How to filter JavaScript variables with PHP?


I have a social network and want to add PHP filters to prevent lines of code from being posted that change the site. The code that retrieves the text when the user presses the publish button is:

    $(document).on('click', '#postar_bt', function () {
        // The session id is injected by PHP when the page is rendered
        var id      = '<?= $_SESSION['id'] ?>';
        var texto   = $('.textarea_publicacao:visible').val();
        var img     = $('#post_img_nome').html();
        var preview = $('#postar_url_link').attr('href');
        var priv    = $('#postar-privacidade option:selected').val();
        var anonimo = $('#postar-anonimo').is(':checked') ? 1 : 0;
        $('.profile-box1').css('height', '50px');
        if (texto == '' && img == '') {
            alert('Você deve digitar um texto ou enviar uma imagem para postar.');
            var height_setas_background = $('.profile-box1').height();
            $('.profile-box3').css('bottom', height_setas_background + 'px');
            $('.profile-box5').css('bottom', height_setas_background + 'px');
            $('#overlay').fadeOut(300);
        } else {
            $('.verificaGif').hide();
            $('.verificaFotoVideo').hide();
            $('.profile-box1').css('height', '0px');
            $('.profile-box3').css('bottom', '0px');
            $('.profile-box5').css('bottom', '0px');
            $(this).attr('disabled', true);
            $('#postar_load').show();

            $.post('functions/postar.php',
                   {id: id, texto: texto, img: img, preview: preview, privacidade: priv, anonimo: anonimo},
                   function (resposta) {
                       // console.log(resposta);
                       // Reload only after the server has answered; reloading
                       // before the callback runs would abort the pending request
                       location.reload();
                   });
        }
    });

I tried to make the change this way:

    $(document).on('click', '#postar_bt', function () {
        var id      = '<?= $_SESSION['id'] ?>';
        var textoBeforeFilter = $('.textarea_publicacao:visible').val();
        <?php
        // This PHP runs on the server while the page is being generated,
        // long before the user types anything, so it only filters the
        // literal string "<script>document.write(textoBeforeFilter)</script>"
        $varTextoBeforeFilter = "<script>document.write(textoBeforeFilter)</script>";
        $varTexto = filter_var($varTextoBeforeFilter, FILTER_SANITIZE_STRIPPED);
        ?>
        var texto   = '<?= $GLOBALS['varTexto'] ?>';
        var img     = $('#post_img_nome').html();
        var preview = $('#postar_url_link').attr('href');
        var priv    = $('#postar-privacidade option:selected').val();
        var anonimo = $('#postar-anonimo').is(':checked') ? 1 : 0;
        $('.profile-box1').css('height', '50px');
        if (texto == '' && img == '') {
            alert('Você deve digitar um texto ou enviar uma imagem para postar.');
            var height_setas_background = $('.profile-box1').height();
            $('.profile-box3').css('bottom', height_setas_background + 'px');
            $('.profile-box5').css('bottom', height_setas_background + 'px');
            $('#overlay').fadeOut(300);
        } else {
            $('.verificaGif').hide();
            $('.verificaFotoVideo').hide();
            $('.profile-box1').css('height', '0px');
            $('.profile-box3').css('bottom', '0px');
            $('.profile-box5').css('bottom', '0px');
            $(this).attr('disabled', true);
            $('#postar_load').show();

            $.post('functions/postar.php',
                   {id: id, texto: texto, img: img, preview: preview, privacidade: priv, anonimo: anonimo},
                   function (resposta) {
                       // console.log(resposta);
                       // Reload only after the server has answered
                       location.reload();
                   });
        }
    });

The area of interest is only the top of the code. This way of retrieving the variable and filtering it caused the literal text to be printed inside the script, i.e. document.write(textoBeforeFilter).

    I have two observations: 1 - Never handle the client request on the client itself; validate it after it has been received on the server, before working with it. The client can always override its validation mechanism. 2 - The server code usually does not manipulate the client context in real time. After the server has sent the request (HTML), the server process ceases activity and is in listener mode waiting for other requests; then the client downloads the response from the server and starts its processing flow independent of the.
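A server-side handler for functions/postar.php, as an added example (not the asker's code or the commenter's), showing what the comment describes: validate the posted fields on the server and escape the text when it is rendered, rather than trying to filter it in the browser. It assumes a PDO connection in $pdo, a `posts` table, a 2000-character limit and the select option values; none of these are on the page, and the image and preview fields are left out for brevity.

```php
<?php
// Added example, not the asker's code. Assumed (not from the question):
// a PDO handle in $pdo, a `posts` table (user_id, texto, privacidade,
// anonimo), the option values of #postar-privacidade and the length limit.
declare(strict_types=1);
session_start();
const MAX_TEXTO = 2000; // assumed limit

// Validate on the server: the client-side check can always be bypassed.
function validarPost(array $post, array $session): array
{
    // Take the user id from the session, never from the request body.
    if (!isset($session['id'])) {
        return ['erro' => 'sessão inválida'];
    }
    $texto = is_string($post['texto'] ?? null) ? trim($post['texto']) : '';
    $img   = is_string($post['img'] ?? null) ? trim($post['img']) : '';
    if ($texto === '' && $img === '') {
        return ['erro' => 'texto ou imagem obrigatório'];
    }
    if (mb_strlen($texto, 'UTF-8') > MAX_TEXTO) {
        return ['erro' => 'texto muito longo'];
    }
    // Whitelist the select value instead of trusting whatever was sent.
    $privacidade = (string)($post['privacidade'] ?? '');
    if (!in_array($privacidade, ['publico', 'amigos', 'privado'], true)) {
        return ['erro' => 'privacidade inválida'];
    }
    return [
        'user_id'     => (int)$session['id'],
        'texto'       => $texto, // stored as typed; escaped on output
        'privacidade' => $privacidade,
        'anonimo'     => (($post['anonimo'] ?? '0') === '1') ? 1 : 0,
    ];
}

// Escape when rendering, so "<script>" is displayed as text, not executed.
function renderTexto(string $texto): string
{
    return nl2br(htmlspecialchars($texto, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$dados = validarPost($_POST, $_SESSION);
if (isset($dados['erro'])) {
    http_response_code(400);
    echo json_encode($dados);
    exit;
}
// Prepared statement: the text is bound as data, never concatenated into SQL.
$stmt = $pdo->prepare('INSERT INTO posts (user_id, texto, privacidade, anonimo) VALUES (?, ?, ?, ?)');
$stmt->execute([$dados['user_id'], $dados['texto'], $dados['privacidade'], $dados['anonimo']]);
echo json_encode(['ok' => true]);
```

Wherever the feed prints a post, call renderTexto() on the stored text; the client-side jQuery check can stay as a convenience, but the server no longer depends on it.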

No answers
