Commit aad27822 authored by Normann Lou's avatar Normann Lou

FIX: Sanitize User input

obey code convention - rules for 120 chars
parent 4c6dd56d
......@@ -29,10 +29,11 @@ class UnsubscribeController extends Page_Controller {
$mailingListID = (int)$this->urlParams['MailingList'];
if($mailingListID) {
return $mailingList = DataObject::get_by_id("NewsletterType", $mailingListID);
return $mailingList = DataObject::get_by_id("NewsletterType", Convert::raw2sql($mailingListID));
}else{
if(isset($_GET['MailingLists']) && !empty($_GET['MailingLists']) && is_array($_GET['MailingLists'])){
return DataObject::get("NewsletterType", "ID IN (".implode(",", $_GET['MailingLists']).")");
return DataObject::get("NewsletterType",
"ID IN (".implode(",", Convert::raw2sql($_GET['MailingLists'])).")");
};
}
}
......@@ -49,7 +50,8 @@ class UnsubscribeController extends Page_Controller {
// then unsubscribe the user
if($member && isset($mailingList) && $mailingList->exists() && $member->inGroup($mailingList->GroupID)) {
$this->unsubscribeFromList($member, $mailingList);
$url = Director::absoluteBaseURL() . $this->RelativeLink('done') . "/" . $member->AutoLoginHash . "/" . $mailingList->ID;
$url = Director::absoluteBaseURL() . $this->RelativeLink('done') . "/" .
$member->AutoLoginHash . "/" . $mailingList->ID;
Director::redirect($url);
return $url;
} elseif($member) {
......@@ -75,7 +77,8 @@ class UnsubscribeController extends Page_Controller {
}elseif(is_a($mailingList, "NewsletterType")){
$nlTypes = $mailingList->Title;
}
self::$done_message = sprintf(_t('Unsubscribe.REMOVESUCCESS', 'Thank you. %s will no longer receive the %s.'), $email, $nlTypes);
self::$done_message = sprintf(_t('Unsubscribe.REMOVESUCCESS',
'Thank you. %s will no longer receive the %s.'), $email, $nlTypes);
}
$form -> setMessage(self::$done_message, 'good');
self::$done_message = null;
......@@ -89,13 +92,16 @@ class UnsubscribeController extends Page_Controller {
$form = new Form($this, "UnsubscribeLinkSent", new FieldSet(), new FieldSet);
if(isset($_GET['SendEmail']) && $_GET['SendEmail']){
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENTTO', "The unsubscribe link has been sent to %s"), $_GET['SendEmail']), "good");
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENTTO', "The unsubscribe link has been sent to %s"),
$_GET['SendEmail']), "good");
return $this->customise(array(
'Title' => _t('Unsubscribe.LINKSENT', 'Unsubscrib Link Sent'),
'Form' => $form
))->renderWith('Page');
}elseif(isset($_GET['SendError']) && $_GET['SendError']){
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENDERR', "Sorry, currently we have internal error, and can't send the unsubscribe link to %s"), $_GET['SendError']), "good");
$form -> setMessage(sprintf(_t('Unsubscribe.LINKSENDERR',
"Sorry, currently we have internal error, and can't send the unsubscribe link to %s"),
$_GET['SendError']), "good");
return $this->customise(array(
'Title' => _t('Unsubscribe.LINKNOTSEND', 'Unsubscrib Link Can\'t Be Sent'),
'Form' => $form
......@@ -125,7 +131,7 @@ class UnsubscribeController extends Page_Controller {
*/
function sendmeunsubscribelink( $data) {
if(isset($data['Email']) && $data['Email']) {
$member = DataObject::get_one("Member", "Email = '".$data['Email']."'");
$member = DataObject::get_one("Member", "Email = '".Convert::raw2sql($data['Email'])."'");
if($member){
if(!$from = Email::getAdminEmail()){
$from = 'noreply@'.Director::BaseURL();
......@@ -154,13 +160,16 @@ HTML
$email = new Email($from, $to, $subject, $body);
$result = $email -> send();
if($result){
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('linksent') . "?SendEmail=".$data['Email']);
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('linksent') .
"?SendEmail=".$data['Email']);
}else{
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('linksent') . "?SendError=".$data['Email']);
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('linksent') .
"?SendError=".$data['Email']);
}
}else{
$form = $this->EmailAddressForm();
$message = sprintf(_t("Unsubscribe.NOTSIGNUP", "Sorry, '%s' doesn't appear to be an sign-up member with us"), $data['Email']);
$message = sprintf(_t("Unsubscribe.NOTSIGNUP",
"Sorry, '%s' doesn't appear to be an sign-up member with us"), $data['Email']);
$form->sessionMessage($message, 'bad');
Director::redirectBack();
}
......@@ -180,15 +189,18 @@ HTML
if( $data['MailingLists'] ) {
$mailingLists = array();
foreach( array_keys( $data['MailingLists'] ) as $listID ){
$list = DataObject::get_by_id( 'NewsletterType', $listID );
$list = DataObject::get_by_id( 'NewsletterType', Convert::raw2sql($listID));
$this->unsubscribeFromList( $member, $list);
$mailingLists[] = "MailingLists[]=".$listID;
}
$liststring = implode("&", $mailingLists);
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('done') . "/" . $member->AutoLoginHash . "?" . $liststring);
Director::redirect(Director::absoluteBaseURL() . $this->RelativeLink('done') . "/" .
$member->AutoLoginHash . "?" . $liststring);
return;
} else {
$form->addErrorMessage('MailingLists', _t('Unsubscribe.NOMLSELECTED', 'You need to select at least one mailing list to unsubscribe from.'), 'bad');
$form->addErrorMessage('MailingLists', _t('Unsubscribe.NOMLSELECTED',
'You need to select at least one mailing list to unsubscribe from.'),
'bad');
Director::redirectBack();
}
}
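Review bot: The escaping added around `implode(",", ...$_GET['MailingLists'])` in the first hunk does not make the `ID IN (...)` clause safe, because `Convert::raw2sql` only neutralises quote characters while these values are interpolated unquoted as a numeric list; for integer IDs the fitting check is a cast, e.g. `$ids = array_map('intval', $_GET['MailingLists']);` and then `"ID IN (".implode(",", $ids).")"`. By the same reasoning the `Convert::raw2sql($mailingListID)` is redundant after the `(int)` cast two lines above it, and `(int)$listID` would be the consistent choice in the `unsubscribeFromList` loop of the last hunk. Separately, the two `linksent` redirects still place `$data['Email']` into the query string unencoded; `urlencode($data['Email'])` keeps the URL well-formed. The messages built from `$_GET['SendEmail']` and `$_GET['SendError']` should be confirmed to be HTML-escaped when the form renders them, which is not visible from this hunk.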
......
......@@ -261,7 +261,7 @@ JS
if(isset($data["NewsletterSelection"])){
foreach($data["NewsletterSelection"] as $n){
$newsletterType = DataObject::get_by_id("NewsletterType", $n);
$newsletterType = DataObject::get_by_id("NewsletterType", Convert::raw2sql($n));
if($newsletterType->exists()){
$newsletters[] = $newsletterType;
......@@ -328,7 +328,7 @@ JS
function complete(){
if($id = $this->urlParams['ID']){
$memberData = DataObject::get_by_id("Member", $id)->getAllFields();
$memberData = DataObject::get_by_id("Member", Convert::raw2sql($id))->getAllFields();
}
return $this->customise(array(
'Title' => _t('SubscriptionCompleted', 'Subscription completed!'),
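Review bot: `DataObject::get_by_id("Member", ...)` on the new line in `complete()` can return a non-object when no Member matches `$this->urlParams['ID']`, and `->getAllFields()` is then invoked on it, which is a fatal error rather than a handled case; fetch first and guard, e.g. `$member = DataObject::get_by_id("Member", (int)$id); $memberData = $member ? $member->getAllFields() : array();`. A `(int)` cast is also the appropriate check for an ID here and for `$n` in the `NewsletterSelection` loop of the first hunk, since `Convert::raw2sql` only escapes quotes and does not validate that the value is numeric, and that loop likewise calls `->exists()` on a result that may be empty. Whether returning every field of a Member selected only by a bare URL ID is intended is worth confirming against the access model; this is inferred, since the rest of `complete()` continues past the end of the hunk.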
......