-rw-r--r--includes/model/Message_model.php37
-rw-r--r--includes/pages/user_messages.php3
-rw-r--r--includes/sys_page.php2
3 files changed, 16 insertions, 26 deletions
diff --git a/includes/model/Message_model.php b/includes/model/Message_model.php
index a438a8c5..640cb085 100644
--- a/includes/model/Message_model.php
+++ b/includes/model/Message_model.php
@@ -1,6 +1,7 @@
<?php
use Engelsystem\Database\DB;
+use Engelsystem\Models\User\User;
/**
* Returns Message id array
@@ -26,7 +27,6 @@ function Message($message_id)
}
/**
- * TODO: use validation functions, return new message id
* send message
*
* @param int $receiver_user_id User ID of Receiver
@@ -36,32 +36,21 @@ function Message($message_id)
function Message_send($receiver_user_id, $text)
{
$user = auth()->user();
+ $receiver = User::find($receiver_user_id);
- $text = preg_replace("/([^\p{L}\p{P}\p{Z}\p{N}\n]{1,})/ui", '', strip_tags($text));
- $receiver_user_id = preg_replace('/([^\d]{1,})/ui', '', strip_tags($receiver_user_id));
+ if (empty($text) || !$receiver || $receiver->id == $user->id) {
+ return false;
+ }
- if (
- ($text != '' && is_numeric($receiver_user_id))
- && count(DB::select('
- SELECT `id`
- FROM `users`
- WHERE `id` = ?
- AND NOT `id` = ?
- LIMIT 1
- ', [$receiver_user_id, $user->id])) > 0
- ) {
- return DB::insert('
+ return DB::insert('
INSERT INTO `Messages` (`Datum`, `SUID`, `RUID`, `Text`)
VALUES(?, ?, ?, ?)
',
- [
- time(),
- $user->id,
- $receiver_user_id,
- $text
- ]
- );
- }
-
- return false;
+ [
+ time(),
+ $user->id,
+ $receiver->id,
+ $text
+ ]
+ );
}
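Review bot: The new guard `empty($text)` rejects the legitimate message `'0'` and still accepts whitespace-only text, since the old `$text != ''` check and the preg_replace/strip_tags pass are gone and the input now arrives raw from the request; `if (trim((string) $text) === '' || !$receiver || $receiver->id === $user->id)` keeps the intent and also replaces the loose `==` on the id comparison (assuming both ids are ints on the model — verify). Because the text is now stored unsanitised, every consumer of `Messages`.`Text` has to escape on output; the user_messages.php hunk does this for the list view, but I cannot see from this diff whether other readers of that column exist. A docblock line on Message_send such as `@param string $text Stored as-is; must be escaped by every consumer at output time` would make that contract explicit.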
diff --git a/includes/pages/user_messages.php b/includes/pages/user_messages.php
index 0ac554b8..ce496132 100644
--- a/includes/pages/user_messages.php
+++ b/includes/pages/user_messages.php
@@ -88,7 +88,7 @@ function user_messages()
'timestamp' => date('Y-m-d H:i', $message['Datum']),
'from' => User_Nick_render($sender_user_source),
'to' => User_Nick_render($receiver_user_source),
- 'text' => str_replace("\n", '<br />', $message['Text'])
+ 'text' => nl2br(htmlspecialchars($message['Text']))
];
if ($message['RUID'] == $user->id) {
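Review bot: `htmlspecialchars($message['Text'])` on the `'text'` line relies on the default flags, which before PHP 8.1 are `ENT_COMPAT` (single quotes left unescaped, so the value is unsafe inside a single-quoted attribute) and lack `ENT_SUBSTITUTE`, so a stored message with an invalid UTF-8 byte is rendered as an empty string and silently disappears. Passing the flags explicitly avoids depending on the runtime version: `'text' => nl2br(htmlspecialchars($message['Text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'))`. The array is built inside user_messages(), whose body starts before and continues after this hunk.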
@@ -167,7 +167,6 @@ function user_messages()
break;
case 'send':
- // @TODO: Validation?
if (Message_send($request->input('to'), $request->input('text'))) {
redirect(page_link_to('user_messages'));
} else {
diff --git a/includes/sys_page.php b/includes/sys_page.php
index a560c3ba..e94a92cc 100644
--- a/includes/sys_page.php
+++ b/includes/sys_page.php
@@ -197,6 +197,7 @@ function strip_request_item_nl($name, $default_value = null)
{
$request = request();
if ($request->has($name)) {
+ // Only allow letters, symbols, punctuation, separators, numbers and newlines without html tags
return preg_replace(
"/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+\n]{1,})/ui",
'',
@@ -214,6 +215,7 @@ function strip_request_item_nl($name, $default_value = null)
*/
function strip_item($item)
{
+ // Only allow letters, symbols, punctuation, separators and numbers without html tags
return preg_replace("/([^\p{L}\p{S}\p{P}\p{Z}\p{N}+]{1,})/ui", '', strip_tags($item));
}