From b3db838445f2f941c1298d11b529c23177a71ecb Mon Sep 17 00:00:00 2001
From: seguinleo
Date: Wed, 13 Dec 2023 15:11:53 +0100
Subject: [PATCH] improve code structure

---
 src/assets/js/script.js | 7 ++++---
 src/assets/js/scriptConnect.js | 10 +++++++---
 src/assets/php/addNote.php | 2 +-
 src/assets/php/createUser.php | 2 +-
 src/assets/php/deleteAccount.php | 4 ++++
 src/assets/php/deleteNote.php | 6 +++++-
 src/assets/php/getKey.php | 4 ++++
 src/assets/php/getSharedNote.php | 2 +-
 src/assets/php/privateNote.php | 8 ++++----
 src/assets/php/publicNote.php | 8 ++++----
 src/assets/php/updateNote.php | 6 +++++-
 src/assets/php/updatePsswd.php | 4 ++++
 src/de/index.php | 1 +
 src/en/index.php | 1 +
 src/es/index.php | 1 +
 src/index.php | 1 +
 src/package-lock.json | 2 +-
 src/package.json | 2 +-
 src/share/stylePublic.css | 10 ----------
 19 files changed, 50 insertions(+), 31 deletions(-)

diff --git a/src/assets/js/script.js b/src/assets/js/script.js
index 8663de9..efe5e64 100644
--- a/src/assets/js/script.js
+++ b/src/assets/js/script.js
@@ -648,13 +648,14 @@ document.querySelector('#submitLogIn').addEventListener('click', async () => {
 });
 document.querySelector('#submitNote').addEventListener('click', async () => {
-  const colorSpan = document.querySelector('.colors span.selectionne');
-  const color = colorSpan.classList[0];
   const title = titleNote.value.trim();
   const content = contentNote.value.trim().replace(//g, '>');
+  const color = document.querySelector('.colors span.selectionne').classList[0];
   const hidden = document.querySelector('#checkHidden').checked;
   const category = document.querySelector('input[name="category"]:checked').value;
-  if (!title || title.length > 30 || content.length > 5000) return;
+
+  if (!title || title.length > 30 || content.length > 5000 || !color) return;
+
   const dbName = 'notes_db';
   const objectStoreName = 'key';
   const db = await openIndexedDB(dbName, objectStoreName);
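Review bot: The new `!color` guard on the added `if` line cannot fire for the case it is presumably meant for: when no span carries `selectionne`, `document.querySelector(...)` returns `null` and `.classList` throws a TypeError on the new `const color` line, before the guard runs, so the only case the guard catches is a matching span with an empty class list. Read the element with optional chaining so the guard actually sees `undefined`: `const color = document.querySelector('.colors span.selectionne')?.classList[0];`. The handler body continues past the end of the hunk.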
diff --git a/src/assets/js/scriptConnect.js b/src/assets/js/scriptConnect.js
index 98652a0..7fd78dc 100644
--- a/src/assets/js/scriptConnect.js
+++ b/src/assets/js/scriptConnect.js
@@ -667,15 +667,17 @@ document.querySelector('#submitNote').addEventListener('click', async () => {
   const idNote = document.querySelector('#idNote').value;
   const titleBrut = titleNote.value.trim();
   const contentBrut = contentNote.value.trim().replace(//g, '>');
-  if (!titleBrut || titleBrut.length > 30 || contentBrut.length > 5000) return;
   const title = encodeURIComponent(titleBrut);
   const content = encodeURIComponent(contentBrut);
-  const colorSpan = document.querySelector('.colors span.selectionne');
-  const color = encodeURIComponent(colorSpan.classList[0]);
+  const color = encodeURIComponent(document.querySelector('.colors span.selectionne').classList[0]);
   const date = new Date().toISOString().slice(0, 19).replace('T', ' ');
   const hidden = document.querySelector('#checkHidden').checked ? '1' : '0';
   const category = document.querySelector('input[name="category"]:checked').value;
   const link = encodeURIComponent(document.querySelector('#checkLink').value);
+
+  if (!titleBrut || !color || !date || titleBrut.length > 30 || contentBrut.length > 5000) return;
+  if (isUpdate && !idNote) return;
+
   const data = isUpdate ? `noteId=${idNote}&title=${title}&content=${content}&color=${color}&date=${date}&hidden=${hidden}&category=${category}&link=${link}&csrf_token_note=${document.querySelector('#csrf_token_note').value}` : `title=${title}&content=${content}&color=${color}&date=${date}&hidden=${hidden}&category=${category}&csrf_token_note=${document.querySelector('#csrf_token_note').value}`;
   const url = isUpdate ? '/seguinleo-notes/assets/php/updateNote.php' : '/seguinleo-notes/assets/php/addNote.php';
   const response = await fetch(url, {
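Review bot: The `!color` test on the added guard line is dead as written: `color` is already the output of `encodeURIComponent(...)`, and `encodeURIComponent(undefined)` is the non-empty string `'undefined'`, so a selected span with no class is accepted and `color=undefined` is posted to the server, while a missing span throws on `.classList` before the guard runs. `!date` is likewise always false, since `toISOString()` never yields an empty string. Validate the raw value before encoding: `const colorBrut = document.querySelector('.colors span.selectionne')?.classList[0];`, then `if (!titleBrut || !colorBrut || titleBrut.length > 30 || contentBrut.length > 5000) return;`, and `const color = encodeURIComponent(colorBrut);` after the guard. Note that `idNote`, `hidden` and `category` are interpolated into `data` without encoding and so rely entirely on the server-side type checks; the handler continues outside the hunk.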
@@ -732,6 +734,7 @@ document.querySelector('#submitChangePsswd').addEventListener('click', async ()
 document.querySelector('#submitPrivateNote').addEventListener('click', async () => {
   const id = document.querySelector('#idNotePrivate').value;
   const link = document.querySelector('#linkNotePrivate').value;
+  if (!id || !link) return;
   try {
     const response = await fetch('/seguinleo-notes/assets/php/privateNote.php', {
       method: 'POST',
@@ -751,6 +754,7 @@ document.querySelector('#submitPrivateNote').addEventListener('click', async ()
 document.querySelector('#submitPublicNote').addEventListener('click', async () => {
   const id = document.querySelector('#idNotePublic').value;
+  if (!id) return;
   const link = window.crypto.getRandomValues(new Uint8Array(10)).reduce((p, i) => p + (i % 36).toString(36), '');
   try {
     const response = await fetch('/seguinleo-notes/assets/php/publicNote.php', {
diff --git a/src/assets/php/addNote.php b/src/assets/php/addNote.php
index 0ae594a..9214590 100644
--- a/src/assets/php/addNote.php
+++ b/src/assets/php/addNote.php
@@ -5,7 +5,7 @@
     http_response_code(403);
     return;
 }
-if (isset($_SESSION['name'], $_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
+if (isset($_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
     http_response_code(403);
     return;
 }
diff --git a/src/assets/php/createUser.php b/src/assets/php/createUser.php
index 4256903..38b1e24 100644
--- a/src/assets/php/createUser.php
+++ b/src/assets/php/createUser.php
@@ -28,7 +28,7 @@
         [
             ':nameCreate' => $nameCreate,
             ':psswdHash' => $psswdCreateHash,
-            ':OneKey' => htmlspecialchars($key)
+            ':OneKey' => htmlspecialchars($key, ENT_QUOTES, 'UTF-8'),
         ]
     );
 } catch (Exception $e) {
diff --git a/src/assets/php/deleteAccount.php b/src/assets/php/deleteAccount.php
index 43fe0a9..379b2ca 100644
--- a/src/assets/php/deleteAccount.php
+++ b/src/assets/php/deleteAccount.php
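Review bot: `(i % 36)` on the context line that builds `link` is a biased mapping: 256 = 7·36 + 4, so the digits `0`–`3` come up about 14% more often than the other 32, shaving entropy off a token that `publicNote.php` in this same commit turns into a directory name under `share/`. The new `if (!id) return;` does not touch this, but while the handler is being hardened consider an unbiased source such as `const link = window.crypto.randomUUID().replaceAll('-', '');` (hex, 32 characters, so check the column width and any server-side pattern first), or rejection-sample and discard bytes `>= 252` before the modulo. The handler body continues past the hunk.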
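Review bot: With `$_SESSION['name']` dropped from the `isset()` on the changed line, this hunk no longer shows that the request is authenticated; it now depends on the block closed by the `}` above it (lines 1–4 are outside the hunk), so please confirm that block checks `$_SESSION['name']` and `$_SESSION['userId']` the way `deleteNote.php` does in this commit. Separately, `isset()` is satisfied by arrays (`title[]=x`), so `title`, `content`, `date`, `color` and `hidden` reach the code below untyped while the other endpoints gained `is_string`/`is_numeric` checks; for consistency add `if (!is_string($_POST['title']) || !is_string($_POST['content']) || !is_string($_POST['date']) || !is_string($_POST['color']) || !is_string($_POST['hidden'])) {` with the same `http_response_code(403); return;` body. `$_POST['date']` is also a client-chosen timestamp, which the server should be setting itself.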
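Review bot: `htmlspecialchars($key, ENT_QUOTES, 'UTF-8')` on the changed line escapes at storage time rather than at output, which ties the persisted key to an HTML context: if `$key` can contain `&`, `"`, `'`, `<` or `>` the stored value no longer equals the key the client expects back, and if it cannot (hex or base64, which the hunk does not show) the call is a no-op that misleads the reader into thinking the value is sanitised. Bind the raw value, `':OneKey' => $key,`, and escape where the key is rendered into HTML, if it ever is. The `execute([...])` call and its `try` begin above the hunk.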
@@ -6,6 +6,10 @@
     http_response_code(403);
     return;
 }
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false) {
+    http_response_code(403);
+    return;
+}
 require_once __DIR__ . '/config/config.php';
diff --git a/src/assets/php/deleteNote.php b/src/assets/php/deleteNote.php
index d71b3ea..d8e0fff 100644
--- a/src/assets/php/deleteNote.php
+++ b/src/assets/php/deleteNote.php
@@ -2,7 +2,11 @@
 session_name('__Secure-notes');
 session_start();
-if (isset($_SESSION['name'], $_POST['noteId']) === false) {
+if (isset($_SESSION['name'], $_SESSION['userId'], $_POST['noteId']) === false) {
+    http_response_code(403);
+    return;
+}
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false || is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }
diff --git a/src/assets/php/getKey.php b/src/assets/php/getKey.php
index 61f09bd..d88e381 100644
--- a/src/assets/php/getKey.php
+++ b/src/assets/php/getKey.php
@@ -6,6 +6,10 @@
     http_response_code(403);
     return;
 }
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false) {
+    http_response_code(403);
+    return;
+}
 require_once __DIR__ . '/config/config.php';
diff --git a/src/assets/php/getSharedNote.php b/src/assets/php/getSharedNote.php
index 4a813d2..2990dcb 100644
--- a/src/assets/php/getSharedNote.php
+++ b/src/assets/php/getSharedNote.php
@@ -3,7 +3,7 @@
     http_response_code(403);
     return;
 }
-if (preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) === false) {
+if (is_string($_POST['noteLink']) === false) {
     http_response_code(403);
     return;
 }
diff --git a/src/assets/php/privateNote.php b/src/assets/php/privateNote.php
index a683f74..464f229 100644
--- a/src/assets/php/privateNote.php
+++ b/src/assets/php/privateNote.php
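Review bot: `is_int($_SESSION['userId']) === false` on the added check will 403 every user if the login code stores the id as it comes back from PDO, which for MySQL is a numeric string unless prepared-statement emulation is off or the value is cast; the login path is not in this diff, so confirm it does `(int)` before assigning to the session, or accept both here with `filter_var($_SESSION['userId'], FILTER_VALIDATE_INT) === false`. The same four lines are added to `getKey.php` and `updatePsswd.php` in this commit and the same caveat applies. The two blank context lines around `require_once` appear to have been lost in rendering, which is why the hunk counts do not add up here.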
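Review bot: `is_numeric($_POST['noteId'])` on the second added `if` accepts `'1.5'`, `'1e3'`, `' 7'` and `'-1'`; whether that matters depends on how `noteId` is bound below the hunk (not visible), but if it is meant to be an integer primary key a stricter validator avoids PHP and the database reading the same value differently: `if (... || filter_var($_POST['noteId'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {`. The split into two `if` blocks is a good call, since `is_string()` on an unset key would otherwise raise a warning before the 403.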
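Review bot: The replaced line in `getSharedNote.php` trades one non-check for another: the old `preg_match(...) === false` never rejected anything (a non-match returns `0`; `false` only signals a PCRE error), and the new `is_string()` accepts `../`, `/`, NUL bytes and anything else, so `noteLink` is still unconstrained when it reaches the code below the hunk. If the intent is a lowercase alphanumeric token, as the old pattern and the `(i % 36).toString(36)` generator in `scriptConnect.js` suggest, the check the old line was trying to write is `if (preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) !== 1) {`. Keep the `is_string()` test in front of it, since PHP 8 throws a TypeError when `preg_match` receives an array.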
@@ -2,11 +2,11 @@
 session_name('__Secure-notes');
 session_start();
-if (isset($_SESSION['name'], $_POST['noteId'], $_POST['noteLink']) === false) {
+if (isset($_SESSION['name'], $_SESSION['userId'], $_POST['noteId'], $_POST['noteLink']) === false) {
     http_response_code(403);
     return;
 }
-if (preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) === false) {
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false || is_string($_POST['noteLink']) === false || is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }
@@ -32,9 +32,9 @@
         http_response_code(403);
         return;
     }
-    $directoryPath = '../../share/' . htmlspecialchars($noteLink);
+    $directoryPath = realpath(__DIR__ . '/../../share/') . '/' . $noteLink;
     if (is_dir($directoryPath)) {
-        $files = glob($directoryPath . '/*.*');
+        $files = glob($directoryPath . '/index.html');
         if ($files === false) {
             http_response_code(403);
             return;
diff --git a/src/assets/php/publicNote.php b/src/assets/php/publicNote.php
index a6c29f2..cd24a93 100644
--- a/src/assets/php/publicNote.php
+++ b/src/assets/php/publicNote.php
@@ -2,11 +2,11 @@
 session_name('__Secure-notes');
 session_start();
-if (isset($_SESSION['name'], $_POST['noteId'], $_POST['noteLink']) === false) {
+if (isset($_SESSION['name'], $_SESSION['userId'], $_POST['noteId'], $_POST['noteLink']) === false) {
     http_response_code(403);
     return;
 }
-if (preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) === false) {
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false || is_string($_POST['noteLink']) === false || is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }
@@ -32,7 +32,7 @@
         http_response_code(403);
         return;
     }
-    $directoryPath = '../../share/' . htmlspecialchars($noteLink);
+    $directoryPath = realpath(__DIR__ . '/../../share/') . '/' . $noteLink;
     if (is_dir($directoryPath) === false) {
         if (mkdir($directoryPath, 0755, true)) {
             $index = fopen($directoryPath . '/index.html', 'w');
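Review bot: The second changed line of `privateNote.php` replaces `preg_match('/^[a-z0-9]+$/', ...)` with `is_string()`, so `$_POST['noteLink']` is now accepted containing `/`, `..` and NUL bytes, and the `-32` hunk of this same file concatenates it into a filesystem path. The old test was itself broken (`=== false` only catches PCRE errors; a non-match returns `0`), which may be why it was removed, but the repair is `preg_match('/^[a-z0-9]+$/', $_POST['noteLink']) !== 1` placed after the `is_string()` test, not dropping the pattern. Unless the lines between the two hunks verify `$noteLink` against the database row owned by `$_SESSION['userId']`, the path built below is attacker-controlled.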
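Review bot: The changed `$directoryPath` line in `privateNote.php` concatenates `realpath()` of the parent with the raw `$noteLink`; `realpath()` returns `false` when `share/` does not exist, which stringifies to `''` and turns the path into `'/' . $noteLink`, and since this commit reduced the `noteLink` check to `is_string()`, `../` segments walk out of `share/` into any directory where `is_dir()` succeeds, after which the `glob(... '/index.html')` result is presumably unlinked below the hunk (not visible). Resolve the base directory once, reject a `false` result, and constrain `$noteLink` before concatenating; the replacement for the single assignment follows. The enclosing block starts before the hunk and continues after it.

```php
$shareDir = realpath(__DIR__ . '/../../share');
// realpath() yields false when the directory is missing; never fall through to '/' . $noteLink
if ($shareDir === false || preg_match('/^[a-z0-9]+$/', $noteLink) !== 1) {
    http_response_code(403);
    return;
}
$directoryPath = $shareDir . '/' . $noteLink;
// … unchanged: is_dir / glob / file handling …
```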
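Review bot: Same construction in `publicNote.php`: if `realpath()` returns `false` the changed line yields `'/' . $noteLink`, and `mkdir($directoryPath, 0755, true)` on the next context line then creates that directory recursively wherever the web-server user can write, with a `$noteLink` that this commit now validates only with `is_string()`. The client generates the link from `(i % 36).toString(36)`, so the legitimate alphabet is `[a-z0-9]`; reject anything else and the `false` case before building the path: `$shareDir = realpath(__DIR__ . '/../../share');` / `if ($shareDir === false || preg_match('/^[a-z0-9]+$/', $noteLink) !== 1) { http_response_code(403); return; }` / `$directoryPath = $shareDir . '/' . $noteLink;`. The block around this assignment starts and ends outside the hunk.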
@@ -51,9 +51,9 @@ - +
diff --git a/src/assets/php/updateNote.php b/src/assets/php/updateNote.php
index e283e90..6f417fd 100644
--- a/src/assets/php/updateNote.php
+++ b/src/assets/php/updateNote.php
@@ -5,7 +5,11 @@
     http_response_code(403);
     return;
 }
-if (isset($_SESSION['name'], $_POST['noteId'], $_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
+if (isset($_POST['noteId'], $_POST['title'], $_POST['content'], $_POST['date'], $_POST['color'], $_POST['hidden']) === false) {
+    http_response_code(403);
+    return;
+}
+if (is_numeric($_POST['noteId']) === false) {
     http_response_code(403);
     return;
 }
diff --git a/src/assets/php/updatePsswd.php b/src/assets/php/updatePsswd.php
index 913193c..e43302a 100644
--- a/src/assets/php/updatePsswd.php
+++ b/src/assets/php/updatePsswd.php
@@ -10,6 +10,10 @@
     http_response_code(403);
     return;
 }
+if (is_string($_SESSION['name']) === false || is_int($_SESSION['userId']) === false) {
+    http_response_code(403);
+    return;
+}
 require_once __DIR__ . '/config/config.php';
diff --git a/src/de/index.php b/src/de/index.php
index 8f14ed1..cf5af8d 100644
--- a/src/de/index.php
+++ b/src/de/index.php
@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));
diff --git a/src/en/index.php b/src/en/index.php
index b1afc34..359136b 100644
--- a/src/en/index.php
+++ b/src/en/index.php
@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));
diff --git a/src/es/index.php b/src/es/index.php
index a7e7d72..903868f 100644
--- a/src/es/index.php
+++ b/src/es/index.php
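Review bot: The added `is_numeric($_POST['noteId'])` check in `updateNote.php` accepts floats, exponents and leading whitespace (`'1.0'`, `'1e2'`, `' 3'`); if `noteId` is bound as an integer below the hunk, `if (filter_var($_POST['noteId'], FILTER_VALIDATE_INT) === false) {` keeps PHP and the database from reading the same value two ways, and matches what `deleteNote.php` should use too. `$_SESSION['name']` was also removed from the `isset()` on the changed line, so authentication now rests on the block closed above the hunk (lines 1–4 not visible); please confirm it checks the session. `title`, `content`, `color` and `hidden` remain `isset()`-only, so arrays pass, and `$_POST['date']` is a client-supplied timestamp (`scriptConnect.js` builds it from `new Date()`) that the server should set itself rather than trust.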
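Review bot: `session_regenerate_id()` on the added line is called without `delete_old_session`, so the previous session id stays resolvable until garbage collection and anyone holding it (a fixated id) keeps whatever state that session held at the moment of the swap. It also runs on every page load rather than at the privilege change: fixation is defeated by regenerating after a successful login, and per-request regeneration races with concurrent `fetch()` calls from the app's scripts that still present the old cookie. Prefer `session_regenerate_id(true);` in the login handler once the password check passes, and leave `index.php` to `session_start()` alone. The identical line is added to `en/`, `es/` and the root `index.php` in this commit, and the same applies to each.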
@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));
diff --git a/src/index.php b/src/index.php
index 539b66f..0818f01 100644
--- a/src/index.php
+++ b/src/index.php
@@ -9,6 +9,7 @@
 ];
 session_set_cookie_params($cookieParams);
 session_start();
+session_regenerate_id();
 if (isset($_SESSION['name']) === false) {
     $_SESSION['csrf_token_connect'] = bin2hex(random_bytes(32));
diff --git a/src/package-lock.json b/src/package-lock.json
index 24de210..0f76bec 100644
--- a/src/package-lock.json
+++ b/src/package-lock.json
@@ -13,7 +13,7 @@
         "eslint-config-airbnb-base": "^15.0.0",
         "eslint-plugin-import": "^2.29.0",
         "sass": "^1.69.5",
-        "typescript": "^5.3.0"
+        "typescript": "^5.3.3"
       }
     },
     "node_modules/@aashutoshrathi/word-wrap": {
diff --git a/src/package.json b/src/package.json
index 9fd2aa3..8fba70d 100644
--- a/src/package.json
+++ b/src/package.json
@@ -13,6 +13,6 @@
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-plugin-import": "^2.29.0",
     "sass": "^1.69.5",
-    "typescript": "^5.3.0"
+    "typescript": "^5.3.3"
   }
 }
diff --git a/src/share/stylePublic.css b/src/share/stylePublic.css
index edc2a82..a7cc4a5 100644
--- a/src/share/stylePublic.css
+++ b/src/share/stylePublic.css
@@ -260,16 +260,6 @@ img {
   margin-left: -2.4rem;
 }
-footer {
-  font-size: .8rem;
-  text-align: center;
-  width: 100%;
-  -webkit-user-select: none;
-  user-select: none;
-  position: fixed;
-  bottom: 1rem;
-}
-
 @media(max-width: 900px) {
   body {
     padding: 10px;