fix(formulaire): remove htmlspecialchars from sanitize_string + delete dead $problematique

HTML-escaping at write time stores &, < etc. in the DB, corrupting full-text
search, tag matching, exports, and any non-HTML consumer. PDO parameterised queries
already prevent SQL injection; templates call htmlspecialchars() on output.

sanitize_string() now does strip_tags(trim()) only — matching the pattern already
used by edit.php which never had this bug.

Also deleted the dead $problematique variable (read from POST[problématique] but
never passed to any INSERT or used anywhere in the codebase).
Pontoporeia
2026-03-27 23:16:12 +01:00
parent f37069720a
commit b0632b4772
2 changed files with 7 additions and 6 deletions


@@ -25,7 +25,9 @@ require_once __DIR__ . '/../../src/Database.php';
// Helper function to sanitize string input
function sanitize_string($input) {
return htmlspecialchars(strip_tags(trim($input)), ENT_QUOTES, 'UTF-8');
// Trim and strip raw HTML tags only — htmlspecialchars belongs at render time, not storage time.
// PDO parameterised queries handle SQL injection; the templates call htmlspecialchars() on output.
return strip_tags(trim($input));
}
// Helper function to validate required field
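Review bot: strip_tags() is still a lossy, storage-time transformation, so the same class of problem the commit message describes for htmlspecialchars() remains for any legitimate input containing a bare "<" (for example a synopsis with "a < b" or a stray "<3"), which PHP's strip_tags will truncate from that character onward. If the aim is to store what the user typed and escape only on output, the sanitizer should probably be trim($input) alone, or the remaining strip_tags call should be justified in the comment as intentional content policy rather than as a security control. Either way, since the security property now rests entirely on output escaping, it would be worth listing in the commit which render paths (templates, exports, any non-HTML consumers mentioned in the message) were checked for htmlspecialchars() on these fields, and the leading comment "Helper function to sanitize string input" could be tightened to say what the function does now.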
@@ -81,7 +83,6 @@ try {
$titre = validate_required(sanitize_string($_POST["titre"] ?? ''), "Titre du mémoire");
$subtitle = sanitize_string($_POST["subtitle"] ?? '');
$synopsis = validate_required(sanitize_string($_POST["synopsis"] ?? ''), "Synopsis");
$problematique = sanitize_string($_POST["problématique"] ?? '');
$durationInfo = sanitize_string($_POST["duration_info"] ?? '');
// Jury members
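Review bot: deleting the $problematique assignment is fine, but the commit message asserts that POST["problématique"] is never used anywhere in the codebase, and the hunk itself only shows this one reader going away. Please mention in the message (or the PR description) how that was verified, for instance a search for both "problématique" and "problematique", and whether the corresponding form input is also being removed or left in place as an ignored field. Note as well that the key uses an accented character; if the form control or any other code spells it without the accent, a search for only one variant would miss it.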