From 6ddd8ba0b27bb3635ada951a1fc4ced77c609573 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20M=C3=BCller?= <p.mueller@pcsg.de>
Date: Thu, 20 Sep 2018 18:06:37 +0200
Subject: [PATCH] feat: sanitizeCode

---
 ajax/frontend/redeem.php | 1 +
 src/QUI/ERP/Coupons/Handler.php | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ajax/frontend/redeem.php b/ajax/frontend/redeem.php
index b78d2ea..6ad85bd 100644
--- a/ajax/frontend/redeem.php
+++ b/ajax/frontend/redeem.php
@@ -16,6 +16,7 @@
 'package_quiqqer_coupons_ajax_frontend_redeem',
 function ($code, $orderHash) {
 try {
+ $code = Handler::sanitizeCode($code);
 $CouponCode = Handler::getCouponCodeByCode($code);
 $CouponCode->checkRedemption(QUI::getUserBySession());
 } catch (QUI\ERP\Coupons\CouponCodeException $Exception) {
diff --git a/src/QUI/ERP/Coupons/Handler.php b/src/QUI/ERP/Coupons/Handler.php
index c437abd..122cfa1 100644
--- a/src/QUI/ERP/Coupons/Handler.php
+++ b/src/QUI/ERP/Coupons/Handler.php
@@ -130,7 +130,7 @@ public static function createCouponCode($discountIds, $settings = [])
 ]);
 }

- $code = $settings['code'];
+ $code = self::sanitizeCode($settings['code']);
 } else {
 $code = CodeGenerator::generate();
 }
@@ -221,7 +221,7 @@ public static function editCouponCode($id, $discountIds, $settings = [])
 ]);
 }

- $code = $settings['code'];
+ $code = self::sanitizeCode($settings['code']);
 } else {
 $code = CodeGenerator::generate();
 }
@@ -492,6 +492,17 @@ public static function deleteRedeemedCouponCodes($days = null)
 );
 }

+ /**
+ * Sanitize coupon code and allow only certain characters
+ *
+ * @param string $code
+ * @return string
+ */
+ public static function sanitizeCode($code)
+ {
+ return preg_replace('#[^A-Za-z0-9\.\-_\*&$% ]#i', '', $code);
+ }
+
 /**
 * Get CouponCode table
 *
--
GitLab
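Review bot: `sanitizeCode` in the deleteRedeemedCouponCodes hunk declares no parameter or return type, so if the AJAX `$code` in redeem.php arrives as something other than a string (an array, say), `preg_replace` returns an array and `getCouponCodeByCode` receives it unchanged instead of the request failing at the boundary; declare it as `public static function sanitizeCode(string $code): string`. The `i` modifier is redundant because the class already lists both `A-Z` and `a-z`, and `preg_replace` returns `null` on a PCRE error, which a `string` return type would turn into a `TypeError`, so check the result for `null` (or `preg_last_error()`) before returning it rather than passing it straight through, e.g. `$sanitized = preg_replace('#[^A-Za-z0-9.\-_*&$% ]#', '', $code);`. Because a space is in the allowed set, leading and trailing whitespace survives, so `' ABC'` and `'ABC'` are created and looked up as distinct codes; trimming before the replace would make the stored and submitted forms agree. The same helper is used on `$settings['code']` in the createCouponCode and editCouponCode hunks, which inherit the same behaviour; the body of the enclosing class continues outside this hunk.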