat e.g. "10,2"
     *
+     * @param string $rcSanitizeMessage Message specific to a pattern
     * @return string
     * @throws CodeException
     */
-    public static function getInputCheckPattern($checkType = SANITIZE_DEFAULT, $pattern = '', $decimalFormat = '') {
+    public static function getInputCheckPattern($checkType = SANITIZE_DEFAULT, $pattern = '', $decimalFormat = '', &$rcSanitizeMessage) {
+
        switch ($checkType) {
            case SANITIZE_ALLOW_PATTERN:
                return $pattern;
@@ -82,19 +105,21 @@ class Sanitize {
            case SANITIZE_ALLOW_EMAIL:
            case SANITIZE_ALLOW_ALNUMX:
            case SANITIZE_ALLOW_ALLBUT:
-                $arr = self::inputCheckPatternArray();
-                $pattern = $arr[$checkType];
+            $pattern = self::$sanitizePattern[$checkType];
                break;

            default:
                throw new CodeException("Unknown checkType: " . $checkType, ERROR_UNKNOWN_CHECKTYPE);
        }

+        $rcSanitizeMessage = self::$sanitizeMessage[$checkType];
+
        // decimalFormat
        if ($decimalFormat != '' && $checkType !== SANITIZE_ALLOW_DIGIT) {
            // overwrite pattern with decimalFormat pattern
            $decimalFormatArray = explode(',', $decimalFormat);
            $pattern = "^-?[0-9]{0," . ($decimalFormatArray[0] - $decimalFormatArray[1]) . "}(\.[0-9]{0,$decimalFormatArray[1]})?$";
+            $rcSanitizeMessage = "Requested decimal format (mantis,decimal): $decimalFormat";
        }

        return $pattern;
@@ -136,22 +161,6 @@ class Sanitize {
        return '';
    }

-    /**
-     * @return array
-     */
-    public static function inputCheckPatternArray() {
-        //EMail Regex: http://www.regular-expressions.info/email.html
-        return [
-            SANITIZE_ALLOW_ALNUMX => '^[@\-_\.,;: \/\(\)a-zA-Z0-9ÀÈÌÒÙàèìòùÁÉÍÓÚÝáéíóúýÂÊÎÔÛâêîôûÃÑÕãñõÄËÏÖÜŸäëïöüÿç]*$', // ':alnum:' does not work here in FF
-            SANITIZE_ALLOW_DIGIT => '^[\d]*$',
-            SANITIZE_ALLOW_NUMERICAL => '^[\d.+-]*$',
-            SANITIZE_ALLOW_EMAIL => '^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$',
-            SANITIZE_ALLOW_PATTERN => '',
-            SANITIZE_ALLOW_ALLBUT => '^[^\[\]{}%&\\\\#]*$',
-            SANITIZE_ALLOW_ALL => '.*',
-        ];
-    }
-
    /**
     * Sanitizes a filename. Copied from http://www.phpit.net/code/filename-safe/
     *

--- a/extension/qfq/tests/phpunit/BuildFormPlainTest.php
+++ b/extension/qfq/tests/phpunit/BuildFormPlainTest.php
@@ -117,13 +117,13 @@ class BuildFormPlainTest extends AbstractDatabaseTest {
        $formElement[FE_CHECK_TYPE] = SANITIZE_ALLOW_DIGIT;
        $formElement[FE_CHECK_PATTERN] = '';
        $result = $build->buildInput($formElement, 'name:1', '', $json);
-        $this->assertEquals('<input id="123" name="name:1" class="form-control" maxlength="255" type="input" value="" pattern="^[\d]*$" data-hidden="no" data-required="no" ><div class="help-block with-errors hidden"></div>', $result);
+        $this->assertEquals('<input id="123" name="name:1" class="form-control" maxlength="255" type="input" value="" pattern="^[\d]*$" data-pattern-error="Allowed characters: 0...9" data-hidden="no" data-required="no" ><div class="help-block with-errors hidden"></div>', $result);
        $this->assertEquals(['disabled' => false, FE_MODE_REQUIRED => '', 'form-element' => 'name:1', 'value' => '', 'disabled' => false, API_ELEMENT_UPDATE => $label], $json);

        $formElement[FE_CHECK_TYPE] = SANITIZE_ALLOW_EMAIL;
        $formElement[FE_CHECK_PATTERN] = '';
        $result = $build->buildInput($formElement, 'name:1', '', $json);
-        $this->assertEquals('<input id="123" name="name:1" class="form-control" maxlength="255" type="input" value="" pattern="^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$" data-hidden="no" data-required="no" ><div class="help-block with-errors hidden"></div>', $result);
+        $this->assertEquals('<input id="123" name="name:1" class="form-control" maxlength="255" type="input" value="" pattern="^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$" data-pattern-error="Requested format: string@domain" data-hidden="no" data-required="no" ><div class="help-block with-errors hidden"></div>', $result);
        $this->assertEquals(['disabled' => false, FE_MODE_REQUIRED => '', 'form-element' => 'name:1', 'value' => '', 'disabled' => false, API_ELEMENT_UPDATE => $label], $json);

        $formElement[FE_CHECK_TYPE] = SANITIZE_ALLOW_ALL;
@@ -133,7 +133,7 @@ class BuildFormPlainTest extends AbstractDatabaseTest {
        // Decimal format
        $formElement[FE_DECIMAL_FORMAT] = '5,2';
        $result = $build->buildInput($formElement, 'name:1', '', $json);
-        $this->assertEquals('<input id="123" name="name:1" class="form-control" maxlength="255" type="input" value="" pattern="^-?[0-9]{0,3}(\.[0-9]{0,2})?$" data-hidden="no" data-required="no" ><div class="help-block with-errors hidden"></div>', $result);
+        $this->assertEquals('<input id="123" name="name:1" class="form-control" maxlength="255" type="input" value="" pattern="^-?[0-9]{0,3}(\.[0-9]{0,2})?$" data-pattern-error="Requested decimal format (mantis,decimal): 5,2" data-hidden="no" data-required="no" ><div class="help-block with-errors hidden"></div>', $result);
        $this->assertEquals(['disabled' => false, FE_MODE_REQUIRED => '', 'form-element' => 'name:1', 'value' => '', 'disabled' => false, API_ELEMENT_UPDATE => $label], $json);

        $formElement[FE_DECIMAL_FORMAT] = '';