Added some more user input validation for reports.

anuko · May 4, 2023 · cd59a56 · cd59a56
1 parent c299c8b
commit cd59a56
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/WEB-INF/lib/common.lib.php b/WEB-INF/lib/common.lib.php
@@ -374,6 +374,15 @@ function ttValidInteger($val, $emptyValid = false)
   return true;
 }
 
+// ttValidCheckbox is used to check user input to validate a checkbox on form.
+function ttValidCheckbox($val)
+{
+  if ($val == null)
+    return true;
+
+  return ($val == '1');
+}
+
 // ttValidCronSpec is used to check user input to validate cron specification.
 function ttValidCronSpec($val)
 {

diff --git a/WEB-INF/lib/ttReportHelper.class.php b/WEB-INF/lib/ttReportHelper.class.php
@@ -1866,7 +1866,24 @@ static function verifyBean($bean) {
       }
     }
 
-    // TODO: add additional checks here. Perhaps do it before saving the bean for consistency.
+    // Validate checkboxes.
+    if (!ttValidCheckbox($bean->getAttribute('chclient'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chproject'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chtask'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chinvoice'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chpaid'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chip'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chstart'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chfinish'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chduration'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chnote'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chcost'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chunits'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chtimesheet'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chapproved'))) return false;
+    if (!ttValidCheckbox($bean->getAttribute('chfiles'))) return false;
+
+    // TODO: add additional checks here.
     return true;
   }
 

diff --git a/initialize.php b/initialize.php
@@ -21,7 +21,7 @@
     die("mysqli_report function is not available."); // No point to continue as mysqli will not work.
 }
 
-define("APP_VERSION", "1.22.10.5778");
+define("APP_VERSION", "1.22.11.5779");
 define("APP_DIR", dirname(__FILE__));
 define("LIBRARY_DIR", APP_DIR."/WEB-INF/lib");
 define("TEMPLATE_DIR", APP_DIR."/WEB-INF/templates");