[pLog-svn] r3259 - in plog/trunk/class: action data/validator

jondaley at devel.lifetype.net jondaley at devel.lifetype.net
Tue Apr 18 14:41:20 GMT 2006


Author: jondaley
Date: 2006-04-18 14:41:19 +0000 (Tue, 18 Apr 2006)
New Revision: 3259

Added:
   plog/trunk/class/data/validator/templatenamevalidator.class.php
Modified:
   plog/trunk/class/action/templateaction.class.php
Log:
Fixed XSS in template name. Presumably there are other places to validate as well

Modified: plog/trunk/class/action/templateaction.class.php
===================================================================
--- plog/trunk/class/action/templateaction.class.php	2006-04-18 14:16:31 UTC (rev 3258)
+++ plog/trunk/class/action/templateaction.class.php	2006-04-18 14:41:19 UTC (rev 3259)
@@ -2,7 +2,8 @@
 
 	include_once( PLOG_CLASS_PATH."class/action/blogaction.class.php" );
     include_once( PLOG_CLASS_PATH."class/view/templateview.class.php" );
-    include_once( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
+    include_once( PLOG_CLASS_PATH."class/data/validator/templatenamevalidator.class.php" );
+    include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
 
     /**
      * \ingroup Action
@@ -38,8 +39,12 @@
     	function TemplateAction( $actionInfo, $request )
         {
         	$this->BlogAction( $actionInfo, $request );
-        	
-        	$this->registerFieldValidator( "show", new StringValidator());
+
+        	$this->registerFieldValidator( "show", new TemplateNameValidator());
+
+            $view = new ErrorView( $this->_blogInfo );
+            $view->setErrorMessage( "Bad characters in the template name." );
+            $this->setValidationErrorView( $view );
         }
 
         /**
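Review bot: The validation failure message on line 42 is a hard-coded English string, whereas the existing error path in perform() hands ErrorView a locale key (`new ErrorView( $this->_blogInfo, "error_parameter_missing" )`), so this new message will never be translated. Passing a key through the same second constructor argument, e.g. `$view = new ErrorView( $this->_blogInfo, "error_invalid_template_name" );` (key name constructed here; the matching entry would need adding to the locale files), keeps both error paths consistent and drops the setErrorMessage() call. The ErrorView is also built on every request before any validation has run, which looks like wasted work on the valid path, though whether setValidationErrorView() needs an instance up front is not visible from this hunk. The enclosing class and the declaration of setValidationErrorView() are outside the hunk.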
@@ -52,10 +57,10 @@
          */
         function perform()
         {
-        	// get the value of the template we're trying to render
+                // get the value of the template we're trying to render
         	$templateFile = $this->_request->getValue( "show" );
-            // then, check if it has any extraneous character
-            if( strstr( $templateFile, ".." )) {
+                // then, check if it has any extraneous character
+            if( !$templateFile || strstr( $templateFile, ".." )) {
                 include_once( PLOG_CLASS_PATH."class/view/errorview.class.php" );
 
         	    $view = new ErrorView( $this->_blogInfo, "error_parameter_missing" );
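Review bot: The new guard `!$templateFile` on line 57 tests truthiness, so a template named `"0"`, which the pattern in the new TemplateNameValidator accepts, is rejected here with the `error_parameter_missing` message; an explicit emptiness check such as `if( $templateFile === null || $templateFile === "" || strstr( $templateFile, ".." )) {` avoids that. The `".."` test is still worth keeping as a second layer behind the validator, since a later loosening of its regex would otherwise silently reopen the traversal case. With errorview.class.php now included at file level by this commit, the include_once inside this branch is redundant. The two re-indented comment lines (52 and 56) now use spaces while the code lines they describe stay tab-indented, so the hunk mixes indentation styles. The remainder of perform() is outside the hunk.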
@@ -67,7 +72,6 @@
 
                 return false;
             }	        
-	        
         	// get the name of the template file and create the view
         	$this->_view = new TemplateView( $this->_blogInfo, 
 			                                 $this->_request->getValue( "show" ));

Added: plog/trunk/class/data/validator/templatenamevalidator.class.php
===================================================================
--- plog/trunk/class/data/validator/templatenamevalidator.class.php	2006-04-18 14:16:31 UTC (rev 3258)
+++ plog/trunk/class/data/validator/templatenamevalidator.class.php	2006-04-18 14:41:19 UTC (rev 3259)
@@ -0,0 +1,25 @@
+<?php
+
+	include_once( PLOG_CLASS_PATH."class/data/validator/validator.class.php" );
+	include_once( PLOG_CLASS_PATH."class/data/validator/rules/regexprule.class.php" );
+	include_once( PLOG_CLASS_PATH."class/data/validator/rules/nonemptyrule.class.php" );
+
+    define(VALID_REGEXP_CHARS, "^([a-z0-9._-]+)$");
+
+    /**
+     * \ingroup Validator
+     *
+     * Checks whether the string is a valid template name
+     *
+     * @see NonEmptyRule
+     */
+    class TemplateNameValidator extends Validator 
+    {
+    	function TemplateNameValidator()
+        {
+        	$this->Validator();
+			$this->addRule( new NonEmptyRule());
+        	$this->addRule( new RegExpRule(VALID_REGEXP_CHARS, false ));
+        }
+    }
+?>
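Review bot: The first argument to `define()` on line 81 is an unquoted bare word, so PHP resolves `VALID_REGEXP_CHARS` as an undefined constant and the definition only works by falling back to the constant's name as a string (with a notice; an Error on PHP 8); it should read `define( "VALID_REGEXP_CHARS", "^([a-z0-9._-]+)$" );`. A more specific name, e.g. `TEMPLATE_NAME_REGEXP` (constructed), would also avoid clashing with any other validator that defines an equally generic global constant. The pattern itself still admits leading or consecutive dots, so a value such as `..` passes this validator and traversal protection rests solely on the separate `strstr( $templateFile, ".." )` check in TemplateAction::perform(); a pattern like `^[a-z0-9_-]+(\.[a-z0-9_-]+)*$` rejects those forms in the validator itself. Whether the `$` anchor tolerates a trailing newline depends on which regex engine RegExpRule uses, which is not visible here.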


