Commit a74a671e authored by Malcolm Blaney's avatar Malcolm Blaney

Improved sanitising of user input. Improved html formatting. Purchase

module js now only sends back purchases from the browser that
haven't yet been saved to the server. Show grid area earlier in all
modules so that column widths are calculated properly. Added
new-login session variable so that local storage can be cleared
when a user first logs in.
parent c3676ed2
<?php
// Dobrado Content Management System
// Copyright (C) 2016 Malcolm Blaney
// Copyright (C) 2017 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
......@@ -26,10 +26,10 @@ class Banking extends Base {
return ['error' => 'Permission denied editing bank details.'];
}
$mysqli = connect_db();
$name = $mysqli->escape_string($_POST['name']);
$number = $mysqli->escape_string($_POST['number']);
$bsb = $mysqli->escape_string($_POST['bsb']);
$credit = $mysqli->escape_string($_POST['credit']);
$name = $mysqli->escape_string(htmlspecialchars($_POST['name']));
$number = $mysqli->escape_string(htmlspecialchars($_POST['number']));
$bsb = $mysqli->escape_string(htmlspecialchars($_POST['bsb']));
$credit = (int)$_POST['credit'];
$query = 'UPDATE banking SET name = "'.$name.'", number = "'.$number.'", '.
'bsb = "'.$bsb.'", credit = '.$credit.
' WHERE user = "'.$this->user->name.'"';
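Review bot: The htmlspecialchars() calls added at L28-30 use the default flags, which on PHP releases before 8.1 leave single quotes unencoded, so the stored values are only safe in the double-quoted attributes this module happens to emit; passing the flags explicitly, e.g. `$name = $mysqli->escape_string(htmlspecialchars($_POST['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));`, removes that dependency on the PHP version and on how the value is later rendered. Encoding at input time also stores entities in the database, so any non-HTML consumer of these columns (JSON, email, CSV) sees `&amp;` rather than `&`, and any later output encoding double-encodes; storing raw and encoding at output is the conventional alternative. The UPDATE at L32-34 is still assembled by concatenation, and a prepared statement with bound parameters would make the escape_string() step unnecessary. In the second hunk, L73 drops the space before `$checked`, which only yields valid markup if `$checked` itself starts with a space. The enclosing method starts outside the hunk.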
......@@ -87,21 +87,29 @@ class Banking extends Base {
'<div class="edit"><a href="#">Edit your bank details</a></div>'.
'<form id="banking-form" class="hidden">'.
'<div class="info"><b>Please note:</b> You only need to fill in '.
'your bank details if you are selling to the co-op, and would '.
'your bank details if you are selling to the group, and would '.
'like to be paid to your bank account, rather than receive '.
'credit for your sold goods.</div><br>'.
'<label for="banking-name-input">Account Name: </label>'.
'<input id="banking-name-input" name="name" value="'.
$name.'" size="15" maxlength="100"><br>'.
'<label for="banking-number-input">Account Number: </label>'.
'<input id="banking-number-input" name="number" value="'.
$number.'" size="15" maxlength="20"><br>'.
'<label for="banking-bsb-input">BSB: </label>'.
'<input id="banking-bsb-input" name="bsb" value="'.
$bsb.'" type="text" size="7" maxlength="7"><br>'.
'<label for="banking-credit-input">Receive Credit: </label>'.
'<input type="checkbox" id="banking-credit-input" name="credit" '.
$checked.'><br>'.
'credit for your sold goods.</div>'.
'<div class="form-spacing">'.
'<label for="banking-name-input">Account Name: </label>'.
'<input id="banking-name-input" name="name" value="'.$name.'" '.
'type="text" maxlength="100">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="banking-number-input">Account Number: </label>'.
'<input id="banking-number-input" name="number" value="'.$number.'" '.
'type="text" maxlength="20">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="banking-bsb-input">BSB: </label>'.
'<input id="banking-bsb-input" name="bsb" value="'.$bsb.'" '.
'type="text" maxlength="7">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="banking-credit-input">Receive Credit: </label>'.
'<input type="checkbox" id="banking-credit-input" name="credit"'.
$checked.'>'.
'</div>'.
'<button class="submit">Submit</button>'.
'</form>';
}
......
<?php
// Dobrado Content Management System
// Copyright (C) 2016 Malcolm Blaney
// Copyright (C) 2017 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
......@@ -45,7 +45,7 @@ class Comment extends Base {
if ($result = $mysqli->query($query)) {
if ($comment = $result->fetch_assoc()) {
$author = '';
$author_name = htmlspecialchars($comment['author']);
$author_name = $comment['author'];
$author_photo = $comment['author_photo'];
$author_url = $comment['author_url'];
if ($author_url !== '') {
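Review bot: With htmlspecialchars() removed at L93, the safety of `$author_name` in the markup that follows now rests on every write path to the author column having encoded or purified the value before storing it; the note added at L101-102 in the second hunk says so for the purifier path, but nothing at the point of use records it. A comment at L93 such as `// author is stored already purified/encoded by the comment editor, so it is not escaped again here` keeps the invariant visible where it is consumed, and any write path to this column not touched by this commit should be checked against it. Whether the purified value is also safe inside an attribute context depends on where the markup places it, which is outside the hunk, as is the start of the enclosing method.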
......@@ -194,6 +194,8 @@ class Comment extends Base {
$url = '';
$description = '';
$permalink = '';
// Note that the caller passes all data in $us_content through HTMLPurifier
// so escaping html is not required here.
$us_author = isset($us_content['author']) ? $us_content['author'] : '';
$us_author_photo = isset($us_content['author_photo']) ?
$us_content['author_photo'] : '';
......
<?php
// Dobrado Content Management System
// Copyright (C) 2016 Malcolm Blaney
// Copyright (C) 2017 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
......@@ -61,6 +61,7 @@ class Commenteditor extends Base {
$blacklist_options.
'</select></div>';
}
// Note: name attribute on inputs is used by extended editor.
$custom = '<form id="extended-custom-settings">'.
'Public comments can be locked so that any further comments can only '.
'be added to the current page by logged in users.'.
......@@ -79,7 +80,8 @@ class Commenteditor extends Base {
'</div>'.
'<div class="form-spacing">'.
'<label for="comment-whitelist-add">Add domain:</label>'.
'<input id="comment-whitelist-add" name="comment-whitelist-add">'.
'<input id="comment-whitelist-add" name="comment-whitelist-add" '.
'type="text">'.
'</div>'.$whitelist_remove.
'<div class="form-spacing">'.
'<label for="comment-blacklist-check">Block specified domains:'.
......@@ -89,7 +91,8 @@ class Commenteditor extends Base {
'</div>'.
'<div class="form-spacing">'.
'<label for="comment-blacklist-add">Add domain:</label>'.
'<input id="comment-blacklist-add" name="comment-blacklist-add">'.
'<input id="comment-blacklist-add" name="comment-blacklist-add" '.
'type="text">'.
'</div>'.$blacklist_remove.
'<button type="submit">Submit</button>'.
'</form>';
......@@ -111,9 +114,7 @@ class Commenteditor extends Base {
// Want to use the new id in the permalink.
$us_author = isset($_POST['name']) ? $_POST['name'] : '';
$us_url = isset($_POST['website']) ? $_POST['website'] : '';
// A comment can only be added via the form as plain text, but also use
// purifier to clean it up as markup will be visible.
$us_description = htmlspecialchars($purifier->purify($_POST['content']));
$us_description = $purifier->purify($_POST['content']);
$us_content = ['author' => $purifier->purify($us_author),
'url' => $purifier->purify($us_url),
'description' => nl2br($us_description, false),
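Review bot: Dropping htmlspecialchars() at L149 turns comments from escaped plain text into rendered HTML, because HTMLPurifier returns markup rather than text, and the removed comment at L146-147 was the only statement of the plain-text intent. If that is the intended change, it is worth documenting which elements the purifier configuration permits (its `HTML.Allowed` directive, not visible here) so that links and images in comments from anonymous visitors are an explicit decision; if it is not, restore the htmlspecialchars() wrapper around the purify() call. A replacement comment such as `// Comments are rendered as purified HTML; the allowed element set comes from the purifier config.` would make the new behaviour visible to the next reader. The author at L150 is purified as HTML too, so if it is later placed inside an attribute it still needs attribute encoding. The enclosing method starts outside the hunk.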
......@@ -176,11 +177,11 @@ class Commenteditor extends Base {
'<form id="comment-form">'.
'<div class="form-spacing">'.
'<label for="comment-name">Name: </label>'.
'<input id="comment-name" size="15" maxlength="50">'.
'<input id="comment-name" type="text" maxlength="50">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="comment-url">Website: </label>'.
'<input id="comment-url" type="url" size="15" maxlength="200">'.
'<input id="comment-url" type="text" maxlength="200">'.
'</div>'.
'<textarea id="comment-content"></textarea><br>'.
'<button class="submit">submit</button>'.
......
......@@ -35,14 +35,14 @@ class Detail extends Base {
}
$mysqli = connect_db();
$first = $mysqli->escape_string($_POST['first']);
$last = $mysqli->escape_string($_POST['last']);
$thumb = $mysqli->escape_string($_POST['thumb']);
$phone = $mysqli->escape_string($_POST['phone']);
$address = $mysqli->escape_string($_POST['address']);
$first = $mysqli->escape_string(htmlspecialchars($_POST['first']));
$last = $mysqli->escape_string(htmlspecialchars($_POST['last']));
$thumb = $mysqli->escape_string(htmlspecialchars($_POST['thumb']));
$phone = $mysqli->escape_string(htmlspecialchars($_POST['phone']));
$address = $mysqli->escape_string(htmlspecialchars($_POST['address']));
$description = isset($_POST['description']) ?
$mysqli->escape_string($_POST['description']) : '';
$follow = $mysqli->escape_string($_POST['follow']);
$mysqli->escape_string(htmlspecialchars($_POST['description'])) : '';
$follow = $mysqli->escape_string(htmlspecialchars($_POST['follow']));
$query = 'INSERT INTO user_detail VALUES ("'.$this->user->name.'", '.
'"'.$first.'", "'.$last.'", "'.$thumb.'", "'.$phone.'", "'.$address.'", '.
'"'.$description.'", "'.$follow.'", 1, 0, "") ON DUPLICATE KEY UPDATE '.
......@@ -87,13 +87,14 @@ class Detail extends Base {
'users.user = user_detail.user WHERE users.user = "'.$this->owner.'"';
if ($result = $mysqli->query($query)) {
if ($detail = $result->fetch_assoc()) {
// email is the only value here that is not escaped when stored.
$email = htmlspecialchars($detail['email']);
$first = htmlspecialchars($detail['first']);
$last = htmlspecialchars($detail['last']);
$phone = htmlspecialchars($detail['phone']);
$address = htmlspecialchars($detail['address']);
$description = htmlspecialchars($detail['description']);
$follow = htmlspecialchars($detail['follow']);
$first = $detail['first'];
$last = $detail['last'];
$phone = $detail['phone'];
$address = $detail['address'];
$description = $detail['description'];
$follow = $detail['follow'];
$thumbnail = $detail['thumbnail'];
if (preg_match('/^(.+)\.(.+)$/', $thumbnail, $match)) {
$name = $match[1];
......@@ -196,29 +197,29 @@ class Detail extends Base {
'<form id="detail-form" class="hidden">'.
'<div class="form-spacing">'.
'<label for="detail-first-input">First Name:</label>'.
'<input id="detail-first-input" value="'.$first.'" size="15" '.
'maxlength="50" type="text">'.
'<input id="detail-first-input" value="'.$first.'" type="text" '.
'maxlength="50">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="detail-last-input">Last Name:</label>'.
'<input id="detail-last-input" value="'.$last.'" size="15" '.
'maxlength="50" type="text">'.
'<input id="detail-last-input" value="'.$last.'" type="text"'.
'maxlength="50">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="detail-thumb-input">Picture:</label>'.
'<input id="detail-thumb-input" value="'.$thumbnail.'" size="15" '.
'maxlength="200"> '.
'<input id="detail-thumb-input" value="'.$thumbnail.'" '.
'type="text" maxlength="200"> '.
'<button class="detail-thumb-browse">browse</button>'.
'</div>'.
'<div class="form-spacing">'.
'<label for="detail-follow-input">Follow:</label>'.
'<input id="detail-follow-input" value="'.$follow.'" size="15" '.
'maxlength="200" type="text">'.
'<input id="detail-follow-input" value="'.$follow.'" type="text" '.
'maxlength="200">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="detail-phone-input">Phone:</label>'.
'<input id="detail-phone-input" value="'.$phone.'" type="tel" '.
'size="15" maxlength="50">'.
'<input id="detail-phone-input" value="'.$phone.'" type="text" '.
'maxlength="50">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="detail-address-textarea">Address:</label>'.
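Review bot: At L223-224 the fragment `'type="text"'.` has no trailing space before `'maxlength="50">'`, so the last-name input is emitted as `type="text"maxlength="50"`; the sibling inputs at L216 and L238 keep the space, so the fix is `'<input id="detail-last-input" value="'.$last.'" type="text" '.`. Separately, removing htmlspecialchars() at L201-206 (and likewise at L267-270, L278-288 and L298-308 below) makes the rendering of these fields depend on every write path encoding them, and the removed comment at L193 was the only note of that; a line at L201 such as `// Detail fields are stored htmlspecialchars()-encoded; email is the exception and is encoded above.` keeps the invariant visible where the values are consumed. The enclosing method starts outside the hunk.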
......@@ -318,9 +319,9 @@ class Detail extends Base {
'"",".detail .edit a","font-size","0.8em"',
'"","#detail-form label","width","6em"',
'"","#detail-form .submit","margin-left","6.3em"',
'"","#detail-address-textarea","width","270px"',
'"","#detail-address-textarea","width","300px"',
'"","#detail-address-textarea","height","60px"',
'"","#detail-description-textarea","width","270px"',
'"","#detail-description-textarea","width","300px"',
'"","#detail-description-textarea","height","60px"',
'"",".detail-web-actions a.highlight","font-weight","bold"'];
$this->AddSiteStyle($site_style);
......@@ -397,9 +398,8 @@ class Detail extends Base {
'user_detail ON users.user = user_detail.user WHERE '.$user_query;
if ($result = $mysqli->query($query)) {
while ($detail = $result->fetch_assoc()) {
$object[$detail['user']] =
['first' => htmlspecialchars($detail['first']),
'last' => htmlspecialchars($detail['last'])];
$object[$detail['user']] = ['first' => $detail['first'],
'last' => $detail['last']];
}
$result->close();
}
......@@ -465,13 +465,13 @@ class Detail extends Base {
}
}
$object[$detail['user']] =
['first' => htmlspecialchars($detail['first']),
'last' => htmlspecialchars($detail['last']),
['first' => $detail['first'],
'last' => $detail['last'],
'thumbnail' => $img,
'phone' => htmlspecialchars($detail['phone']),
'description' => htmlspecialchars($detail['description']),
'display' => (int)$detail['display'] === 1 &&
(int)$detail['active'] === 1,
'phone' => $detail['phone'],
'description' => $detail['description'],
'display' => (int)$detail['display'] === 1
&& (int)$detail['active'] === 1,
'reminder_time' => $detail['reminder_time'],
'email' => htmlspecialchars($detail['email']),
'group' => $detail['system_group']];
......@@ -583,12 +583,12 @@ class Detail extends Base {
}
}
$object = ['email' => htmlspecialchars($detail['email']),
'first' => htmlspecialchars($detail['first']),
'last' => htmlspecialchars($detail['last']),
'first' => $detail['first'],
'last' => $detail['last'],
'thumbnail' => $img,
'phone' => htmlspecialchars($detail['phone']),
'address' => htmlspecialchars($detail['address']),
'description' => htmlspecialchars($detail['description']),
'phone' => $detail['phone'],
'address' => $detail['address'],
'description' => $detail['description'],
'display' => $detail['display'] === '1',
'reminderTime' => $detail['reminder_time'],
'reminderRepeat' => $detail['reminder_repeat']];
......
......@@ -448,8 +448,8 @@ class Graph extends Base {
private function Init() {
$object = [];
$id = (int)$_POST['id'];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$query = 'SELECT graph_id FROM graph_instance WHERE '.
'user = "'.$this->owner.'" AND box_id = '.$id;
if ($result = $mysqli->query($query)) {
......@@ -511,8 +511,8 @@ class Graph extends Base {
private function RemoveLabel() {
$object = [];
$id = (int)$_POST['id'];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$label = $mysqli->escape_string($_POST['label']);
$feed_id = $this->RequestFeedId($id);
$query = 'SELECT '.$this->LabelQuery().' FROM graph_labels WHERE '.
......@@ -546,7 +546,7 @@ class Graph extends Base {
private function NewLabel() {
$object = [];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$id = (int)$_POST['id'];
$label = $mysqli->escape_string($_POST['label']);
$feed_id = $this->RequestFeedId($id);
$query = 'SELECT '.$this->LabelQuery().' FROM graph_labels WHERE '.
......@@ -586,8 +586,8 @@ class Graph extends Base {
private function NewGraph($type) {
$graph_id = 0;
$id = (int)$_POST['id'];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$query = 'SELECT MAX(graph_id) AS graph_id FROM graph_instance '.
'WHERE user = "'.$this->owner.'" AND box_id = '.$id;
if ($result = $mysqli->query($query)) {
......@@ -611,9 +611,9 @@ class Graph extends Base {
}
private function RemoveGraph() {
$id = (int)$_POST['id'];
$graph_id = (int)$_POST['graphId'];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$graph_id = $mysqli->escape_string($_POST['graphId']);
$query = 'DELETE FROM graph_instance WHERE user = "'.$this->owner.'" '.
'AND box_id = '.$id.' AND graph_id = '.$graph_id;
if (!$mysqli->query($query)) {
......@@ -624,13 +624,15 @@ class Graph extends Base {
}
private function UpdateTitle() {
$id = (int)$_POST['id'];
$graph_id = (int)$_POST['graphId'];
$display_count = (int)$_POST['displayCount'];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$graph_id = $mysqli->escape_string($_POST['graphId']);
$title = $mysqli->escape_string($_POST['title']);
$display_count = $mysqli->escape_string($_POST['displayCount']);
$x_axis_format = $mysqli->escape_string($_POST['xAxisFormat']);
$y_axis_format = $mysqli->escape_string($_POST['yAxisFormat']);
$title = $mysqli->escape_string(htmlspecialchars($_POST['title']));
$x_axis_format =
$mysqli->escape_string(htmlspecialchars($_POST['xAxisFormat']));
$y_axis_format =
$mysqli->escape_string(htmlspecialchars($_POST['yAxisFormat']));
$update_query = 'SET title = "'.$title.'"';
if ($display_count !== '') {
$update_query .= ', display_count = '.$display_count;
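Review bot: `$display_count` is cast to int at L365, so the guard `if ($display_count !== '')` at L379 compares an int with a string and is always true; an absent or empty displayCount field, which the old code skipped, now writes `display_count = 0`. Test the raw request value instead, `if (isset($_POST['displayCount']) && $_POST['displayCount'] !== '') {`, and keep the `(int)` cast for the value that goes into the query. RemoveSeries and AddSeries were updated to `=== 0` for the same change (L400, L431), which suggests this check was simply missed. In those two methods the `$y_label` assignments kept at L397 and L428 appear to be dead, since L416 and L438 reassign it with the encoded value before the query is built. The rest of UpdateTitle lies outside the hunk.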
......@@ -800,7 +802,7 @@ class Graph extends Base {
$feed_id = -1;
if (isset($_POST['id'])) {
$feed_id = $mysqli->escape_string($_POST['id']);
$feed_id = (int)$_POST['id'];
}
// When id isn't set, another module is providing data and expects
// the graph module to know what to do with it.
......@@ -856,13 +858,12 @@ class Graph extends Base {
}
private function RemoveSeries() {
$id = (int)$_POST['id'];
$graph_id = (int)$_POST['graphId'];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$graph_id = $mysqli->escape_string($_POST['graphId']);
$y_label = $mysqli->escape_string($_POST['yLabel']);
$x_label = 'time';
if ($graph_id === '') {
if ($graph_id === 0) {
$mysqli->close();
return ['error' => 'graphId not given'];
}
......@@ -874,7 +875,7 @@ class Graph extends Base {
if ($result = $mysqli->query($query)) {
if ($graph_instance = $result->fetch_assoc()) {
if ($graph_instance['graph_type'] === 'custom') {
$x_label = $mysqli->escape_string($_POST['xLabel']);
$x_label = $mysqli->escape_string(htmlspecialchars($_POST['xLabel']));
}
}
$result->close();
......@@ -883,6 +884,7 @@ class Graph extends Base {
$this->Log('Graph->RemoveSeries 1: '.$mysqli->error);
}
$y_label = $mysqli->escape_string(htmlspecialchars($_POST['yLabel']));
$query = 'DELETE FROM graph_pairs WHERE user = "'.$this->owner.'"'.
' AND box_id = '.$id.' AND graph_id = '.$graph_id.
' AND x_label = "'.$x_label.'" AND y_label = "'.$y_label.'" LIMIT 1';
......@@ -894,12 +896,11 @@ class Graph extends Base {
}
private function AddSeries() {
$id = (int)$_POST['id'];
$graph_id = (int)$_POST['graphId'];
$mysqli = connect_db();
$id = $mysqli->escape_string($_POST['id']);
$graph_id = $mysqli->escape_string($_POST['graphId']);
$y_label = $mysqli->escape_string($_POST['yLabel']);
$x_label = 'time';
if ($graph_id === '') {
if ($graph_id === 0) {
$mysqli->close();
return ['error' => 'graphId not given'];
}
......@@ -919,6 +920,7 @@ class Graph extends Base {
$this->Log('Graph->AddSeries 1: '.$mysqli->error);
}
$y_label = $mysqli->escape_string(htmlspecialchars($_POST['yLabel']));
$query = 'INSERT INTO graph_pairs VALUES ("'.$this->owner.'", '.$id.', '.
$graph_id.', "'.$x_label.'", "'.$y_label.'")';
if (!$mysqli->query($query)) {
......@@ -929,8 +931,8 @@ class Graph extends Base {
}
private function ConnectModule() {
$feed_id = (int)$_POST['feedID'];
$mysqli = connect_db();
$feed_id = $mysqli->escape_string($_POST['feedID']);
$label = $mysqli->escape_string($_POST['label']);
$query = 'INSERT INTO graph_connect VALUES ("'.$this->owner.'", '.
'"'.$label.'", '.$feed_id.') ON DUPLICATE KEY UPDATE feed_id = '.$feed_id;
......@@ -942,8 +944,8 @@ class Graph extends Base {
}
private function DisconnectModule() {
$feed_id = (int)$_POST['feedID'];
$mysqli = connect_db();
$feed_id = $mysqli->escape_string($_POST['feedID']);
$label = $mysqli->escape_string($_POST['label']);
$query = 'DELETE FROM graph_connect WHERE user = "'.$this->owner.'" '.
'AND label = "'.$label.'" AND feed_id = '.$feed_id;
......
......@@ -31,7 +31,6 @@ class Manager extends Base {
if ($us_action === 'search') return $this->Search();
if ($us_action === 'submit') return $this->AddPurchase();
if ($us_action === 'remove') return $this->RemovePurchase();
if ($us_action === 'editDetails') return $this->EditDetails();
if ($us_action === 'loadProducts') return $this->AvailableProducts();
if ($us_action === 'savePurchase') return $this->AddToComposite();
if ($us_action === 'removePurchase') return $this->RemoveFromComposite();
......@@ -113,11 +112,6 @@ class Manager extends Base {
'<label for="manager-username-input">Username:</label>'.
'<input id="manager-username-input" type="text" maxlength="50">'.
'</div>'.
'<div class="details"><b>Contact details:</b> '.
'<button class="edit">edit</button><br>'.
'<span class="fullname"></span> '.
'<span class="email"></span>'.
'</div>'.
'<hr>'.
'<div class="form-spacing">'.
'<label for="manager-product-input">Product:</label>'.
......@@ -169,23 +163,6 @@ class Manager extends Base {
'<button class="remove">remove</button>'.
'</form>'.
'<div class="search-info"></div>'.
'<form id="manager-details-form" class="hidden">'.
'<div class="form-spacing">'.
'<label for="manager-details-first-input">First Name:</label>'.
'<input id="manager-details-first-input" type="text" maxlength="50">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="manager-details-last-input">Last Name:</label>'.
'<input id="manager-details-last-input" type="text" maxlength="50">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="manager-details-phone-input">Phone Number:</label>'.
'<input id="manager-details-phone-input" type="text" size="15" '.
'maxlength="50">'.
'</div><br>'.
'<div id="manager-details-info"></div>'.
'<button class="submit">submit</button>'.
'</form>'.
'<div class="manager-view-all-dialog hidden">'.
'<div class="manager-view-all-total"></div>'.
'</div>';
......@@ -220,8 +197,6 @@ class Manager extends Base {
'"","#manager-form","border-radius","2px"',
'"","#manager-form","padding","5px"',
'"","#manager-form label","width","6em"',
'"","#manager-details-form label","width","7.5em"',
'"","#manager-details-form .submit","margin-left","8em"',
'"","#manager-form .submit","float","right"',
'"","#manager-form .search","float","right"',
'"","#manager-form .search","margin-right","10px"',
......@@ -230,8 +205,7 @@ class Manager extends Base {
'"","label[for=manager-group-input]","float","none"',
'"","label[for=manager-export-data]","float","none"'];
$this->AddSiteStyle($site_style);
return $this->Dependencies(['banking', 'detail', 'invite', 'purchase',
'stock']);
return $this->Dependencies(['banking', 'invite', 'purchase', 'stock']);
}
public function Placement() {
......@@ -348,34 +322,6 @@ class Manager extends Base {
return ['error' => 'Group not found.'];
}
private function EditDetails() {
$result = [];
$joined = [];
$default_group = $this->user->group;
if (isset($_SESSION['purchase-group'])) {
$this->user->group = $_SESSION['purchase-group'];
$invite = new Invite($this->user, $this->owner);
$joined = $invite->Joined();
}
$organiser = new Organiser($this->user, $this->owner);
$mysqli = connect_db();
$username = $mysqli->escape_string($_POST['username']);
if ($organiser->MatchUser($username, $joined)) {
$first = $mysqli->escape_string($_POST['first']);
$last = $mysqli->escape_string($_POST['last']);
$phone = $mysqli->escape_string($_POST['phone']);
$detail = new Detail($this->user, $this->owner);
$detail->UpdateUser($username, $first, $last, $phone);
$result['done'] = true;
}
else {
$result['error'] = 'User not found';
}
$mysqli->close();
$this->user->group = $default_group;
return $result;
}
private function AllProducts() {
$result = [];
$default_group = $this->user->group;
......@@ -389,9 +335,6 @@ class Manager extends Base {
list($result['users'], $result['buyerGroup']) =
$banking->AllBuyers(true, true, $created);
$detail = new Detail($this->user, $this->owner);
$result['details'] = $detail->AllUsers(true, $created);
$stock = new Stock($this->user, $this->owner);
$result['products'] = $stock->AllProducts(true, $this->user->group);
// Need wholesale and retail percent to calculate base price for variably
......
<?php
// Dobrado Content Management System
// Copyright (C) 2016 Malcolm Blaney
// Copyright (C) 2017 Malcolm Blaney
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as
......@@ -36,7 +36,7 @@ class Pager extends Base {
public function Callback() {
if (!$this->user->canEditPage) {
return array('error' => 'You don\'t have permission to edit limit.');
return ['error' => 'You don\'t have permission to edit limit.'];
}
$old_limit = $this->Limit();
......@@ -70,7 +70,7 @@ class Pager extends Base {
$moved = $this->Move($page, 2, true, $limit);
} while ($moved);
}
return array('done' => true);
return ['done' => true];
}
public function CanAdd($page) {
......@@ -92,7 +92,7 @@ class Pager extends Base {
$content .= '<button class="edit-limit">edit</button>'.
'<span class="pager-limit hidden">'.
'<label for="pager-limit-input">Posts per page:</label>'.
'<input id="pager-limit-input" type="text" size="3" maxlength="5" '.
'<input id="pager-limit-input" type="text" maxlength="5" '.
'value = "'.$limit.'">'.
'<button class="save">save</button>'.
'</span>';
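Review bot: The rewritten input at L593-594 keeps `'value = "'.$limit.'">'` with spaces around `=`; browsers accept it, but it is the only attribute in this commit written that way, so `'value="'.$limit.'">'.` matches the rest of the formatting work. `$limit` is placed in the attribute without encoding, which is fine only if Limit() always yields an integer; its implementation is outside the hunk, so if that is not guaranteed cast it with `(int)` before use.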
......@@ -220,12 +220,12 @@ class Pager extends Base {
}
$mysqli->close();
$template = array('"pager-limit","","10"');
$template = ['"pager-limit","","10"'];
$this->AddTemplate($template);
$site_style = array('"",".pager","min-height","40px"',
'"",".pager .edit-limit","float","left"',
'"",".pager-navigation a","text-decoration","none"',
'"",".pager-next","float","right"');
$site_style = ['"",".pager","min-height","40px"',
'"",".pager .edit-limit","float","left"',
'"",".pager-navigation a","text-decoration","none"',
'"",".pager-next","float","right"'];
$this->AddSiteStyle($site_style);
}
......
......@@ -868,18 +868,19 @@ class Payment extends Base {
$mysqli = connect_db();
$username = $mysqli->escape_string($_POST['username']);
if ($organiser->MatchUser($username)) {
$reference = $mysqli->escape_string($_POST['reference']);
$reference =
$mysqli->escape_string(htmlspecialchars($_POST['reference']));
// The banking reference can't be empty, or longer than 20 characters.
if ($reference === '' || strlen($reference) > 20) {
$object['error'] = 'Bank reference must be 20 characters or less.';
}
else {
$name = $mysqli->escape_string($_POST['name']);
$number = $mysqli->escape_string($_POST['number']);
$bsb = $mysqli->escape_string($_POST['bsb']);
$credit = $mysqli->escape_string($_POST['credit']);
$surcharge = $mysqli->escape_string($_POST['surcharge']);
$deposit = $mysqli->escape_string($_POST['deposit']);
$name = $mysqli->escape_string(htmlspecialchars($_POST['name']));
$number = $mysqli->escape_string(htmlspecialchars($_POST['number']));
$bsb = $mysqli->escape_string(htmlspecialchars($_POST['bsb']));
$credit = (int)$_POST['credit'];
$surcharge = (int)$_POST['surcharge'];
$deposit = (int)$_POST['deposit'];
$buyer_group = $mysqli->escape_string($_POST['buyerGroup']);
$banking = new Banking($this->user, $this->owner);
$object = $banking->UpdateUser($username, $reference, $name, $number,
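Review bot: The length check at L622 now runs on the reference after htmlspecialchars() and escape_string(), so a reference of, say, 17 characters containing `&` or a quote is measured as longer than 20 and rejected, and the message at L623 will look wrong to that user. Validate the raw field first, e.g. `if ($_POST['reference'] === '' || mb_strlen($_POST['reference']) > 20) {`, and encode afterwards; the encoded value can then exceed 20 bytes, so the stored column width (not visible here) must allow for that or the encoded length must be checked separately. As elsewhere in this commit the htmlspecialchars() calls at L620 and L632-634 use default flags, so `ENT_QUOTES` should be passed if these values can ever land inside single-quoted attributes. The enclosing method starts outside the hunk.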
......@@ -901,9 +902,9 @@ class Payment extends Base {
$mysqli = connect_db();
$username = $mysqli->escape_string($_POST['username']);
$timestamp = (int)($_POST['timestamp'] / 1000);
$reference = $mysqli->escape_string($_POST['reference']);
$amount = $mysqli->escape_string($_POST['amount']);
$comment = $mysqli->escape_string($_POST['comment']);
$reference = $mysqli->escape_string(htmlspecialchars($_POST['reference']));
$amount = $mysqli->escape_string(htmlspecialchars($_POST['amount']));
$comment = $mysqli->escape_string(htmlspecialchars($_POST['comment']));
$new_payment = $_POST['newPayment'] === 'true';
$import_mode = $_POST['importMode'] === 'true';
// If the amount has a $ prefix remove it first.
......@@ -964,12 +965,14 @@ class Payment extends Base {
private function EditSettings() {
$mysqli = connect_db();
$surcharge = $mysqli->escape_string($_POST['surcharge']);
$min_surcharge = $mysqli->escape_string($_POST['minSurcharge']);
$max_surcharge = $mysqli->escape_string($_POST['maxSurcharge']);
$deposit = $mysqli->escape_string($_POST['deposit']);
$info = $mysqli->escape_string($_POST['info']);
$warning = $mysqli->escape_string($_POST['warning']);
$surcharge = $mysqli->escape_string(htmlspecialchars($_POST['surcharge']));
$min_surcharge =
$mysqli->escape_string(htmlspecialchars($_POST['minSurcharge']));
$max_surcharge =
$mysqli->escape_string(htmlspecialchars($_POST['maxSurcharge']));
$deposit = $mysqli->escape_string(htmlspecialchars($_POST['deposit']));
$info = $mysqli->escape_string(htmlspecialchars($_POST['info']));
$warning = $mysqli->escape_string(htmlspecialchars($_POST['warning']));
// If any of the values has a $ prefix remove it first.
if ($surcharge[0] === '$') {
$surcharge = substr($surcharge, 1);
......
......@@ -124,7 +124,7 @@ class Post extends Base {
'<div class="form-spacing">'.
'<label for="post-author-input">Author:</label>'.
'<input id="post-author-input" name="author" type="text" '.
'value="'.htmlspecialchars($post['author']).'" maxlength="50">'.
'value="'.$post['author'].'" maxlength="50">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="post-category-input">Category:</label>'.
......@@ -135,7 +135,7 @@ class Post extends Base {
'<div class="form-spacing">'.
'<label for="post-action-url-input">Webaction Url:</label>'.
'<input id="post-action-url-input" name="webactionUrl" '.
'type="text" value="'.htmlspecialchars($url).'" maxlength="200">'.
'type="text" value="'.$url.'" maxlength="200">'.
'</div>'.
'<div class="form-spacing">'.
'<label for="post-action-type-input">Webaction Type:</label>'.
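Review bot: The `$url` written into the value attribute at L689 is no longer encoded, so a stored URL containing `"` closes the attribute and whatever follows is parsed as markup. The comment at L698, in the next (cut-off) hunk, suggests URLs are deliberately kept with raw ampersands, and if that holds then no encoding happens on either side for this field; an `&` inside an attribute value is correctly written as `&amp;` and the browser decodes it before following the link, so encoding at output does not break the URL. Keep `'type="text" value="'.htmlspecialchars($url, ENT_QUOTES).'" maxlength="200">'.` here, and the same reasoning applies to `$post['author']` at L680 in the first hunk if author values can arrive from a path that does not encode them. The enclosing method starts outside the hunk.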
......@@ -748,7 +748,8 @@ class Post extends Base {
if (isset($us_content['webactionType']) &&
isset($us_content['webactionUrl'])) {
$us_type = $us_content['webactionType'];
$us_url = $us_content['webactionUrl'];
// Want to allow ampersands in urls here so not using htmlspecialchars.