0

消息系统使用相同的功能来发送和回复消息。一位用户向另一位用户发送消息,主题为:“just testing £69 $100 @ ha”。并且消息包含文本、php 和 html。PHP 被 CI xss_clean 剥离,html 被系统阻止/替换。它被发送而没有错误。其他用户收到它,打开它并尝试用 47 个字符的纯文本进行回复。CI 表单验证类阻止它并显示错误:主题必须小于 1000 个字符。第一个也是最重要的问题是它不应该触发验证错误。其次 CI 形式 val。已将主题设置为最大值。30 个字符,并且消息设置为最大 1000 个字符 - 所以错误消息也是不正确的。我的预感是该主题中的一个角色是令人不安的 CI 形式 val。但是当原始消息发送时它并没有打扰它!

这是表单中的相关代码;

<form name="sendmessage" method="POST" action="<? echo base_url(); ?>user/messaging/sendmessage/">
        <input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
        <input type="hidden" name="recipiant" value="<? echo $message['mem_msg_from_id']; ?>" />
        <input type="hidden" name="thread" value="<? echo $message['mem_msg_thread_id']; ?>" />
        <? if(substr($message['mem_msg_subject'],3) == 'Re:'){$subject = $message['mem_msg_subject'];}else{$subject = 'Re: ' . $message['mem_msg_subject'];} ?>
        <input type="hidden" name="subject" value="<? echo ucfirst($subject); ?>">

这是控制器代码;

 public function sendmessage(){
    if($this->input->is_ajax_request()){ // ajax request only
        $subject = $this->input->post('subject',TRUE);
        $message = $this->input->post('message',TRUE);
        $recipiant = $this->input->post('recipiant',TRUE);
        $thread_id = $this->input->post('thread',TRUE);

        $subject_val = $this->form_validation->set_rules('subject', 'Subject', 'required|min_length[3]|max_length[30]');
        $subject_req_error = $this->form_validation->set_message('required', 'A %s is required!');
        $subject_min_error = $this->form_validation->set_message('min_length', '%s must be at least 3 characters!');
        $subject_max_error = $this->form_validation->set_message('max_length', '%s must be under 30 characters!');

        $message_val = $this->form_validation->set_rules('message', 'Message', 'required|min_length[5]|max_length[1000]');
        $message_req_error = $this->form_validation->set_message('required', 'A %s is required!');
        $message_min_error = $this->form_validation->set_message('min_length', '%s must be at least 5 characters!');
        $message_max_error = $this->form_validation->set_message('max_length', '%s must be under 1000 characters!');

        $this->form_validation->set_error_delimiters('<div class="pull-left">','&nbsp;</div><br>');


        if ($this->form_validation->run() == FALSE){ // FAILED TRY AGAIN
            echo '<div style="font-weight: bold; color: red;">' . form_error('subject') . form_error('message') . '</div>';
        }else{ // ALL SEEMS TO BE IN ORDER HERE

            // clean it up a bit
            $subject = str_replace('<', '', $subject);
            $subject = str_replace('>', '' , $subject);
            $subject = auto_link($subject, 'both', TRUE);

            $message = str_replace('<', '', $message);
            $message = str_replace('>', '' , $message);
            $message = auto_link($message, 'both', TRUE);

            // stick it in the database
            $db = $this->user_messaging_model->sendMessage($this->userinfo['user_id'], $recipiant, $subject, $message, $thread_id);

            echo 'sent';
        }
     }

}
4

1 回答 1

0

您正在覆盖分配给规则的消息。

请注意,这符合$this->form_validation->set_message规则。不是,每个字段每个规则。因此,当您$this->form_validation->set_message('max_length'...第二次设置时,它会覆盖分配给“max_length”要求的初始消息。

一般来说,您不需要为这些设置消息,codeigniter 本身会根据您的要求生成一个体面的错误消息。

在我的工作流程中,我通常使用set_message函数为我们在表单字段上执行的自定义回调验证生成消息。

于 2013-03-06T03:12:13.933 回答