Add validation and 'htmlspecialchars' to keep Teun from breaking stuff
This commit is contained in:
parent
858830915f
commit
b457495426
3 changed files with 20 additions and 0 deletions
@ -21,6 +21,7 @@ function get_all_users() {
|
|||
$r = $db->query('SELECT id, emailaddress, isadmin FROM users');
|
||||
$ret = array();
|
||||
while ($row = $r->fetchArray()) {
|
||||
$row['emailaddress'] = htmlspecialchars($row['emailaddress']);
|
||||
array_push($ret, $row);
|
||||
}
|
||||
|
||||
|
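Review bot: The escaped copy on the `htmlspecialchars` line covers only the `'emailaddress'` key; if `$db` is SQLite3, as `fetchArray()` suggests, its default `SQLITE3_BOTH` mode also places the raw value at `$row[1]`, so the unescaped address still leaves through `$ret` and `_jtable_respond`. Fetch associative rows only, `while ($row = $r->fetchArray(SQLITE3_ASSOC)) {`, and pin the flags so single quotes are escaped on older PHP, `$row['emailaddress'] = htmlspecialchars($row['emailaddress'], ENT_QUOTES, 'UTF-8');`. Escaping at the data layer also means any caller of `get_all_users()` that reuses the address as a key or compares it to the stored value gets the HTML-encoded form; escaping at the render side would keep the two apart. `get_all_users` starts before this hunk.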
@ -14,11 +14,18 @@ if (isset($_GET['action'])) {
|
|||
_jtable_respond(null, 'error', 'No action given');
|
||||
}
|
||||
|
||||
function _valid_user($name) {
|
||||
return ( bool ) ! preg_match( '/^[a-z0-9@_.-]+$/i' , $name );
|
||||
}
|
||||
|
||||
|
||||
if ($action == "list") {
|
||||
$users = get_all_users();
|
||||
_jtable_respond($users);
|
||||
} elseif ($action == "create" or $action == "update") {
|
||||
if (_valid_user($_POST['emailaddress']) === FALSE) {
|
||||
_jtable_respond(null, 'error', "Please only use [a-z0-9@_/.-] for usernames");
|
||||
}
|
||||
$isadmin = $_POST['isadmin'] ? $_POST['isadmin'] : '0';
|
||||
if (add_user($_POST['emailaddress'], $isadmin, $_POST['password']) === TRUE) {
|
||||
unset($_POST['password']);
|
||||
|
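Review bot: `_valid_user` returns the opposite of what its name and call site expect: `preg_match` yields 1 for a name that matches the allow-list, the `!` turns that into false, so the `=== FALSE` check in the create/update branch rejects every well-formed address and lets anything else through. Drop the negation, `return (bool) preg_match('/^[a-z0-9@_.-]+$/iD', $name);`, where `D` stops `$` from accepting a trailing newline. The error text also advertises `/`, which the pattern does not allow; align one with the other. If `_jtable_respond()` does not terminate the request, `add_user()` on the following lines still runs with the rejected value, so that should be confirmed or an explicit `return` added after the error response. The enclosing `if`/`elseif` chain continues past the hunk.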
12
zones.php
12
zones.php
@ -41,11 +41,18 @@ function _do_curl($method, $opts = null, $type = 'post') {
|
|||
}
|
||||
}
|
||||
|
||||
function _valid_label($name) {
|
||||
return ( bool ) ! preg_match( '/^[a-z0-9_/.-]+$/i' , $name );
|
||||
}
|
||||
|
||||
function _create_record($name, $records, $input, $zoneurl) {
|
||||
global $defaults;
|
||||
|
||||
$content = ($input['type'] == "TXT") ? '"'.$input['content'].'"' : $input['content'];
|
||||
|
||||
if (_valid_label($input['name']) === FALSE) {
|
||||
_jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
|
||||
}
|
||||
if (is_ascii($content) === FALSE or is_ascii($input['name']) === FALSE) {
|
||||
_jtable_respond(null, 'error', "Please only use ASCII-characters in your fields");
|
||||
}
|
||||
|
@ -143,6 +150,7 @@ if ($action == "list" or $action== "listslaves") {
|
|||
if (check_owner($zone['name']) === FALSE)
|
||||
continue;
|
||||
|
||||
$zone['name'] = htmlspecialchars($zone['name']);
|
||||
$zone['owner'] = get_zone_owner($zone['name']);
|
||||
if ($action == "listslaves" and $zone['kind'] == "Slave") {
|
||||
array_push($return, $zone);
|
||||
|
@ -153,6 +161,9 @@ if ($action == "list" or $action== "listslaves") {
|
|||
usort($return, "zonesort");
|
||||
_jtable_respond($return);
|
||||
} elseif ($action == "create") {
|
||||
if (_valid_label($_POST['name']) === FALSE) {
|
||||
_jtable_respond(null, 'error', "Please only use [a-z0-9_/.-]");
|
||||
}
|
||||
if ($_POST['kind'] != null and $_POST['name'] != null) {
|
||||
$nameservers = array();
|
||||
if ($_POST['kind'] != "Slave") {
|
||||
|
@ -205,6 +216,7 @@ if ($action == "list" or $action== "listslaves") {
|
|||
$any = array();
|
||||
foreach ($rows['records'] as $idx => $record) {
|
||||
$rows['records'][$idx]['id'] = json_encode($record);
|
||||
$record['name'] = htmlspecialchars($record['name']);
|
||||
if ($record['type'] == 'SOA') { array_push($soa, $rows['records'][$idx]); }
|
||||
elseif ($record['type'] == 'NS') { array_push($ns, $rows['records'][$idx]); }
|
||||
elseif ($record['type'] == 'MX') { array_push($mx, $rows['records'][$idx]); }
|
||||
|
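Review bot: In the last hunk `htmlspecialchars` is applied to `$record`, the by-value foreach copy, but the lines below push `$rows['records'][$idx]` into `$soa`/`$ns`/`$mx`, so the escaped name is discarded and the response still carries the raw value. Write it back to the array that is emitted, `$rows['records'][$idx]['name'] = htmlspecialchars($record['name'], ENT_QUOTES, 'UTF-8');`; the `id` built from `$record` on the line above keeps the original, which is what a lookup key wants. The `listslaves` hunk has the mirror-image ordering problem: `$zone['name']` is escaped before `get_zone_owner($zone['name'])` is called, so the owner lookup runs on the HTML-encoded name rather than the stored one, and the escape should move below the lookup. `_valid_label` in the first hunk carries the same inverted `! preg_match` as `_valid_user` elsewhere in this commit, so valid labels are rejected and invalid ones accepted. The foreach and the `if ($action == ...)` chain continue past the hunk.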