Added data conversion to avoid XSS

2017-09-09 13:27:36 +07:00
parent 645d98843b
commit 6e470f4e40
3 changed files with 22 additions and 5 deletions
--- a/App/Controllers/Posts.php
+++ b/App/Controllers/Posts.php
@@ -94,6 +94,11 @@ class Posts
            $posts[] = $post;
        }

+        // Replace \n or \r with <br />
+        for ($i=0; $i < count($posts); $i++) {
+            $posts[$i]['content'] = preg_replace('/\r\n/', '<br />', $posts[$i]['content']);
+        }
+
        View::render($url, [
            'posts' => $posts,
            'status' => $status
@@ -138,6 +143,8 @@ class Posts
                $creator = $post['creator'];
                $editor = $post['editor'];

+                $post['content'] = htmlspecialchars_decode($post['content']);
+
                $table = 'users';

                $creator = $this->model->showAll([
@@ -204,6 +211,8 @@ class Posts
            }
        }

+        $args['content'] = htmlspecialchars($args['content']);
+
        if (isset($table)) {
            if ($this->model->entry($args, $table)) {
                Session::flash('info', 'Data berhasil diunggah.');