Fix de failles xss et limitation des messages dans une discussion à 25

This commit is contained in:
Pierre-Lin Bonnemaison 2015-08-17 02:41:51 +02:00
parent db1b5c35d8
commit 91c25fd917
2 changed files with 15 additions and 12 deletions


@ -82,8 +82,8 @@
foreach ($sendeds as $sended) foreach ($sendeds as $sended)
{ {
$messages[] = array( $messages[] = array(
'date' => $sended['at'], 'date' => htmlspecialchars($sended['at']),
'text' => $sended['content'], 'text' => htmlspecialchars($sended['content']),
'type' => 'sended', 'type' => 'sended',
); );
} }
@ -91,8 +91,8 @@
foreach ($receiveds as $received) foreach ($receiveds as $received)
{ {
$messages[] = array( $messages[] = array(
'date' => $received['at'], 'date' => htmlspecialchars($received['at']),
'text' => $received['content'], 'text' => htmlspecialchars($received['content']),
'type' => 'received', 'type' => 'received',
); );
} }
@ -100,8 +100,8 @@
foreach ($scheduleds as $scheduled) foreach ($scheduleds as $scheduled)
{ {
$messages[] = array( $messages[] = array(
'date' => $scheduled['at'], 'date' => htmlspecialchars($scheduled['at']),
'text' => $scheduled['content'], 'text' => htmlspecialchars($scheduled['content']),
'type' => 'inprogress', 'type' => 'inprogress',
); );
} }
@ -111,6 +111,9 @@
return strtotime($a["date"]) - strtotime($b["date"]); return strtotime($a["date"]) - strtotime($b["date"]);
}); });
//On récupère uniquement les 25 derniers messages sur l'ensemble
$messages = array_slice($messages, -25);
echo json_encode(['transactionId' => $transactionId, 'messages' => $messages]); echo json_encode(['transactionId' => $transactionId, 'messages' => $messages]);
return true; return true;
} }
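Review bot: The new `htmlspecialchars()` calls on the `'date'` and `'text'` entries (lines 15-16, and the same shape in the two following hunks at 24-25 and 33-34) use the default flags and no explicit charset, so on PHP of this era single quotes are left unescaped (ENT_COMPAT) and the encoding is whatever the runtime default is; I would write `'text' => htmlspecialchars($sended['content'], ENT_QUOTES, 'UTF-8'),` and the same for the other five calls. Escaping here also changes what the JSON endpoint returns: `'text'` and `'date'` are now HTML-entity-encoded rather than raw, which couples the API to the one consumer that inserts them as HTML, and the encoded date is what the `strtotime()` comparator in the last hunk then sees, which presumably is harmless for plain date strings but is worth a comment such as `// fields are HTML-escaped here because the JS view concatenates them into markup`. In the last hunk the limit `25` is a magic number that also appears in the commit message; a named constant next to the function would make the cap discoverable. The enclosing function starts outside the hunk.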


@ -71,8 +71,8 @@
var texte = '' + var texte = '' +
'<div class="clearfix message-container">' + '<div class="clearfix message-container">' +
'<div class="discussion-message message-received">' + '<div class="discussion-message message-received">' +
'<div class="discussion-message-text">' + message.text.replace(/</g, "&lt;").replace(/>/g, "&gt;") + '</div>' + '<div class="discussion-message-text">' + message.text + '</div>' +
'<div class="discussion-message-date">' + message.date.replace(/</g, "&lt;").replace(/>/g, "&gt;") + '</div>' + '<div class="discussion-message-date">' + message.date + '</div>' +
'</div>' + '</div>' +
'</div>'; '</div>';
break; break;
@ -80,8 +80,8 @@
var texte = '' + var texte = '' +
'<div class="clearfix message-container">' + '<div class="clearfix message-container">' +
'<div class="discussion-message message-sended">' + '<div class="discussion-message message-sended">' +
'<div class="discussion-message-text">' + message.text.replace(/</g, "&lt;").replace(/>/g, "&gt;") + '</div>' + '<div class="discussion-message-text">' + message.text + '</div>' +
'<div class="discussion-message-date">' + message.date.replace(/</g, "&lt;").replace(/>/g, "&gt;") + '</div>' + '<div class="discussion-message-date">' + message.date + '</div>' +
'</div>' + '</div>' +
'</div>'; '</div>';
break; break;
@ -90,8 +90,8 @@
'<div class="clearfix message-container">' + '<div class="clearfix message-container">' +
'<div class="discussion-message message-sended">' + '<div class="discussion-message message-sended">' +
'<div class="message-in-progress-hover"><i class="fa fa-spinner fa-spin"></i></div>' + '<div class="message-in-progress-hover"><i class="fa fa-spinner fa-spin"></i></div>' +
'<div class="discussion-message-text">' + message.text.replace(/</g, "&lt;").replace(/>/g, "&gt;") + '</div>' + '<div class="discussion-message-text">' + message.text + '</div>' +
'<div class="discussion-message-date">' + message.date.replace(/</g, "&lt;").replace(/>/g, "&gt;") + '</div>' + '<div class="discussion-message-date">' + message.date + '</div>' +
'</div>' + '</div>' +
'</div>'; '</div>';
break; break;
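Review bot: Dropping the `.replace(/</g, "&lt;").replace(/>/g, "&gt;")` calls on `message.text` and `message.date` (lines 53-54, and likewise at 62-63 and 71-72) leaves this string-built markup with no escaping of its own, so its safety now rests entirely on the JSON endpoint continuing to HTML-encode those fields; nothing at this site records that contract. I would add, above the first `var texte = '' +`, a comment like `// message.text and message.date arrive HTML-escaped from the server (htmlspecialchars); do not escape again or entities will double-encode, and do not reuse the raw API values here`. If the API is ever expected to return raw text, the robust alternative is to build these nodes with the DOM and assign `textContent` instead of concatenating into HTML, which would also let the server stop encoding. These `case` bodies sit inside a `switch` whose start and the enclosing function lie outside the hunks.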