Commit fa36ff58 authored by Carsten  Rose's avatar Carsten Rose

Sanitize.php, FillStoreForm.php, Store.php, Manual.rst: Corrections. Replace...

Sanitize.php, FillStoreForm.php,  Store.php, Manual.rst: Corrections. Replace 'sanatize' against 'sanitize'.
parent 670e6276
...@@ -356,7 +356,7 @@ Server Response ...@@ -356,7 +356,7 @@ Server Response
## Glossary ## Glossary
SIP SIP
: tbd : Server Id Pairs
HTML Form Element HTML Form Element
: Any `<input>` or `<select>` HTML tag. Synonymous to *Form Element*. : Any `<input>` or `<select>` HTML tag. Synonymous to *Form Element*.
...@@ -750,7 +750,7 @@ defining the `escape` modifier `m`. ...@@ -750,7 +750,7 @@ defining the `escape` modifier `m`.
**QFQ notice**: **QFQ notice**:
* Variables passed by the client (=Browser) are untrusted and use the default sanatize class 'digit' (if nothing else is * Variables passed by the client (=Browser) are untrusted and use the default sanitize class 'digit' (if nothing else is
specified). If alpha characters are submitted, the content violates `digit` and becomes therefore empty - there is no specified). If alpha characters are submitted, the content violates `digit` and becomes therefore empty - there is no
error message. Best is to always use SIP or digits. error message. Best is to always use SIP or digits.
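Review bot: this notice is the only place that explains why a client variable silently turns into an empty string (default class `digit`, no error message); since the FAQ entry "Variable empty" at the end of the manual documents the same surprise, a cross-reference between the two would save readers a search.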
...@@ -903,7 +903,7 @@ Predefined variable names ...@@ -903,7 +903,7 @@ Predefined variable names
Store: *FORM* - F Store: *FORM* - F
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
* Sanatized: *yes* * Sanitized: *yes*
* Represents the values in the form, typically before saving them. * Represents the values in the form, typically before saving them.
* Used for: * Used for:
...@@ -922,7 +922,7 @@ Store: *FORM* - F ...@@ -922,7 +922,7 @@ Store: *FORM* - F
Store: *SIP* - S Store: *SIP* - S
^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^
* Sanatized: *no* * Sanitized: *no*
* Filled automatically by creating links. E.g.: * Filled automatically by creating links. E.g.:
* in `Report` by using `_page?` or `_link` (with active 's') * in `Report` by using `_page?` or `_link` (with active 's')
...@@ -949,7 +949,7 @@ Store: *SIP* - S ...@@ -949,7 +949,7 @@ Store: *SIP* - S
Store: *RECORD* - R Store: *RECORD* - R
^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^
* Sanatized: *no* * Sanitized: *no*
* Current record loaded in Form. * Current record loaded in Form.
* If r=0, all values are empty. * If r=0, all values are empty.
...@@ -964,7 +964,7 @@ Store: *RECORD* - R ...@@ -964,7 +964,7 @@ Store: *RECORD* - R
Store: *BEFORE* - B Store: *BEFORE* - B
^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^
* Sanatized: *no* * Sanitized: *no*
* Current record loaded in Form without any modification. * Current record loaded in Form without any modification.
* If r=0, all values are empty. * If r=0, all values are empty.
...@@ -981,7 +981,7 @@ This store is handy to compare new and old values of a form. ...@@ -981,7 +981,7 @@ This store is handy to compare new and old values of a form.
Store: *CLIENT* - C Store: *CLIENT* - C
^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^
* Sanatized: *yes* * Sanitized: *yes*
+-------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------+
| Name | Explanation | | Name | Explanation |
...@@ -1012,7 +1012,7 @@ Store: *CLIENT* - C ...@@ -1012,7 +1012,7 @@ Store: *CLIENT* - C
Store: *TYPO3* (Bodytext) - T Store: *TYPO3* (Bodytext) - T
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
* Sanatized: *no* * Sanitized: *no*
+-------------------------+-------------------------------------------------------------------+----------+ +-------------------------+-------------------------------------------------------------------+----------+
| Name | Explanation | Note | | Name | Explanation | Note |
...@@ -1046,7 +1046,7 @@ Store: *TYPO3* (Bodytext) - T ...@@ -1046,7 +1046,7 @@ Store: *TYPO3* (Bodytext) - T
Store: *VARS* - V Store: *VARS* - V
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
* Sanatized: *no* * Sanitized: *no*
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------+ +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------+
| Name | Explanation | | Name | Explanation |
...@@ -1065,7 +1065,7 @@ Store: *VARS* - V ...@@ -1065,7 +1065,7 @@ Store: *VARS* - V
Store: *LDAP* - L Store: *LDAP* - L
^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
* Sanatized: *yes* * Sanitized: *yes*
* See also :ref:`LDAP`: * See also :ref:`LDAP`:
+-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------+ +-------------------------+--------------------------------------------------------------------------------------------------------------------------------------------+
...@@ -1081,7 +1081,7 @@ Store: *LDAP* - L ...@@ -1081,7 +1081,7 @@ Store: *LDAP* - L
Store: *SYSTEM* - Y Store: *SYSTEM* - Y
^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^
* Sanatized: *no* * Sanitized: *no*
+-------------------------+--------------------------------------------------------------------------+ +-------------------------+--------------------------------------------------------------------------+
| Name | Explanation | | Name | Explanation |
...@@ -1329,7 +1329,7 @@ accessing STORE_LDAP easily, the keys are implemented case insensitive for this ...@@ -1329,7 +1329,7 @@ accessing STORE_LDAP easily, the keys are implemented case insensitive for this
The FLS happens *before* the main *FormElement* processing starts. Therefore the fetched LDAP data (specified by *ldapAttributes*), The FLS happens *before* the main *FormElement* processing starts. Therefore the fetched LDAP data (specified by *ldapAttributes*),
are available via `{{<attributename>:L:allbut:s}}` during the regular *FormElement* processing. Take care to specify are available via `{{<attributename>:L:allbut:s}}` during the regular *FormElement* processing. Take care to specify
a sanatize class and optional escaping on further processing of those data. a sanitize class and optional escaping on further processing of those data.
Important: LDAP access might slow down the *Form* processing on load, update or save! The timeout (default: 3 seconds) have Important: LDAP access might slow down the *Form* processing on load, update or save! The timeout (default: 3 seconds) have
to be multiplied by the number of accesses. E.g. a broken LDAP connection and 3 *FormELements* with *FSL* to be multiplied by the number of accesses. E.g. a broken LDAP connection and 3 *FormELements* with *FSL*
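Review bot: the two unchanged context lines at the end of this hunk read "The timeout (default: 3 seconds) have to be multiplied" and "3 *FormELements*"; since the paragraph is already being touched for the spelling fix, "has to be multiplied" and "FormElements" could be corrected in the same commit.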
...@@ -2141,7 +2141,7 @@ Note: If there are multiple pills defined on a form, only the first pill will be ...@@ -2141,7 +2141,7 @@ Note: If there are multiple pills defined on a form, only the first pill will be
extraButtonLock extraButtonLock
;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;
* The user has to click on the lock, before it's possible to change the value. This will protect data against unwanted modifcation. * The user has to click on the lock, before it's possible to change the value. This will protect data against unwanted modification.
* After Form load, the value is shown, but not editable. * After Form load, the value is shown, but not editable.
* Shows a 'lock' on the right side of an input element of type `text`, `date`, `time` or `datetime`. * Shows a 'lock' on the right side of an input element of type `text`, `date`, `time` or `datetime`.
* This option is not available for FormElements with `mode=readonly`. * This option is not available for FormElements with `mode=readonly`.
...@@ -2598,7 +2598,7 @@ and will be processed after saving the primary record and before any action Form ...@@ -2598,7 +2598,7 @@ and will be processed after saving the primary record and before any action Form
fileDestination={{SELECT 'fileadmin/user/pictures/', p.name, '-{(unknown)}' FROM Person AS p WHERE p.id={{id:R0}} }} fileDestination={{SELECT 'fileadmin/user/pictures/', p.name, '-{(unknown)}' FROM Person AS p WHERE p.id={{id:R0}} }}
* The original filename will be sanatized: only alnum characters are allowed. German 'umlaut' will be replaced by * The original filename will be sanitized: only alnum characters are allowed. German 'umlaut' will be replaced by
'ae', 'ue', 'oe'. All non valid characters will be replaced by '-'. 'ae', 'ue', 'oe'. All non valid characters will be replaced by '-'.
* If a file already exist under `fileDestination`, an error message is shown and 'save' is aborted. The user has no * If a file already exist under `fileDestination`, an error message is shown and 'save' is aborted. The user has no
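Review bot: "If a file already exist under `fileDestination`" should read "already exists"; the same line would also benefit from stating which component does the filename sanitization (the bullet describes the rule, alnum only with non-valid characters replaced by '-', but not where it is enforced), so that readers do not assume `fileDestination` itself is sanitized.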
...@@ -2935,7 +2935,7 @@ To make a form dynamic: ...@@ -2935,7 +2935,7 @@ To make a form dynamic:
See #3426 / Dynamic Update: Inputs loose the new content and shows the old value: See #3426 / Dynamic Update: Inputs loose the new content and shows the old value:
* On **all** `dynamic update` *FormElements* an explicit definition of `value`, including a sanatize class, is necessary * On **all** `dynamic update` *FormElements* an explicit definition of `value`, including a sanitize class, is necessary
(except the field is numeric). **A missing definition let's the content overwrite all the time with the old value**. (except the field is numeric). **A missing definition let's the content overwrite all the time with the old value**.
A typical definition for `value` looks like:: A typical definition for `value` looks like::
...@@ -2948,8 +2948,8 @@ See #3426 / Dynamic Update: Inputs loose the new content and shows the old value ...@@ -2948,8 +2948,8 @@ See #3426 / Dynamic Update: Inputs loose the new content and shows the old value
[receiving *FormElement*].parameter: itemList={{ SELECT IF({{carPriceRange:FE:alnumx}}='expensive','Ferrari,Tesla,Jaguar','General Motors,Honda,Seat,Fiat') }} [receiving *FormElement*].parameter: itemList={{ SELECT IF({{carPriceRange:FE:alnumx}}='expensive','Ferrari,Tesla,Jaguar','General Motors,Honda,Seat,Fiat') }}
Remember to specify a 'sanatize' class - a missing sanatize class means 'digit', every content, which is not numeric, Remember to specify a 'sanitize' class - a missing sanitize class means 'digit', every content, which is not numeric,
violates the sanatize class and becomes therefore an empty string! violates the sanitize class and becomes therefore an empty string!
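Review bot: the issue title quoted on the first line ("Inputs loose the new content and shows the old value") and the bold sentence ("A missing definition let's the content overwrite") carry typos that this hunk leaves in place: "loose" should be "lose", "shows" should be "show", and "let's" should be "lets". The closing reminder would also be clearer as two sentences: one stating that a missing class means `digit`, one stating that any non-numeric content then becomes an empty string.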
Examples Examples
...@@ -3680,8 +3680,8 @@ FAQ ...@@ -3680,8 +3680,8 @@ FAQ
* Q: A variable {{<var>}} is shown as empty string, but there should be a value. * Q: A variable {{<var>}} is shown as empty string, but there should be a value.
* A: The sanatize rule is violeted and therefore the value has been removed. Set {{<var>:<store>:all}} as a test. * A: The sanitize rule is violeted and therefore the value has been removed. Set {{<var>:<store>:all}} as a test.
Only STORE_CLIENT and STORE_FORM will be sanatized. Only STORE_CLIENT and STORE_FORM will be sanitized.
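Review bot: "violeted" on the answer line should be "violated"; the line is already modified for the 'sanatize' spelling, so both typos can go in one commit. The advice to set `{{<var>:<store>:all}}` "as a test" should also say explicitly that `all` disables checking altogether (the `SANITIZE_ALLOW_ALL` case in Sanitize.php returns the value unchanged) and is meant for diagnosis only, not for templates that stay in production.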
Report Report
...@@ -5304,5 +5304,5 @@ QFQ specific ...@@ -5304,5 +5304,5 @@ QFQ specific
Variable empty: {{...}} Variable empty: {{...}}
^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^
Specify the required sanatize class. Remember: for STORE_FORM and STORE_CLIENT the default is `digit`. This means if Specify the required sanitize class. Remember: for STORE_FORM and STORE_CLIENT the default is `digit`. This means if
the variable content is a string, this violates the sanatize class and the replaced content will be an empty string! the variable content is a string, this violates the sanitize class and the replaced content will be an empty string!
\ No newline at end of file \ No newline at end of file
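Review bot: both sides of this hunk still end with "\ No newline at end of file"; adding the trailing newline to Manual.rst would keep every future change to the last paragraph from showing up as a modification of that line.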
...@@ -66,8 +66,8 @@ const SANITIZE_ALLOW_ALLBUT = "allbut"; ...@@ -66,8 +66,8 @@ const SANITIZE_ALLOW_ALLBUT = "allbut";
const SANITIZE_ALLOW_ALL = "all"; const SANITIZE_ALLOW_ALL = "all";
const SANITIZE_DEFAULT = SANITIZE_ALLOW_DIGIT; const SANITIZE_DEFAULT = SANITIZE_ALLOW_DIGIT;
const SANATIZE_EXCEPTION = 'exception'; const SANITIZE_EXCEPTION = 'exception';
const SANATIZE_EMPTY_STRING = 'empty string'; const SANITIZE_EMPTY_STRING = 'empty string';
// Index wrap setup table // Index wrap setup table
const WRAP_SETUP_TITLE = 'title'; const WRAP_SETUP_TITLE = 'title';
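Review bot: renaming the global constants `SANATIZE_EXCEPTION` and `SANATIZE_EMPTY_STRING` is a breaking change for any code outside this repository that still uses the old names (PHP raises an error for an undefined constant); if external users exist, a short-lived alias defined in terms of the new name would ease migration. The commit message lists Sanitize.php, FillStoreForm.php, Store.php and Manual.rst but not this constants file or SanitizeTest.php, which are changed as well. Minor style point: the two renamed constants use single quotes while the neighbouring `SANITIZE_ALLOW_*` constants use double quotes.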
...@@ -32,14 +32,14 @@ class Sanitize { ...@@ -32,14 +32,14 @@ class Sanitize {
* If check fails, depending on $mode, throws an UserException or return an empty string. * If check fails, depending on $mode, throws an UserException or return an empty string.
* *
* @param string $value value to check * @param string $value value to check
* @param string $sanatizeClass SANITIZE_ALLOW_* * @param string $sanitizeClass SANITIZE_ALLOW_*
* @param string $patternOrRange Pattern as regexp or MIN|MAX values * @param string $patternOrRange Pattern as regexp or MIN|MAX values
* @param string $mode SANATIZE_EXCEPTION | SANATIZE_EMPTY_STRING * @param string $mode SANITIZE_EXCEPTION | SANITIZE_EMPTY_STRING
* @return string * @return string
* @throws UserFormException * @throws UserFormException
* @throws \qfq\CodeException * @throws \qfq\CodeException
*/ */
public static function sanitize($value, $sanatizeClass = SANITIZE_DEFAULT, $patternOrRange = '', $mode = SANATIZE_EMPTY_STRING) { public static function sanitize($value, $sanitizeClass = SANITIZE_DEFAULT, $patternOrRange = '', $mode = SANITIZE_EMPTY_STRING) {
$pattern = ''; $pattern = '';
$minMax = array(); $minMax = array();
$valueCompare = ''; $valueCompare = '';
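Review bot: the docblock sentence says the method "throws an UserException or return an empty string", while the `@throws` tag below it names `UserFormException`; the sentence should name the same class and read "throws a UserFormException or returns an empty string". The `@param string $mode` line could also state which mode is the default (`SANITIZE_EMPTY_STRING`, as the signature shows), since the silent empty-string behaviour is the one that surprises callers.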
...@@ -47,7 +47,7 @@ class Sanitize { ...@@ -47,7 +47,7 @@ class Sanitize {
$errorText = ''; $errorText = '';
// Prepare MIN|MAX // Prepare MIN|MAX
switch ($sanatizeClass) { switch ($sanitizeClass) {
case SANITIZE_ALLOW_MIN_MAX: case SANITIZE_ALLOW_MIN_MAX:
$minMax = explode('|', $patternOrRange); $minMax = explode('|', $patternOrRange);
$valueCompare = $value; $valueCompare = $value;
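Review bot: the `SANITIZE_ALLOW_MIN_MAX` branch splits `$patternOrRange` on '|' and the visible lines show no check that two parts came back; if a range is configured without the separator, `$minMax[1]` would be undefined later. Unless that is guarded further down in the method (not shown in this hunk), a check on `count($minMax)` with a `CodeException` would make the misconfiguration visible instead of silent.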
...@@ -79,7 +79,7 @@ class Sanitize { ...@@ -79,7 +79,7 @@ class Sanitize {
} }
// Prepare Check // Prepare Check
switch ($sanatizeClass) { switch ($sanitizeClass) {
case SANITIZE_ALLOW_MIN_MAX: case SANITIZE_ALLOW_MIN_MAX:
case SANITIZE_ALLOW_MIN_MAX_DATE: case SANITIZE_ALLOW_MIN_MAX_DATE:
...@@ -104,14 +104,14 @@ class Sanitize { ...@@ -104,14 +104,14 @@ class Sanitize {
case SANITIZE_ALLOW_ALNUMX: case SANITIZE_ALLOW_ALNUMX:
case SANITIZE_ALLOW_ALLBUT: case SANITIZE_ALLOW_ALLBUT:
$arr = self::inputCheckPatternArray(); $arr = self::inputCheckPatternArray();
$pattern = $arr[$sanatizeClass]; $pattern = $arr[$sanitizeClass];
break; break;
case SANITIZE_ALLOW_ALL: // no checktype specified. case SANITIZE_ALLOW_ALL: // no checktype specified.
return $value; return $value;
default: default:
throw new CodeException("Unknown checkType: " . $sanatizeClass, ERROR_UNKNOWN_CHECKTYPE); throw new CodeException("Unknown checkType: " . $sanitizeClass, ERROR_UNKNOWN_CHECKTYPE);
} }
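Review bot: the comment on the `SANITIZE_ALLOW_ALL` case, "no checktype specified", is misleading: `all` is an explicit class that bypasses the final check, whereas an unspecified class falls back to `SANITIZE_DEFAULT`, which the constants file sets to `SANITIZE_ALLOW_DIGIT`. Rewording it to "explicit 'all': skip checking" would match the behaviour; the `default` branch throwing a `CodeException` for unknown classes is the right fail-closed choice.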
// No error until here: do a final check // No error until here: do a final check
...@@ -122,9 +122,9 @@ class Sanitize { ...@@ -122,9 +122,9 @@ class Sanitize {
$errorCode = ERROR_PATTERN_VIOLATION; $errorCode = ERROR_PATTERN_VIOLATION;
} }
if ($mode === SANATIZE_EXCEPTION) { if ($mode === SANITIZE_EXCEPTION) {
if ($errorText === '') if ($errorText === '')
$errorText = "Value '$value' violates checkrule " . $sanatizeClass . " with pattern '$pattern'."; $errorText = "Value '$value' violates checkrule " . $sanitizeClass . " with pattern '$pattern'.";
throw new UserFormException($errorText, $errorCode); throw new UserFormException($errorText, $errorCode);
} }
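Review bot: the `UserFormException` message built on the second line embeds the rejected raw `$value` (and the pattern) verbatim; whatever renders this exception to the browser has to HTML-escape the message, otherwise a value that was just rejected by the sanitizer still reaches the page unescaped through the error text. A short comment here noting that the message contains untrusted input would make that expectation explicit for the rendering side.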
...@@ -223,7 +223,7 @@ class FillStoreForm { ...@@ -223,7 +223,7 @@ class FillStoreForm {
$val = $clientValues[$clientFieldName]; $val = $clientValues[$clientFieldName];
// Check only if their is something // Check only if their is something
if ($val !== '') { if ($val !== '') {
$val = Sanitize::sanitize($val, $formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], SANATIZE_EXCEPTION); $val = Sanitize::sanitize($val, $formElement[FE_CHECK_TYPE], $formElement[FE_CHECK_PATTERN], SANITIZE_EXCEPTION);
if ($formElement[FE_ENCODE] === FE_ENCODE_SPECIALCHAR) { if ($formElement[FE_ENCODE] === FE_ENCODE_SPECIALCHAR) {
$val = htmlspecialchars($val, ENT_QUOTES); $val = htmlspecialchars($val, ENT_QUOTES);
} }
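Review bot: the comment "Check only if their is something" should read "there is something"; it would also be worth stating why the empty string is skipped (an empty value cannot violate a pattern, and required-ness is not the sanitizer's job), since otherwise the shortcut looks like a bypass. The ordering is sound: `Sanitize::sanitize()` runs on the raw value and `htmlspecialchars()` is applied afterwards, so the check pattern never sees encoded entities.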
...@@ -459,7 +459,7 @@ class Store { ...@@ -459,7 +459,7 @@ class Store {
// We do not have any pattern or min|max values at this point. For those who be affected, they already checked earlier. So set 'no check' // We do not have any pattern or min|max values at this point. For those who be affected, they already checked earlier. So set 'no check'
$sanitizeClass = SANITIZE_ALLOW_ALL; $sanitizeClass = SANITIZE_ALLOW_ALL;
} }
return \qfq\Sanitize::sanitize($rawVal, $sanitizeClass, '', SANATIZE_EMPTY_STRING); return \qfq\Sanitize::sanitize($rawVal, $sanitizeClass, '', SANITIZE_EMPTY_STRING);
} else { } else {
if ($store == STORE_SIP && (substr($key, 0, $len) == SIP_PREFIX_BASE64)) { if ($store == STORE_SIP && (substr($key, 0, $len) == SIP_PREFIX_BASE64)) {
$rawVal = base64_decode($rawVal); $rawVal = base64_decode($rawVal);
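Review bot: the comment "For those who be affected, they already checked earlier. So set 'no check'" should say which code path guarantees the earlier check (for example "values with a pattern or min|max are checked in FillStoreForm on the way in"); as written, the fallback to `SANITIZE_ALLOW_ALL` disables checking on an assumption that a reader cannot verify from this method. In the `else` branch, `base64_decode($rawVal)` is called without the strict flag; passing `true` makes the call return `false` on characters outside the base64 alphabet instead of silently ignoring them, which is the safer default for data read back from the SIP store.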
...@@ -263,7 +263,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase { ...@@ -263,7 +263,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
* @expectedException \qfq\UserFormException * @expectedException \qfq\UserFormException
*/ */
public function testSanitizeExceptionCheckFailed() { public function testSanitizeExceptionCheckFailed() {
Sanitize::sanitize('string', SANITIZE_ALLOW_DIGIT, '', SANATIZE_EXCEPTION); Sanitize::sanitize('string', SANITIZE_ALLOW_DIGIT, '', SANITIZE_EXCEPTION);
} }
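Review bot: this test covers only `SANITIZE_EXCEPTION`; a companion test asserting that `Sanitize::sanitize('string', SANITIZE_ALLOW_DIGIT, '', SANITIZE_EMPTY_STRING)` returns `''` would pin down the silent mode, which is the default and the one the manual warns about. The `@expectedException` annotation is deprecated in PHPUnit 8 and removed in PHPUnit 9; `$this->expectException(\qfq\UserFormException::class)` at the start of the method is the forward-compatible form.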
/** /**