[pLog-svn] r6618 - plog/branches/lifetype-1.2/class/action/admin
jondaley at devel.lifetype.net
Sat Jun 21 12:18:22 EDT 2008
Author: jondaley
Date: 2008-06-21 12:18:21 -0400 (Sat, 21 Jun 2008)
New Revision: 6618
Modified:
plog/branches/lifetype-1.2/class/action/admin/adminpostmanagementcommonaction.class.php
Log:
more validation/xss issues. CustomFields are hard to validate, and I don't know how hard it will be to fix; we might need to change how custom fields work, i.e. they might need a validator choice when creating custom fields - otherwise, we might not be able to validate them properly. Removing HTML would work for any place I have ever used custom fields, but I could imagine that someone might want to have HTML in a custom field.
Modified: plog/branches/lifetype-1.2/class/action/admin/adminpostmanagementcommonaction.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/action/admin/adminpostmanagementcommonaction.class.php 2008-06-21 16:14:18 UTC (rev 6617)
+++ plog/branches/lifetype-1.2/class/action/admin/adminpostmanagementcommonaction.class.php 2008-06-21 16:18:21 UTC (rev 6618)
@@ -5,6 +5,7 @@
lt_include( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/validator/arrayvalidator.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/validator/integervalidator.class.php" );
+ lt_include( PLOG_CLASS_PATH."class/data/validator/httpurlvalidator.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/validator/datetimevalidator.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/textfilter.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/timestamp.class.php" );
@@ -60,15 +61,16 @@
$this->registerFieldValidator( "postDateTime", new DateTimeValidator( '%j/%m/%Y %G:%i' ) );
// these fields do not need to be validated but should be there when we show the view once again
- $this->registerField( "postSlug" );
- $this->registerField( "postStatus" );
- $this->registerField( "sendNotification" );
- $this->registerField( "sendTrackbacks" );
- $this->registerField( "sendPings" );
- $this->registerField( "commentsEnabled" );
- $this->registerField( "customField" );
- $this->registerField( "trackbackUrls" );
- $this->registerField( "postUser" );
+ $this->registerFieldValidator( "postSlug", new StringValidator(), true );
+ $this->registerFieldValidator( "postStatus", new IntegerValidator(), true );
+ $this->registerFieldValidator( "sendNotification", new IntegerValidator(), true );
+ $this->registerFieldValidator( "sendTrackbacks", new IntegerValidator(), true );
+ $this->registerFieldValidator( "sendPings", new IntegerValidator(), true );
+ $this->registerFieldValidator( "commentsEnabled", new IntegerValidator(), true );
+ // TODO - use validate() and validate by fieldtype?
+ $this->registerFieldValidator( "customField", new ArrayValidator(), true );
+ $this->registerFieldValidator( "trackbackUrls", new ArrayValidator( new HttpUrlValidator() ), true );
+ $this->registerFieldValidator( "postUser", new IntegerValidator(), true );
}
function _fetchPostDateInformation()
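Review bot: The `customField` registration uses a bare `ArrayValidator()`, so only the container shape is checked and every element value reaches the post unvalidated, which the TODO on the preceding line acknowledges and the commit log explains (HTML may be legitimate there). Until a per-field-type validator exists, that contract should be spelled out for the code that later stores these values, e.g. `// customField values are NOT validated here (any type, HTML allowed) - escape on output`. Separately, `postStatus` with a plain `IntegerValidator()` accepts any integer rather than the application's defined post status values; if the validator class supports a range or allowed-set option, narrowing it there would reject unknown statuses before they reach the store (the validator API is not visible in this hunk). The method these registrations belong to begins before the hunk.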
@@ -157,17 +159,17 @@
$this->_postCategories = $this->_request->getValue( "postCategories" );
$this->_postSlug = Textfilter::filterAllHTML($this->_request->getValue( "postSlug" ));
$this->_postStatus = $this->_request->getValue( "postStatus" );
- $this->_sendNotification = $this->_request->getValue( "sendNotification" );
- $this->_sendTrackbacks = $this->_request->getValue( "sendTrackbacks" );
- $this->_sendPings = $this->_request->getValue( "sendPings" );
+ $this->_sendNotification = $this->_request->getValue( "sendNotification" ) ? 1 : 0;
+ $this->_sendTrackbacks = $this->_request->getValue( "sendTrackbacks" ) ? 1 : 0;
+ $this->_sendPings = $this->_request->getValue( "sendPings" ) ? 1 : 0;
$this->_postId = $this->_request->getValue( "postId" );
- $this->_commentsEnabled = $this->_request->getValue( "commentsEnabled" );
+ $this->_commentsEnabled = $this->_request->getValue( "commentsEnabled" ) ? 1 : 0;
$this->_globalArticleCategoryId = $this->_request->getValue( "globalArticleCategoryId" );
$this->_trackbackUrls = $this->_request->getValue( "trackbackUrls" );
// fetch the custom fields
$this->_customFields = $this->_request->getValue( "customField" );
-
+
// fetch the timestamp that the post will have
$this->_fetchPostDateInformation();
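Review bot: `_postStatus` and `_postId` on the lines above are still stored as the raw request value while the four flags beside them are normalized to `1`/`0`, so the object ends up holding strings for fields that the companion hunk registers as integers. A cast at the same spot keeps the type uniform and removes reliance on loose comparison downstream, `$this->_postStatus = (int)$this->_request->getValue( "postStatus" );`, and likewise for `_postId` if it is also validated as an integer (its validator is not visible here). `_customFields` is copied verbatim; a one-line comment at that assignment noting the values are unfiltered would help whoever next touches the store path. The enclosing method starts and ends outside the hunk.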
@@ -191,7 +193,8 @@
$fields = Array();
if( is_array($this->_customFields)) {
foreach( $this->_customFields as $fieldId => $fieldValue ) {
- // 3 of those parameters are not really need when creating a new object... it's enough that
+ // 3 of those parameters are not really need when creating
+ // a new object... it's enough that
// we know the field definition id.
$row = Array( "field_id" => $fieldId,
"field_value" => $fieldValue,