From: Nik Okuntseff Date: Sun, 30 Jun 2019 13:55:11 +0000 (+0000) Subject: Added user input validation for custom fields on user_add.php. X-Git-Tag: timetracker_1.19-1~4 X-Git-Url: http://wagnertech.de/git?p=timetracker.git;a=commitdiff_plain;h=e60cc9646c000aedf94c2845337532001fdb5520 Added user input validation for custom fields on user_add.php. --- diff --git a/WEB-INF/templates/footer.tpl b/WEB-INF/templates/footer.tpl index ab50afe5..8fe67f33 100644 --- a/WEB-INF/templates/footer.tpl +++ b/WEB-INF/templates/footer.tpl @@ -12,7 +12,7 @@
- {/foreach} {/if} - - diff --git a/user_add.php b/user_add.php index a3d956ea..d6a24e3a 100644 --- a/user_add.php +++ b/user_add.php @@ -172,8 +172,20 @@ if ($request->isPost()) { if (!ttValidEmail($cl_email, true)) $err->add($i18n->get('error.field'), $i18n->get('label.email')); // Require selection of a client for a client role. if ($user->isPluginEnabled('cl') && ttRoleHelper::isClientRole($cl_role_id) && !$cl_client_id) $err->add($i18n->get('error.client')); - if (!ttValidFloat($cl_rate, true)) $err->add($i18n->get('error.field'), $i18n->get('form.users.default_rate')); if (!ttValidFloat($cl_quota_percent, true)) $err->add($i18n->get('error.field'), $i18n->get('label.quota')); + // Validate input in user custom fields. + if ($custom_fields && $custom_fields->userFields) { + foreach ($custom_fields->userFields as $userField) { + $control_name = 'user_field_'.$userField['id']; + $field_label = htmlspecialchars($userField['label']); + $field_type = $userField['type']; + $required = $userField['required']; + $field_value = trim($request->getParameter($control_name)); + // Validation is the same for text and dropdown fields. + if (!ttValidString($field_value, !$required)) $err->add($i18n->get('error.field'), $field_label); + } + } + if (!ttValidFloat($cl_rate, true)) $err->add($i18n->get('error.field'), $i18n->get('form.users.default_rate')); if (!ttUserHelper::canAdd()) $err->add($i18n->get('error.user_count')); if ($err->no()) {
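Review bot: The new validation loop treats dropdown custom fields exactly like free text — `ttValidString` only checks the string shape, so a submitted dropdown value is never compared against the field's configured options, and `$field_type` is assigned but never read. If the field definition exposes its option list, add a branch that rejects a value not present in it (`in_array($field_value, $options, true)`, with `$options` taken from the field definition) before the `ttValidString` call; otherwise drop the unused `$field_type` assignment. `trim($request->getParameter($control_name))` will also emit a deprecation on PHP 8.1+ if the parameter is absent and `getParameter` returns null — `trim((string) $request->getParameter($control_name))` or a `?? ''` guard avoids that. The enclosing `if ($request->isPost())` block begins before the hunk and the `if ($err->no())` branch continues after it.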
 Anuko Time Tracker 1.19.7.5025 | Copyright © Anuko | +  Anuko Time Tracker 1.19.7.5026 | Copyright © Anuko | {$i18n.footer.credits} | {$i18n.footer.license} | {$i18n.footer.improve} diff --git a/WEB-INF/templates/user_add.tpl b/WEB-INF/templates/user_add.tpl index 3f00c359..35040f3c 100644 --- a/WEB-INF/templates/user_add.tpl +++ b/WEB-INF/templates/user_add.tpl @@ -109,8 +109,6 @@ function handleClientControl() {
{$i18n.form.users.default_rate} (0{$user->getDecimalMark()}00): {$forms.userForm.rate.control}