fix: added missing conversion to HTML entities, removed obsolete code
thorsten committed Mar 10, 2023
1 parent 0dc8e52 commit d773df9
Showing 1 changed file with 5 additions and 72 deletions.
77 changes: 5 additions & 72 deletions phpmyfaq/admin/group.php
Expand Up @@ -18,6 +18,7 @@
*/

use phpMyFAQ\Filter;
use phpMyFAQ\Strings;
use phpMyFAQ\User;
use phpMyFAQ\User\CurrentUser;

Expand Down Expand Up @@ -171,7 +172,7 @@
<div class="col-lg-12">
<h2 class="page-header">
<i aria-hidden="true" class="fa fa-users fa-fw"></i>
<?= $PMF_LANG['ad_group_deleteGroup'] ?> "<?= $groupData['name'] ?>"
<?= $PMF_LANG['ad_group_deleteGroup'] ?> "<?= Strings::htmlentities($groupData['name']) ?>"
</h2>
</div>
</header>
Expand Down Expand Up @@ -226,8 +227,8 @@
$user = new User($faqConfig);
$message = '';
$messages = [];
$groupName = Filter::filterInput(INPUT_POST, 'group_name', FILTER_UNSAFE_RAW, '');
$groupDescription = Filter::filterInput(INPUT_POST, 'group_description', FILTER_UNSAFE_RAW, '');
$groupName = Filter::filterInput(INPUT_POST, 'group_name', FILTER_SANITIZE_SPECIAL_CHARS, '');
$groupDescription = Filter::filterInput(INPUT_POST, 'group_description', FILTER_SANITIZE_SPECIAL_CHARS, '');
$groupAutoJoin = Filter::filterInput(INPUT_POST, 'group_auto_join', FILTER_UNSAFE_RAW, '');
$csrfOkay = true;
$csrfToken = Filter::filterInput(INPUT_POST, 'csrf', FILTER_UNSAFE_RAW);
Expand All @@ -236,7 +237,7 @@
$csrfOkay = false;
}
// check group name
if ($groupName == '') {
if ($groupName === '') {
$messages[] = $PMF_LANG['ad_group_error_noName'];
}
// ok, let's go
Expand Down Expand Up @@ -336,60 +337,6 @@
<?php
}

// Import LDAP groups
/*
if ('import-ldap-groups' === $groupAction && $user->perm->hasPermission($user->getUserId(), 'addgroup')) {
$user = new CurrentUser($faqConfig);
$message = '';
$messages = [];
// Temporary data
$groupName = 'LDAP Group';
$groupDescription = 'This is a LDAP group import demo';
$groupAutoJoin = false;
$csrfOkay = true;
$csrfToken = Filter::filterInput(INPUT_POST, 'csrf', FILTER_UNSAFE_RAW);
if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
$csrfOkay = false;
}
// check group name
if ($groupName == '') {
$messages[] = $PMF_LANG['ad_group_error_noName'];
}
// ok, let's go
if (count($messages) == 0 && $csrfOkay) {
// create group
$groupData = [
'name' => $groupName,
'description' => $groupDescription,
'auto_join' => $groupAutoJoin,
];
if ($user->perm->addGroup($groupData) <= 0) {
$messages[] = $PMF_LANG['ad_adus_dberr'];
}
}
// no errors, show list
if (count($messages) == 0) {
$groupAction = $defaultGroupAction;
$message = sprintf('<p class="alert alert-success">%s</p>', $PMF_LANG['ad_group_suc']);
// display error messages and show form again
} else {
$groupAction = 'import-ldap-groups';
$message = '<p class="alert alert-danger">';
foreach ($messages as $err) {
$message .= $err . '<br>';
}
$message .= '</p>';
}
}
*/

// show list of users
if ('list' === $groupAction) {
?>
Expand All @@ -416,20 +363,6 @@

<div class="col-lg-4" id="group_list">

<!--
<div class="card mb-4">
<div class="card-header py-3">
<form id="group-import-ldap-groups" method="post"
name="group-import-ldap-groups" action="?action=group&amp;group_action=import-ldap-groups">
<input type="hidden" name="csrf" value="<?= $currentUser->getCsrfTokenFromSession() ?>">
<button class="btn btn-success" type="submit">
Import LDAP groups
</button>
</form>
</div>
</div>
-->

<div class="card mb-4">
<form id="group_select" name="group_select" action="?action=group&amp;group_action=delete_confirm"
method="post">
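Review bot: The switch to `FILTER_SANITIZE_SPECIAL_CHARS` for `group_name` and `group_description` in the `-226,8 +227,8` hunk encodes `<>&"'` into numeric entities before the value is stored, while the `-171,7 +172,7` hunk escapes the same value again with `Strings::htmlentities` when the delete-confirm heading is rendered, so a name such as `R&D` would presumably be stored as `R&#38;D` and shown as `R&amp;#38;D` (unless `Strings::htmlentities` passes `double_encode: false`, which is not visible here), and the database would hold an HTML-specific representation that is wrong for any non-HTML consumer such as an API response or LDAP group matching. Escaping belongs at the output boundary only: keep the raw value for the two POST fields, `$groupName = Filter::filterInput(INPUT_POST, 'group_name', FILTER_UNSAFE_RAW, '');` and the matching line for `group_description`, and rely on the output-side `Strings::htmlentities` that this commit adds. If the input-side sanitizing is kept instead, the new `Strings::htmlentities` call on the heading should be dropped, and the description should receive the same output-side escaping wherever it is rendered, which is not part of this diff. How `$groupData['name']` is loaded and whether other templates already escape it lies outside the hunks.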
