diff options
-rw-r--r-- | includes/model/Message_model.php | 37 | ||||
-rw-r--r-- | includes/pages/user_messages.php | 3 | ||||
-rw-r--r-- | includes/sys_page.php | 2 |
3 files changed, 16 insertions, 26 deletions
diff --git a/includes/model/Message_model.php b/includes/model/Message_model.php index a438a8c5..640cb085 100644 --- a/includes/model/Message_model.php +++ b/includes/model/Message_model.php @@ -1,6 +1,7 @@ <?php use Engelsystem\Database\DB; +use Engelsystem\Models\User\User; /** * Returns Message id array @@ -26,7 +27,6 @@ function Message($message_id) } /** - * TODO: use validation functions, return new message id * send message * * @param int $receiver_user_id User ID of Receiver @@ -36,32 +36,21 @@ function Message($message_id) function Message_send($receiver_user_id, $text) { $user = auth()->user(); + $receiver = User::find($receiver_user_id); - $text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($text)); - $receiver_user_id = preg_replace('/([^\d]{1,})/ui', '', strip_tags($receiver_user_id)); + if (empty($text) || !$receiver || $receiver->id == $user->id) { + return false; + } - if ( - ($text != '' && is_numeric($receiver_user_id)) - && count(DB::select(' - SELECT `id` - FROM `users` - WHERE `id` = ? - AND NOT `id` = ? - LIMIT 1 - ', [$receiver_user_id, $user->id])) > 0 - ) { - return DB::insert(' + return DB::insert(' INSERT INTO `Messages` (`Datum`, `SUID`, `RUID`, `Text`) VALUES(?, ?, ?, ?) ', - [ - time(), - $user->id, - $receiver_user_id, - $text - ] - ); - } - - return false; + [ + time(), + $user->id, + $receiver->id, + $text + ] + ); } diff --git a/includes/pages/user_messages.php b/includes/pages/user_messages.php index 0ac554b8..ce496132 100644 --- a/includes/pages/user_messages.php +++ b/includes/pages/user_messages.php @@ -88,7 +88,7 @@ function user_messages() 'timestamp' => date('Y-m-d H:i', $message['Datum']), 'from' => User_Nick_render($sender_user_source), 'to' => User_Nick_render($receiver_user_source), - 'text' => str_replace("\n", '<br />', $message['Text']) + 'text' => nl2br(htmlspecialchars($message['Text'])) ]; if ($message['RUID'] == $user->id) { @@ -167,7 +167,6 @@ function user_messages() break; case 'send': - // @TODO: Validation? if (Message_send($request->input('to'), $request->input('text'))) { redirect(page_link_to('user_messages')); } else { diff --git a/includes/sys_page.php b/includes/sys_page.php index a560c3ba..e94a92cc 100644 --- a/includes/sys_page.php +++ b/includes/sys_page.php @@ -197,6 +197,7 @@ function strip_request_item_nl($name, $default_value = null) { $request = request(); if ($request->has($name)) { + // Only allow letters, symbols, punctuation, separators, numbers and newlines without html tags return preg_replace( "/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+\n]{1,})/ui", '', @@ -214,6 +215,7 @@ function strip_request_item_nl($name, $default_value = null) */ function strip_item($item) { + // Only allow letters, symbols, punctuation, separators and numbers without html tags return preg_replace("/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+]{1,})/ui", '', strip_tags($item)); } |