gregorio/lepisi-pengumuman
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Added data conversion to avoid XSS

Browse Source
This commit is contained in:
Gregorio Chiko Putra 2017-09-09 13:27:36 +07:00
parent 645d98843b
commit 6e470f4e40
3 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
App/Controllers/Home.php
View File

@ -69,7 +69,7 @@ class Home
foreach ($args as $value) { foreach ($args as $value) {
if ($value == '') { if ($value == '') {
Session::flash('info', 'Semua data harus diisi.'); Session::flash('info', 'Semua data harus diisi.');
Redirect::to('/'); Redirect::to('./register');
die(); die();
} }
} }
@ -88,7 +88,12 @@ class Home
$data = $this->model->showAll(); $data = $this->model->showAll();
foreach ($data as $users) { foreach ($data as $users) {
if ($args['username'] == $users['username']) { if (is_array($users)) {
$known_uname = $users['username'];
} else {
$known_uname = $data['username'];
}
if ($args['username'] == $known_uname) {
Session::flash('info', 'Username telah digunakan. Silahkan gunakan username lain.'); Session::flash('info', 'Username telah digunakan. Silahkan gunakan username lain.');
Redirect::to('./register'); Redirect::to('./register');
die(); die();
@ -96,7 +101,7 @@ class Home
} }
$this->model->entry($args); $this->model->entry($args);
Session::flash('info', 'Registrasi berhasil');
Redirect::to('/'); Redirect::to('/');
die(); die();
} }
@ -142,6 +147,9 @@ class Home
public function delete() public function delete()
{ {
if (Session::exists('userid') == false) {
throw new \Exception("Bad request but thrown as 404", 404);
}
$userid = Session::get('userid'); $userid = Session::get('userid');
$user = $this->model->showAll([ $user = $this->model->showAll([

9
App/Controllers/Posts.php
View File

@ -94,6 +94,11 @@ class Posts
$posts[] = $post; $posts[] = $post;
} }
// Replace \n or \r with <br />
for ($i=0; $i < count($posts); $i++) {
$posts[$i]['content'] = preg_replace('/\r\n/', '<br />', $posts[$i]['content']);
}
View::render($url, [ View::render($url, [
'posts' => $posts, 'posts' => $posts,
'status' => $status 'status' => $status
@ -138,6 +143,8 @@ class Posts
$creator = $post['creator']; $creator = $post['creator'];
$editor = $post['editor']; $editor = $post['editor'];
$post['content'] = htmlspecialchars_decode($post['content']);
$table = 'users'; $table = 'users';
$creator = $this->model->showAll([ $creator = $this->model->showAll([
@ -204,6 +211,8 @@ class Posts
} }
} }
$args['content'] = htmlspecialchars($args['content']);
if (isset($table)) { if (isset($table)) {
if ($this->model->entry($args, $table)) { if ($this->model->entry($args, $table)) {
Session::flash('info', 'Data berhasil diunggah.'); Session::flash('info', 'Data berhasil diunggah.');