Commit 7dad4157 authored by Normann Lou's avatar Normann Lou

FIX: Sanitize user inputs

also changed to obey the code convention of a maximal line length of 120 characters
parent 12663a36
......@@ -48,7 +48,8 @@ class SubscriptionPage extends Page{
//Fields selction
$dataFields = singleton('Member')->getCMSFields()->dataFields();
//Since the subscription form is focuse add a member to newsletter groups, we should avoid Password stuff and leave it to member forget/reset password mechanism.
//Since the subscription form is focuse add a member to newsletter groups, we should avoid Password
//stuff and leave it to member forget/reset password mechanism.
if(isset($dataFields['Password'])) unset($dataFields['Password']);
$fieldCandidates = array();
......@@ -59,7 +60,8 @@ class SubscriptionPage extends Page{
}
$memberFields = singleton('Member')->getMemberFormFields()->dataFields();
//Since Email field is the member's identifier, and newsletters subscription is non-sence if no email is given by the user, we should force that email to be checked and required.
//Since Email field is the member's identifier, and newsletters subscription is non-sence if no email is
//given by the user, we should force that email to be checked and required.
$defaults = array("Email");
if(count($memberFields)){
foreach($memberFields as $fieldName => $memberField){
......@@ -242,7 +244,7 @@ JS
$newsletters = array();
if(isset($data["NewsletterSelection"])){
foreach($data["NewsletterSelection"] as $n){
$newsletterType = DataObject::get_by_id("NewsletterType", $n);
$newsletterType = DataObject::get_by_id("NewsletterType", Convert::raw2sql($n));
if($newsletterType->exists()){
$newsletters[] = $newsletterType;
$groupID = $newsletterType->GroupID;
......@@ -304,7 +306,7 @@ JS
function complete(){
if($id = $this->urlParams['ID']){
$memberData = DataObject::get_by_id("Member", $id)->getAllFields();
$memberData = DataObject::get_by_id("Member", Convert::raw2sql($id))->getAllFields();
}
return $this->customise(array(
'Title' => _t('SubscriptionCompleted', 'Subscription completed!'),
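Review bot: Wrapping the URL-supplied IDs in `Convert::raw2sql()` (the `get_by_id` calls now on the new side of the `-242` and `-304` hunks) is the wrong sanitizer for an integer ID: quote-escaping only helps inside a quoted SQL string, and `get_by_id` presumably puts the value into an unquoted numeric comparison, so the robust form is a cast, `$newsletterType = DataObject::get_by_id("NewsletterType", (int)$n);` and `$memberData = DataObject::get_by_id("Member", (int)$id)->getAllFields();`. Both call sites still dereference the result without checking it — `$newsletterType->exists()` and `->getAllFields()` are called on whatever `get_by_id` returns, which for an unknown ID is not an object — so a guard such as `if($newsletterType && $newsletterType->exists())` belongs in front of each. In `complete()`, the member record is looked up purely from the `ID` URL parameter; if `$memberData` is handed to the template, confirm that this action is only reachable via an unguessable token rather than a sequential ID, since the hunk does not show the rest of the `customise()` array. The enclosing functions of both hunks continue outside the visible lines.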
......
......@@ -30,13 +30,14 @@ class Unsubscribe_Controller extends Page_Controller {
}
private function getMailingList(){
$mailingListID = (int)$this->urlParams['MailingList'];
$mailingListID = Convert::raw2sql($this->urlParams['MailingList']);
if($mailingListID) {
return $mailingList = DataObject::get_by_id("NewsletterType", $mailingListID);
return $mailingList = DataObject::get_by_id("NewsletterType", (int)$mailingListID);
}else{
if(isset($_GET['MailingLists']) && !empty($_GET['MailingLists']) && is_array($_GET['MailingLists'])){
return DataObject::get("NewsletterType", "ID IN (".implode(",", $_GET['MailingLists']).")");
return DataObject::get("NewsletterType", "ID IN (".implode(",",
Convert::raw2sql($_GET['MailingLists'])).")");
};
}
}
......@@ -52,7 +53,8 @@ class Unsubscribe_Controller extends Page_Controller {
// then unsubscribe the user
if($member && isset($mailingList) && $mailingList->exists() && $member->inGroup($mailingList->GroupID)) {
$this->unsubscribeFromList($member, $mailingList);
$url = Director::absoluteBaseURL() . $this->RelativeLink('done') . "/" . $member->AutoLoginHash . "/" . $mailingList->ID;
$url = Director::absoluteBaseURL() . $this->RelativeLink('done')
. "/" . $member->AutoLoginHash . "/" . $mailingList->ID;
Director::redirect($url);
return $url;
} elseif($member) {
......@@ -78,7 +80,8 @@ class Unsubscribe_Controller extends Page_Controller {
}elseif(is_a($mailingList, "NewsletterType")){
$nlTypes = $mailingList->Title;
}
self::$done_message = sprintf(_t('Unsubscribe.REMOVESUCCESS', 'Thank you. %s will no longer receive the %s.'), $email, $nlTypes);
self::$done_message = sprintf(_t('Unsubscribe.REMOVESUCCESS',
'Thank you. %s will no longer receive the %s.'), $email, $nlTypes);
}
$form -> setMessage(self::$done_message, 'good');
self::$done_message = null;
......@@ -92,13 +95,16 @@ class Unsubscribe_Controller extends Page_Controller {
$form = new Form($this, "UnsubscribeLinkSent", new FieldSet(), new FieldSet);
if(isset($_GET['SendEmail']) && $_GET['SendEmail']){
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENTTO', "The unsubscribe link has been sent to %s"), $_GET['SendEmail']), "good");
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENTTO',
"The unsubscribe link has been sent to %s"), $_GET['SendEmail']), "good");
return $this->customise(array(
'Title' => _t('Unsubscribe.LINKSENT', 'Unsubscrib Link Sent'),
'Form' => $form
))->renderWith('Page');
}elseif(isset($_GET['SendError']) && $_GET['SendError']){
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENDERR', "Sorry, currently we have internal error, and can't send the unsubscribe link to %s"), $_GET['SendError']), "good");
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENDERR',
"Sorry, currently we have internal error, and can't send the unsubscribe link to %s"),
$_GET['SendError']), "good");
return $this->customise(array(
'Title' => _t('Unsubscribe.LINKNOTSEND', 'Unsubscrib Link Can\'t Be Sent'),
'Form' => $form
......@@ -126,7 +132,7 @@ class Unsubscribe_Controller extends Page_Controller {
*/
function sendmeunsubscribelink( $data) {
if(isset($data['Email']) && $data['Email']) {
$member = DataObject::get_one("Member", "Email = '".$data['Email']."'");
$member = DataObject::get_one("Member", "Email = '".Convert::raw2sql($data['Email'])."'");
if($member){
if(!$from = Email::getAdminEmail()){
$from = 'noreply@'.Director::BaseURL();
......@@ -156,13 +162,16 @@ HTML
$email = new Email($from, $to, $subject, $body);
$result = $email -> send();
if($result){
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('linksent') . "?SendEmail=".$data['Email']);
Director::redirect(Director::absoluteBaseURL()
. $this->RelativeLink('linksent') . "?SendEmail=".$data['Email']);
}else{
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('linksent') . "?SendError=".$data['Email']);
Director::redirect(Director::absoluteBaseURL()
. $this->RelativeLink('linksent') . "?SendError=".$data['Email']);
}
}else{
$form = $this->EmailAddressForm();
$message = sprintf(_t("Unsubscribe.NOTSIGNUP", "Sorry, '%s' doesn't appear to be an sign-up member with us"), $data['Email']);
$message = sprintf(_t("Unsubscribe.NOTSIGNUP",
"Sorry, '%s' doesn't appear to be an sign-up member with us"), $data['Email']);
$form->sessionMessage($message, 'bad');
Director::redirectBack();
}
......@@ -183,15 +192,17 @@ HTML
if( $data['MailingLists'] ) {
$mailingLists = array();
foreach( array_keys( $data['MailingLists'] ) as $listID ){
$list = DataObject::get_by_id( 'NewsletterType', $listID );
$list = DataObject::get_by_id( 'NewsletterType', Convert::raw2sql($listID ));
$this->unsubscribeFromList( $member, $list);
$mailingLists[] = "MailingLists[]=".$listID;
}
$liststring = implode("&", $mailingLists);
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('done') . "/" . $member->AutoLoginHash . "?" . $liststring);
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('done') . "/
" . $member->AutoLoginHash . "?" . $liststring);
return;
} else {
$form->addErrorMessage('MailingLists', _t('Unsubscribe.NOMLSELECTED', 'You need to select at least one mailing list to unsubscribe from.'), 'bad');
$form->addErrorMessage('MailingLists', _t('Unsubscribe.NOMLSELECTED',
'You need to select at least one mailing list to unsubscribe from.'), 'bad');
Director::redirectBack();
}
}
......@@ -226,7 +237,8 @@ class Unsubscribe_MailingListForm extends Form {
$lists = $this->getMailingLists( $member );
if( $lists ) {
$fields->push( new LabelField('SubscribedToLabel', _t('Unsubcribe.CHECKTOUNSUBSCRIBE', 'Check the newsletter(s) you want to unsubscribe')) );
$fields->push( new LabelField('SubscribedToLabel', _t('Unsubcribe.CHECKTOUNSUBSCRIBE',
'Check the newsletter(s) you want to unsubscribe')) );
$fields->push( new CheckboxSetField("MailingLists", "", $lists));
$actions->push( new FormAction('unsubscribe', _t('Unsubscribe.UNSUBSCRIBE', 'Unsubscribe') ) );
......@@ -234,7 +246,8 @@ class Unsubscribe_MailingListForm extends Form {
parent::__construct( $controller, $name, $fields, $actions, $validator);
} else {
parent::__construct( $controller, $name, $fields, $actions);
$this->setMessage(_t('Unsubscribe.NOTINMAILINGLISTS', 'Sorry, your don\'t appear to be in any of our mailing lists.'), 'warning');
$this->setMessage(_t('Unsubscribe.NOTINMAILINGLISTS',
'Sorry, your don\'t appear to be in any of our mailing lists.'), 'warning');
}
$this->disableSecurityToken();
......@@ -247,9 +260,11 @@ class Unsubscribe_MailingListForm extends Form {
protected function getMailingLists( $member ) {
// get all the newsletter types that the member is subscribed to
if(defined('Database::USE_ANSI_SQL')) {
return DataObject::get( 'NewsletterType', "\"MemberID\"='{$member->ID}'", null, "LEFT JOIN \"Group_Members\" USING(\"GroupID\")" );
return DataObject::get( 'NewsletterType', "\"MemberID\"='{$member->ID}'", null,
"LEFT JOIN \"Group_Members\" USING(\"GroupID\")" );
} else {
return DataObject::get( 'NewsletterType', "`MemberID`='{$member->ID}'", null, "LEFT JOIN `Group_Members` USING(`GroupID`)" );
return DataObject::get( 'NewsletterType', "`MemberID`='{$member->ID}'", null,
"LEFT JOIN `Group_Members` USING(`GroupID`)" );
}
}
......@@ -270,7 +285,8 @@ class Unsubscribe_EmailAddressForm extends Form {
);
$actions = new FieldSet(
new FormAction( 'sendmeunsubscribelink', _t('Unsubscribe.SENDMEUNSUBSCRIBELINK', 'Send me unsubscribe link'))
new FormAction( 'sendmeunsubscribelink',
_t('Unsubscribe.SENDMEUNSUBSCRIBELINK', 'Send me unsubscribe link'))
);
parent::__construct( $controller, $name, $fields, $actions, new RequiredFields(array('Email')));
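Review bot: The line wrap in the `-183` hunk of `unsubscribe()` was placed inside a string literal: `"/` on one line and `" . $member->AutoLoginHash` on the next embeds a literal newline in the redirect URL, so the `done` link now contains `/\n<hash>?...`; the break should sit between concatenated operands instead, e.g. `Director::absoluteBaseURL() . $this->RelativeLink('done') . "/"` followed by `. $member->AutoLoginHash . "?" . $liststring);`. The same escaping-versus-casting mismatch appears in `getMailingList()`: `Convert::raw2sql()` on `$_GET['MailingLists']` does not protect the unquoted `ID IN (...)` clause, because quote-escaping is only meaningful inside a quoted SQL string, so each element should be cast, `implode(",", array_map('intval', $_GET['MailingLists']))`, and the `(int)` cast on `$mailingListID` already makes its `raw2sql` call redundant. In `sendmeunsubscribelink()` the email address is concatenated raw into the `?SendEmail=`/`?SendError=` redirect query and later reflected into `setMessage()` in `linksent()`; it should be `urlencode()`d when building the URL, and if `setMessage()` renders its text as HTML the reflected `$_GET` value needs `Convert::raw2xml()` there too (the hunk does not show how the message is rendered). These functions all start or end outside their hunks.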
......