improve code structure

src/assets/js/script.js

@@ -648,13 +648,14 @@ document.querySelector('#submitLogIn').addEventListener('click', async () => {
 });
 
 document.querySelector('#submitNote').addEventListener('click', async () => {
-  const colorSpan = document.querySelector('.colors span.selectionne');
-  const color = colorSpan.classList[0];
   const title = titleNote.value.trim();
   const content = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  const color = document.querySelector('.colors span.selectionne').classList[0];
   const hidden = document.querySelector('#checkHidden').checked;
   const category = document.querySelector('input[name="category"]:checked').value;
-  if (!title || title.length > 30 || content.length > 5000) return;
+
+  if (!title || title.length > 30 || content.length > 5000 || !color) return;
+
   const dbName = 'notes_db';
   const objectStoreName = 'key';
   const db = await openIndexedDB(dbName, objectStoreName);

src/assets/js/scriptConnect.js

@@ -667,15 +667,17 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
     const idNote = document.querySelector('#idNote').value;
     const titleBrut = titleNote.value.trim();
     const contentBrut = contentNote.value.trim().replace(/</g, '&lt;').replace(/>/g, '&gt;');
-    if (!titleBrut || titleBrut.length > 30 || contentBrut.length > 5000) return;
     const title = encodeURIComponent(titleBrut);
     const content = encodeURIComponent(contentBrut);
-    const colorSpan = document.querySelector('.colors span.selectionne');
-    const color = encodeURIComponent(colorSpan.classList[0]);
+    const color = encodeURIComponent(document.querySelector('.colors span.selectionne').classList[0]);
     const date = new Date().toISOString().slice(0, 19).replace('T', ' ');
     const hidden = document.querySelector('#checkHidden').checked ? '1' : '0';
     const category = document.querySelector('input[name="category"]:checked').value;
     const link = encodeURIComponent(document.querySelector('#checkLink').value);
+
+    if (!titleBrut || !color || !date || titleBrut.length > 30 || contentBrut.length > 5000) return;
+    if (isUpdate && !idNote) return;
+
     const data = isUpdate ? `noteId=${idNote}&title=${title}&content=${content}&color=${color}&date=${date}&hidden=${hidden}&category=${category}&link=${link}&csrf_token_note=${document.querySelector('#csrf_token_note').value}` : `title=${title}&content=${content}&color=${color}&date=${date}&hidden=${hidden}&category=${category}&csrf_token_note=${document.querySelector('#csrf_token_note').value}`;
     const url = isUpdate ? '/seguinleo-notes/assets/php/updateNote.php' : '/seguinleo-notes/assets/php/addNote.php';
     const response = await fetch(url, {
@@ -732,6 +734,7 @@ document.querySelector('#submitChangePsswd').addEventListener('click', async ()
 document.querySelector('#submitPrivateNote').addEventListener('click', async () => {
   const id = document.querySelector('#idNotePrivate').value;
   const link = document.querySelector('#linkNotePrivate').value;
+  if (!id || !link) return;
   try {
     const response = await fetch('/seguinleo-notes/assets/php/privateNote.php', {
       method: 'POST',
@@ -751,6 +754,7 @@ document.querySelector('#submitPrivateNote').addEventListener('click', async ()
 
 document.querySelector('#submitPublicNote').addEventListener('click', async () => {
   const id = document.querySelector('#idNotePublic').value;
+  if (!id) return;
   const link = window.crypto.getRandomValues(new Uint8Array(10)).reduce((p, i) => p + (i % 36).toString(36), '');
   try {
     const response = await fetch('/seguinleo-notes/assets/php/publicNote.php', {

src/assets/php/addNote.php

@@ -5,7 +5,7 @@
     http_response_code(403);
     return;
 }
-if (isset($_SESSION['name'], $_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
+if (isset($_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
     http_response_code(403);
     return;
 }

src/assets/php/createUser.php

@@ -28,7 +28,7 @@
         [
             ':nameCreate' => $nameCreate,
             ':psswdHash'  => $psswdCreateHash,
-            ':OneKey'     => htmlspecialchars($key)
+            ':OneKey'     => htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
         ]
     );
 } catch (Exception $e) {

src/assets/php/deleteAccount.php

@@ -6,6 +6,10 @@
     http_response_code(403);
     return;
 }
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false) {
+    http_response_code(403);
+    return;
+}
 
 require_once __DIR__ . '/config/config.php';
 

src/assets/php/deleteNote.php

@@ -2,7 +2,11 @@
 session_name('__Secure-notes');
 session_start();
 
-if (isset($_SESSION['name'], $_POST['noteId']) === false) {
+if (isset($_SESSION['name'], $_SESSION['userId'], $_POST['noteId']) === false) {
+    http_response_code(403);
+    return;
+}
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false || is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }

src/assets/php/getKey.php

@@ -6,6 +6,10 @@
     http_response_code(403);
     return;
 }
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false) {
+    http_response_code(403);
+    return;
+}
 
 require_once __DIR__ . '/config/config.php';
 

src/assets/php/getSharedNote.php

@@ -3,7 +3,7 @@
     http_response_code(403);
     return;
 }
-if (preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) === false) {
+if (is_string($_POST['noteLink']) === false) {
     http_response_code(403);
     return;
 }

src/assets/php/privateNote.php

@@ -2,11 +2,11 @@
 session_name('__Secure-notes');
 session_start();
 
-if (isset($_SESSION['name'], $_POST['noteId'], $_POST['noteLink']) === false) {
+if (isset($_SESSION['name'], $_SESSION['userId'], $_POST['noteId'], $_POST['noteLink']) === false) {
     http_response_code(403);
     return;
 }
-if (preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) === false) {
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false || is_string($_POST['noteLink']) === false || is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }
@@ -32,9 +32,9 @@
         http_response_code(403);
         return;
     }
-    $directoryPath = '../../share/' . htmlspecialchars($noteLink);
+    $directoryPath = realpath(__DIR__ . '/../../share/') . '/' . $noteLink;
     if (is_dir($directoryPath)) {
-        $files = glob($directoryPath . '/*.*');
+        $files = glob($directoryPath . '/index.html');
         if ($files === false) {
             http_response_code(403);
             return;

src/assets/php/publicNote.php

@@ -2,11 +2,11 @@
 session_name('__Secure-notes');
 session_start();
 
-if (isset($_SESSION['name'], $_POST['noteId'], $_POST['noteLink']) === false) {
+if (isset($_SESSION['name'], $_SESSION['userId'], $_POST['noteId'], $_POST['noteLink']) === false) {
     http_response_code(403);
     return;
 }
-if (preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) === false) {
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false || is_string($_POST['noteLink']) === false || is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }
@@ -32,7 +32,7 @@
         http_response_code(403);
         return;
     }
-    $directoryPath = '../../share/' . htmlspecialchars($noteLink);
+    $directoryPath = realpath(__DIR__ . '/../../share/') . '/' . $noteLink;
     if (is_dir($directoryPath) === false) {
         if (mkdir($directoryPath, 0755, true)) {
             $index = fopen($directoryPath . '/index.html', 'w');
@@ -51,9 +51,9 @@
                 <link rel="shortcut icon" href="/seguinleo-notes/favicon.ico" type="image/x-icon">
                 <meta name="viewport" content="width=device-width, initial-scale=1">
                 <meta name="theme-color" content="#171717">
-                <meta http-equiv="Content-Security-Policy" content="default-src 'none'; connect-src 'self'; font-src 'self' https://cdnjs.cloudflare.com/; form-action 'self'; img-src http:; manifest-src 'self'; script-src 'self'; script-src-attr 'none'; script-src-elem 'self'; style-src 'self' https://cdnjs.cloudflare.com/; style-src-attr 'none'; style-src-elem 'self' https://cdnjs.cloudflare.com/; worker-src 'self'">
                 <meta name="apple-mobile-web-app-capable" content="yes">
                 <meta name="apple-mobile-web-app-status-bar-style" content="#171717">
+                <meta http-equiv="Content-Security-Policy" content="default-src 'none'; connect-src 'self'; font-src 'self' https://cdnjs.cloudflare.com/; form-action 'self'; img-src http:; manifest-src 'self'; script-src 'self'; script-src-attr 'none'; script-src-elem 'self'; style-src 'self' https://cdnjs.cloudflare.com/; style-src-attr 'none'; style-src-elem 'self' https://cdnjs.cloudflare.com/; worker-src 'self'">
                 <link rel="stylesheet" href="/seguinleo-notes/share/stylePublic.css">
                 <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css">
             </head>

src/assets/php/updateNote.php

@@ -5,7 +5,11 @@
     http_response_code(403);
     return;
 }
-if (isset($_SESSION['name'], $_POST['noteId'], $_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
+if (isset($_POST['noteId'], $_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
+    http_response_code(403);
+    return;
+}
+if (is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }

src/assets/php/updatePsswd.php

@@ -10,6 +10,10 @@
     http_response_code(403);
     return;
 }
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false) {
+    http_response_code(403);
+    return;
+}
 
 require_once __DIR__ . '/config/config.php';
 

src/de/index.php

@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));

src/en/index.php

@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));

src/es/index.php

@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));

src/index.php

@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));

src/package.json

@@ -13,6 +13,6 @@
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-plugin-import": "^2.29.0",
     "sass": "^1.69.5",
-    "typescript": "^5.3.0"
+    "typescript": "^5.3.3"
   }
 }

src/share/stylePublic.css

@@ -260,16 +260,6 @@ img {
   margin-left: -2.4rem;
 }
 
-footer {
-  font-size: .8rem;
-  text-align: center;
-  width: 100%;
-  -webkit-user-select: none;
-  user-select: none;
-  position: fixed;
-  bottom: 1rem;
-}
-
 @media(max-width: 900px) {
   body {
     padding: 10px;