Add escape HTML in various area

b7b42ade · Suhendi · 1aa60b6b · b7b42ade · b7b42ade · b7b42ade
Commit b7b42ade authored 5 years ago by Suhendi
--- a/controller/Account/RegisterController.php
+++ b/controller/Account/RegisterController.php
@@ -23,15 +23,15 @@ class RegisterController extends BaseController {
            } else {
                $biodata = new Entity\GenericEntity(array(
                    "username" => $this->getArg('username'),
-                    "name" => $this->getArg('name'),
-                    "email" => $this->getArg('email'),
-                    "address" => $this->getArg('address'),
-                    "phone" => $this->getArg('phone'),
+                    "name" => escapeHTML($this->getArg('name')),
+                    "email" => escapeHTML($this->getArg('email')),
+                    "address" => escapeHTML($this->getArg('address')),
+                    "phone" => escapeHTML($this->getArg('phone')),
                ));
                try {
                    // Create user.
                    $user = new Entity\AccountEntity(array(
-                        "username" => $this->getArg('username'),
+                        "username" => escapeHTML($this->getArg('username')),
                        "password" => $this->getArg('password')
                    ));
                } catch (Entity\InvalidValueException $e) {

--- a/controller/EditController.php
+++ b/controller/EditController.php
@@ -47,9 +47,9 @@ class EditController extends BaseController {
            //Updating data
            if (isset($this->params["data"]["name"])) {
                $biodata = $model_biodata->findByID($username);
-                $biodata->name = $this->getArg('name');
-                $biodata->address = $this->getArg('address');
-                $biodata->phone = $this->getArg('phone');
+                $biodata->name = escapeHTML($this->getArg('name'));
+                $biodata->address = escapeHTML($this->getArg('address'));
+                $biodata->phone = escapeHTML($this->getArg('phone'));
                
                //Update profile picture
                if (isset($image_id)) {

--- a/framework/lib/util.php
+++ b/framework/lib/util.php
@@ -23,5 +23,8 @@ function alert($message) {
    echo "<script type=\"text/javascript\">alert('$message')</script>";
 }

+function escapeHTML($html) {
+    return str_replace(">", "&gt;", str_replace("<", "&lt;", $html));
+}

 ?>
\ No newline at end of file
--- a/view/biodata.php
+++ b/view/biodata.php
@@ -49,7 +49,7 @@
        <td><img class="icon" src="assets/image/address.png" ></td>
        <td class="data_type">Address </td>
        <td><?php
-        $text = str_replace(">", "&gt;", str_replace("<", "&lt;", $data["address"]));
+        $text = escapeHTML($data["address"]);
        echo $text;
        ?></textarea></td>
    </tr>