Added data conversion to avoid XSS

2017-09-09 13:27:36 +07:00 · 2017-09-09 13:27:36 +07:00 · 6e470f4e40
commit 6e470f4e40
parent 645d98843b
3 changed files with 22 additions and 5 deletions
--- a/App/Controllers/Home.php
+++ b/App/Controllers/Home.php
@ -69,7 +69,7 @@ class Home
        foreach ($args as $value) {
            if ($value == '') {
                Session::flash('info', 'Semua data harus diisi.');
-                Redirect::to('/');
+                Redirect::to('./register');
                die();
            }
        }
@ -88,7 +88,12 @@ class Home

        $data = $this->model->showAll();
        foreach ($data as $users) {
-            if ($args['username'] == $users['username']) {
+            if (is_array($users)) {
+                $known_uname = $users['username'];
+            } else {
+                $known_uname = $data['username'];
+            }
+            if ($args['username'] == $known_uname) {
                Session::flash('info', 'Username telah digunakan. Silahkan gunakan username lain.');
                Redirect::to('./register');
                die();
@ -96,7 +101,7 @@ class Home
        }

        $this->model->entry($args);
-
+        Session::flash('info', 'Registrasi berhasil');
        Redirect::to('/');
        die();
    }
@ -142,6 +147,9 @@ class Home

    public function delete()
    {
+        if (Session::exists('userid') == false) {
+            throw new \Exception("Bad request but thrown as 404", 404);
+        }
        $userid = Session::get('userid');

        $user = $this->model->showAll([
--- a/App/Controllers/Posts.php
+++ b/App/Controllers/Posts.php
@ -94,6 +94,11 @@ class Posts
            $posts[] = $post;
        }

+        // Replace \n or \r with <br />
+        for ($i=0; $i < count($posts); $i++) {
+            $posts[$i]['content'] = preg_replace('/\r\n/', '<br />', $posts[$i]['content']);
+        }
+
        View::render($url, [
            'posts' => $posts,
            'status' => $status
@ -138,6 +143,8 @@ class Posts
                $creator = $post['creator'];
                $editor = $post['editor'];

+                $post['content'] = htmlspecialchars_decode($post['content']);
+
                $table = 'users';

                $creator = $this->model->showAll([
@ -204,6 +211,8 @@ class Posts
            }
        }

+        $args['content'] = htmlspecialchars($args['content']);
+
        if (isset($table)) {
            if ($this->model->entry($args, $table)) {
                Session::flash('info', 'Data berhasil diunggah.');