From b7b42adeeed7c5f29689d9b21c01ff9844e3f669 Mon Sep 17 00:00:00 2001
From: Suhendi <suhendi999@gmail.com>
Date: Sat, 1 Feb 2020 12:46:52 +0700
Subject: [PATCH] Add escape HTML in various area
---
 controller/Account/RegisterController.php | 10 +++++-----
 controller/EditController.php | 6 +++---
 framework/lib/util.php | 3 +++
 view/biodata.php | 2 +-
 4 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/controller/Account/RegisterController.php b/controller/Account/RegisterController.php
index da6f83a..0e234c1 100644
--- a/controller/Account/RegisterController.php
+++ b/controller/Account/RegisterController.php
@@ -23,15 +23,15 @@ class RegisterController extends BaseController {
 } else {
 $biodata = new Entity\GenericEntity(array(
 "username" => $this->getArg('username'),
- "name" => $this->getArg('name'),
- "email" => $this->getArg('email'),
- "address" => $this->getArg('address'),
- "phone" => $this->getArg('phone'),
+ "name" => escapeHTML($this->getArg('name')),
+ "email" => escapeHTML($this->getArg('email')),
+ "address" => escapeHTML($this->getArg('address')),
+ "phone" => escapeHTML($this->getArg('phone')),
 ));
 try {
 // Create user.
 $user = new Entity\AccountEntity(array(
- "username" => $this->getArg('username'),
+ "username" => escapeHTML($this->getArg('username')),
 "password" => $this->getArg('password')
 ));
 } catch (Entity\InvalidValueException $e) {
diff --git a/controller/EditController.php b/controller/EditController.php
index c73cb3e..6d917d7 100644
--- a/controller/EditController.php
+++ b/controller/EditController.php
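Review bot: The biodata record's `"username"` on the third context line is still stored raw while the AccountEntity a few lines later receives `escapeHTML($this->getArg('username'))`, so a username containing `<` or `>` would be written differently to the two records and a later `findByID($username)` lookup (as in the EditController hunk) could miss. More generally, encoding at input time here and in the EditController hunk bakes HTML entities into the stored `name`, `email`, `address` and `phone`, which is wrong in any non-HTML context those values are later used in and invites double-encoding once the view escapes on output; the usual fix is to keep stored values raw and escape in the view. Since `AccountEntity` already appears to raise `Entity\InvalidValueException` for bad input, validating the username format there (rejecting `<`, `>` and similar) would be the consistent treatment for an identifier rather than encoding it. The enclosing method starts before and ends after the hunk.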
@@ -47,9 +47,9 @@ class EditController extends BaseController {
 //Updating data
 if (isset($this->params["data"]["name"])) {
 $biodata = $model_biodata->findByID($username);
- $biodata->name = $this->getArg('name');
- $biodata->address = $this->getArg('address');
- $biodata->phone = $this->getArg('phone');
+ $biodata->name = escapeHTML($this->getArg('name'));
+ $biodata->address = escapeHTML($this->getArg('address'));
+ $biodata->phone = escapeHTML($this->getArg('phone'));
 
 //Update profile picture
 if (isset($image_id)) {
diff --git a/framework/lib/util.php b/framework/lib/util.php
index 05c8d0e..d0096ad 100644
--- a/framework/lib/util.php
+++ b/framework/lib/util.php
@@ -23,5 +23,8 @@ function alert($message) {
 echo "<script type=\"text/javascript\">alert('$message')</script>";
 }
 
+function escapeHTML($html) {
+ return str_replace(">", ">", str_replace("<", "<", $html));
+}
 
 ?>
\ No newline at end of file
diff --git a/view/biodata.php b/view/biodata.php
index b18743a..a1ebc20 100644
--- a/view/biodata.php
+++ b/view/biodata.php
@@ -49,7 +49,7 @@
 <td><img class="icon" src="assets/image/address.png" ></td>
 <td class="data_type">Address </td>
 <td><?php
- $text = str_replace(">", ">", str_replace("<", "<", $data["address"]));
+ $text = escapeHTML($data["address"]);
 echo $text;
 ?></textarea></td>
 </tr>
-- 
GitLab
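Review bot: As rendered here, both `str_replace` calls in the new `escapeHTML` have a replacement identical to the search string (`">", ">"`), so the function is a no-op unless the replacements are really `&gt;`/`&lt;` lost in the page's rendering; either way it leaves `&`, `"` and `'` untouched, which is not enough for a value echoed inside an attribute or a quoted context. Use the standard library instead: `return htmlspecialchars((string) $html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, and give the helper a docblock stating it is for HTML text and attribute context only, because the neighbouring `alert()` in the context lines writes `$message` into a JavaScript string literal where this kind of escaping does not apply. The trailing `?>` with no newline at end of file can be dropped from a declaration-only file.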
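Review bot: After this commit `address` is escaped on input (RegisterController and EditController hunks) and again here on output, so as soon as `escapeHTML` is made to handle `&` a stored `&lt;` would render literally as `&amp;lt;`; escaping in the view should be the single place it happens, with the controllers storing raw values. The temporary is unnecessary and the two lines collapse to `echo escapeHTML($data["address"]);`. The `</textarea>` closed on the following context line is opened outside the hunk, so the exact element context of the echoed value cannot be confirmed from here.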