Commit fa36ff58 authored by Carsten Rose

Sanitize.php, FillStoreForm.php, Store.php, Manual.rst: Corrections. Replace 'sanatize' against 'sanitize'.
parent 670e6276
......@@ -356,7 +356,7 @@ Server Response
## Glossary
SIP
: tbd
: Server Id Pairs
HTML Form Element
: Any `<input>` or `<select>` HTML tag. Synonymous to *Form Element*.
......
......@@ -750,7 +750,7 @@ defining the `escape` modifier `m`.
**QFQ notice**:
* Variables passed by the client (=Browser) are untrusted and use the default sanatize class 'digit' (if nothing else is
* Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is
specified). If alpha characters are submitted, the content violates `digit` and becomes therefore empty - there is no
error message. Best is to always use SIP or digits.
......@@ -903,7 +903,7 @@ Predefined variable names
Store: *FORM* - F
^^^^^^^^^^^^^^^^^
* Sanatized: *yes*
* Sanitized: *yes*
* Represents the values in the form, typically before saving them.
* Used for:
......@@ -922,7 +922,7 @@ Store: *FORM* - F
Store: *SIP* - S
^^^^^^^^^^^^^^^^
* Sanatized: *no*
* Sanitized: *no*
* Filled automatically by creating links. E.g.:
* in `Report` by using `_page?` or `_link` (with active 's')
......@@ -949,7 +949,7 @@ Store: *SIP* - S
Store: *RECORD* - R
^^^^^^^^^^^^^^^^^^^
* Sanatized: *no*
* Sanitized: *no*
* Current record loaded in Form.
* If r=0, all values are empty.
......@@ -964,7 +964,7 @@ Store: *RECORD* - R
Store: *BEFORE* - B
^^^^^^^^^^^^^^^^^^^
* Sanatized: *no*
* Sanitized: *no*
* Current record loaded in Form without any modification.
* If r=0, all values are empty.
......@@ -981,7 +981,7 @@ This store is handy to compare new and old values of a form.
Store: *CLIENT* - C
^^^^^^^^^^^^^^^^^^^
* Sanatized: *yes*
* Sanitized: *yes*
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| Name | Explanation |
......@@ -1012,7 +1012,7 @@ Store: *CLIENT* - C
Store: *TYPO3* (Bodytext) - T
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Sanatized: *no*
* Sanitized: *no*
+-------------------------+-------------------------------------------------------------------+----------+
| Name | Explanation | Note |
......@@ -1046,7 +1046,7 @@ Store: *TYPO3* (Bodytext) - T
Store: *VARS* - V
^^^^^^^^^^^^^^^^^
* Sanatized: *no*
* Sanitized: *no*
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------+
| Name | Explanation |
......@@ -1065,7 +1065,7 @@ Store: *VARS* - V
Store: *LDAP* - L
^^^^^^^^^^^^^^^^^
* Sanatized: *yes*
* Sanitized: *yes*
* See also :ref:`LDAP`:
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------+
......@@ -1081,7 +1081,7 @@ Store: *LDAP* - L
Store: *SYSTEM* - Y
^^^^^^^^^^^^^^^^^^^
* Sanatized: *no*
* Sanitized: *no*
+-------------------------+--------------------------------------------------------------------------+
| Name | Explanation |
......@@ -1329,7 +1329,7 @@ accessing STORE_LDAP easily, the keys are implemented case insensitive for this
The FLS happens *before* the main *FormElement* processing starts. Therefore the fetched LDAP data (specified by *ldapAttributes*),
are available via `{{<attributename>:L:allbut:s}}` during the regular *FormElement* processing. Take care to specify
a sanatize class and optional escaping on further processing of those data.
a sanitize class and optional escaping on further processing of those data.
Important: LDAP access might slow down the *Form* processing on load, update or save! The timeout (default: 3 seconds) have
to be multiplied by the number of accesses. E.g. a broken LDAP connection and 3 *FormELements* with *FSL*
......@@ -2141,7 +2141,7 @@ Note: If there are multiple pills defined on a form, only the first pill will be
extraButtonLock
;;;;;;;;;;;;;;;
* The user has to click on the lock, before it's possible to change the value. This will protect data against unwanted modifcation.
* The user has to click on the lock, before it's possible to change the value. This will protect data against unwanted modification.
* After Form load, the value is shown, but not editable.
* Shows a 'lock' on the right side of an input element of type `text`, `date`, `time` or `datetime`.
* This option is not available for FormElements with `mode=readonly`.
......@@ -2598,7 +2598,7 @@ and will be processed after saving the primary record and before any action Form
fileDestination={{SELECT 'fileadmin/user/pictures/', p.name, '-{(unknown)}' FROM Person AS p WHERE p.id={{id:R0}} }}
* The original filename will be sanatized: only alnum characters are allowed. German 'umlaut' will be replaced by
* The original filename will be sanitized: only alnum characters are allowed. German 'umlaut' will be replaced by
'ae', 'ue', 'oe'. All non valid characters will be replaced by '-'.
* If a file already exist under `fileDestination`, an error message is shown and 'save' is aborted. The user has no
......@@ -2935,7 +2935,7 @@ To make a form dynamic:
See #3426 / Dynamic Update: Inputs loose the new content and shows the old value:
* On **all** `dynamic update` *FormElements* an explicit definition of `value`, including a sanatize class, is necessary
* On **all** `dynamic update` *FormElements* an explicit definition of `value`, including a sanitize class, is necessary
(except the field is numeric). **A missing definition let's the content overwrite all the time with the old value**.
A typical definition for `value` looks like::
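Review bot: the corrected bullet still reads awkwardly in the + line and the following context: "except the field is numeric" should be "unless the field is numeric", and "A missing definition let's the content overwrite all the time with the old value" should be "A missing definition lets the old value overwrite the content on every update"; the hunk header context "Inputs loose the new content" should also be "lose".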
......@@ -2948,8 +2948,8 @@ See #3426 / Dynamic Update: Inputs loose the new content and shows the old value
[receiving *FormElement*].parameter: itemList={{ SELECT IF({{carPriceRange:FE:alnumx}}='expensive','Ferrari,Tesla,Jaguar','General Motors,Honda,Seat,Fiat') }}
Remember to specify a 'sanatize' class - a missing sanatize class means 'digit', every content, which is not numeric,
violates the sanatize class and becomes therefore an empty string!
Remember to specify a 'sanitize' class - a missing sanitize class means 'digit', every content, which is not numeric,
violates the sanitize class and becomes therefore an empty string!
Examples
......@@ -3680,8 +3680,8 @@ FAQ
* Q: A variable {{<var>}} is shown as empty string, but there should be a value.
* A: The sanatize rule is violeted and therefore the value has been removed. Set {{<var>:<store>:all}} as a test.
Only STORE_CLIENT and STORE_FORM will be sanatized.
* A: The sanitize rule is violeted and therefore the value has been removed. Set {{<var>:<store>:all}} as a test.
Only STORE_CLIENT and STORE_FORM will be sanitized.
Report
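Review bot: the replaced FAQ answer still carries the misspelling "violeted" on the + line; since this commit is specifically a spelling pass, fix it to "violated" in the same line ("The sanitize rule is violated and therefore the value has been removed.").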
......@@ -5304,5 +5304,5 @@ QFQ specific
Variable empty: {{...}}
^^^^^^^^^^^^^^^^^^^^^^^
Specify the required sanatize class. Remember: for STORE_FORM and STORE_CLIENT the default is `digit`. This means if
the variable content is a string, this violates the sanatize class and the replaced content will be an empty string!
\ No newline at end of file
Specify the required sanitize class. Remember: for STORE_FORM and STORE_CLIENT the default is `digit`. This means if
the variable content is a string, this violates the sanitize class and the replaced content will be an empty string!
\ No newline at end of file
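Review bot: both the old and the new version of Manual.rst end with "\ No newline at end of file"; add a trailing newline while this last paragraph is being touched so later diffs of this region stay clean.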
......@@ -66,8 +66,8 @@ const SANITIZE_ALLOW_ALLBUT = "allbut";
const SANITIZE_ALLOW_ALL = "all";
const SANITIZE_DEFAULT = SANITIZE_ALLOW_DIGIT;
const SANATIZE_EXCEPTION = 'exception';
const SANATIZE_EMPTY_STRING = 'empty string';
const SANITIZE_EXCEPTION = 'exception';
const SANITIZE_EMPTY_STRING = 'empty string';
// Index wrap setup table
const WRAP_SETUP_TITLE = 'title';
......
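Review bot: renaming SANATIZE_EXCEPTION and SANATIZE_EMPTY_STRING to SANITIZE_EXCEPTION and SANITIZE_EMPTY_STRING is a breaking change for every caller that used the old names; the patch updates Sanitize.php, FillStoreForm.php, Store.php and SanitizeTest.php, but the commit message lists only the first three plus Manual.rst, so add SanitizeTest.php to the message and confirm no other file still references SANATIZE_ before merging.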
......@@ -32,14 +32,14 @@ class Sanitize {
* If check fails, depending on $mode, throws an UserException or return an empty string.
*
* @param string $value value to check
* @param string $sanatizeClass SANITIZE_ALLOW_*
* @param string $sanitizeClass SANITIZE_ALLOW_*
* @param string $patternOrRange Pattern as regexp or MIN|MAX values
* @param string $mode SANATIZE_EXCEPTION | SANATIZE_EMPTY_STRING
* @param string $mode SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING
* @return string
* @throws UserFormException
* @throws \qfq\CodeException
*/
public static function sanitize($value, $sanatizeClass = SANITIZE_DEFAULT, $patternOrRange = '', $mode = SANATIZE_EMPTY_STRING) {
public static function sanitize($value, $sanitizeClass = SANITIZE_DEFAULT, $patternOrRange = '', $mode = SANITIZE_EMPTY_STRING) {
$pattern = '';
$minMax = array();
$valueCompare = '';
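Review bot: the docblock for $mode now names SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING but does not say which is the default or what the default does; since the signature defaults to SANITIZE_EMPTY_STRING, which silently replaces a violating value by '' (the behaviour the FAQ hunk in Manual.rst has to explain), state it in the @param line, e.g. "@param string $mode SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING (default: a violating value is silently replaced by an empty string)".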
......@@ -47,7 +47,7 @@ class Sanitize {
$errorText = '';
// Prepare MIN|MAX
switch ($sanatizeClass) {
switch ($sanitizeClass) {
case SANITIZE_ALLOW_MIN_MAX:
$minMax = explode('|', $patternOrRange);
$valueCompare = $value;
......@@ -79,7 +79,7 @@ class Sanitize {
}
// Prepare Check
switch ($sanatizeClass) {
switch ($sanitizeClass) {
case SANITIZE_ALLOW_MIN_MAX:
case SANITIZE_ALLOW_MIN_MAX_DATE:
......@@ -104,14 +104,14 @@ class Sanitize {
case SANITIZE_ALLOW_ALNUMX:
case SANITIZE_ALLOW_ALLBUT:
$arr = self::inputCheckPatternArray();
$pattern = $arr[$sanatizeClass];
$pattern = $arr[$sanitizeClass];
break;
case SANITIZE_ALLOW_ALL: // no checktype specified.
return $value;
default:
throw new CodeException("Unknown checkType: " . $sanatizeClass, ERROR_UNKNOWN_CHECKTYPE);
throw new CodeException("Unknown checkType: " . $sanitizeClass, ERROR_UNKNOWN_CHECKTYPE);
}
// No error until here: do a final check
......@@ -122,9 +122,9 @@ class Sanitize {
$errorCode = ERROR_PATTERN_VIOLATION;
}
if ($mode === SANATIZE_EXCEPTION) {
if ($mode === SANITIZE_EXCEPTION) {
if ($errorText === '')
$errorText = "Value '$value' violates checkrule " . $sanatizeClass . " with pattern '$pattern'.";
$errorText = "Value '$value' violates checkrule " . $sanitizeClass . " with pattern '$pattern'.";
throw new UserFormException($errorText, $errorCode);
}
......
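Review bot: the error message built here embeds the raw $value ("Value '$value' violates checkrule ...") into the UserFormException text; that value has just failed its sanitize check, so whatever renders the exception must HTML-escape the message rather than echo the rejected input back to the browser. Also the brace-less `if ($errorText === '')` is inconsistent with the braced blocks around it; add braces.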
......@@ -223,7 +223,7 @@ class FillStoreForm {
$val = $clientValues[$clientFieldName];
// Check only if their is something
if ($val !== '') {
$val = Sanitize::sanitize($val, $formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], SANATIZE_EXCEPTION);
$val = Sanitize::sanitize($val, $formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], SANITIZE_EXCEPTION);
if ($formElement[FE_ENCODE] === FE_ENCODE_SPECIALCHAR) {
$val = htmlspecialchars($val, ENT_QUOTES);
}
......
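Review bot: the comment above the changed line, "// Check only if their is something", should read "there"; and because `if ($val !== '')` skips Sanitize::sanitize() entirely for an empty string, add a short comment that '' is accepted for every sanitize class at this point.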
......@@ -459,7 +459,7 @@ class Store {
// We do not have any pattern or min|max values at this point. For those who be affected, they already checked earlier. So set 'no check'
$sanitizeClass = SANITIZE_ALLOW_ALL;
}
return \qfq\Sanitize::sanitize($rawVal, $sanitizeClass, '', SANATIZE_EMPTY_STRING);
return \qfq\Sanitize::sanitize($rawVal, $sanitizeClass, '', SANITIZE_EMPTY_STRING);
} else {
if ($store == STORE_SIP && (substr($key, 0, $len) == SIP_PREFIX_BASE64)) {
$rawVal = base64_decode($rawVal);
......
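Review bot: the comment above the changed line, "For those who be affected, they already checked earlier", should read "Values that depend on a pattern or min|max were already checked earlier"; since the fallback to SANITIZE_ALLOW_ALL returns the value unchecked, make that dependency on the earlier check explicit in the comment so nobody later removes the earlier check without noticing.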
......@@ -263,7 +263,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
* @expectedException \qfq\UserFormException
*/
public function testSanitizeExceptionCheckFailed() {
Sanitize::sanitize('string', SANITIZE_ALLOW_DIGIT, '', SANATIZE_EXCEPTION);
Sanitize::sanitize('string', SANITIZE_ALLOW_DIGIT, '', SANITIZE_EXCEPTION);
}
/**
......
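Review bot: the renamed test only covers SANITIZE_EXCEPTION; add a companion test asserting that Sanitize::sanitize('string', SANITIZE_ALLOW_DIGIT, '', SANITIZE_EMPTY_STRING) returns '', so the silent-drop behaviour documented in Manual.rst is locked in as well.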