[pLog-svn] r5677 - in plog/branches/lifetype-1.2/class: action/admin view/admin

oscar at devel.lifetype.net oscar at devel.lifetype.net
Wed Jul 18 17:27:54 EDT 2007


Author: oscar
Date: 2007-07-18 17:27:54 -0400 (Wed, 18 Jul 2007)
New Revision: 5677

Modified:
   plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php
   plog/branches/lifetype-1.2/class/view/admin/adminpostslistview.class.php
Log:
Fixed most of the injection issues in the "edit posts" page


Modified: plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php	2007-07-18 21:01:28 UTC (rev 5676)
+++ plog/branches/lifetype-1.2/class/action/admin/admineditpostsaction.class.php	2007-07-18 21:27:54 UTC (rev 5677)
@@ -2,6 +2,7 @@
 
 	lt_include( PLOG_CLASS_PATH."class/action/admin/adminaction.class.php" );
     lt_include( PLOG_CLASS_PATH."class/view/admin/adminpostslistview.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
 
     /**
      * \ingroup Action
@@ -19,9 +20,41 @@
         {
         	$this->AdminAction( $actionInfo, $request );
 
+			// field validation
+			$this->registerFieldValidator( "showCategory", new IntegerValidator( true ));
+			$this->registerFieldValidator( "showStatus", new IntegerValidator( true ));
+			$this->registerFieldValidator( "showUser", new IntegerValidator());
+			$this->registerFieldValidator( "showMonth", new IntegerValidator( true ));
+
 			$this->requirePermission( "view_posts" );
         }
 
+		/**
+		 * We're going to do some manual validation here because we want to capture the
+		 * validation problem but instead of showing an error, we're just going to fix
+		 * here (by resetting the value) and continue with the show as if nothing
+		 * had happened.
+		 */
+		function validate()
+		{
+			$intVal = new IntegerValidator( true );
+			$uIntVal = new IntegerValidator();
+			
+			if( !$intVal->validate( $this->_request->getValue( "showCategory" )))
+				$this->_request->setValue( "showCategory", -1 );
+				
+			if( !$intVal->validate( $this->_request->getValue( "showStatus" )))
+				$this->_request->setValue( "showStatus", -1 );
+				
+			if( !$uIntVal->validate( $this->_request->getValue( "showUser" )))
+				$this->_request->setValue( "showUser", 0 );
+				
+			if( !$intVal->validate( $this->_request->getValue( "showMonth" )))
+				$this->_request->setValue( "showMonth", -1 );
+				
+			return( true );
+		}
+
         /**
          * Carries out the specified action
          */

Modified: plog/branches/lifetype-1.2/class/view/admin/adminpostslistview.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/view/admin/adminpostslistview.class.php	2007-07-18 21:01:28 UTC (rev 5676)
+++ plog/branches/lifetype-1.2/class/view/admin/adminpostslistview.class.php	2007-07-18 21:27:54 UTC (rev 5677)
@@ -9,6 +9,7 @@
     lt_include( PLOG_CLASS_PATH.'class/data/timestamp.class.php' );
     lt_include( PLOG_CLASS_PATH."class/dao/users.class.php" );    
     lt_include( PLOG_CLASS_PATH."class/config/siteconfig.class.php" );
+	lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
 	
     /**
      * \ingroup View
@@ -198,7 +199,7 @@
             $this->setValue( "months", $this->_getMonths());			
 			$this->setValue( "poststatus", $postStatusList );
 			$this->setValue( "poststatusWithoutAll", $postStatusListWithoutAll );
-			$this->setValue( "searchTerms", $this->_searchTerms );
+			$this->setValue( "searchTerms", TextFilter::filterAllHTML( $this->_searchTerms ));
 			$this->setValue( "pager", $pager );
 			
 			parent::render();
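Review bot: The HTML filtering of `_searchTerms` here protects only the template context, and it is the one request parameter the companion action hunk does not register a validator for; whether the same value is escaped or parameterised before it reaches the posts query is outside this hunk and should be confirmed, since the commit message itself says "most" of the issues are fixed. The filtering is also silent for a reader of the view, so the line deserves a why-comment, e.g. `// searchTerms is user input echoed back into the template; strip HTML so it cannot inject markup`. render() starts outside the hunk.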


