From 58b341857c056db03999e9a79404ffcffe153ec4 Mon Sep 17 00:00:00 2001
From: Till Brehm <tbrehm@ispconfig.org>
Date: Tue, 8 Oct 2019 18:26:11 +0200
Subject: [PATCH] Implemented #5420 Improve input filters for Tools > Interface
 settings

---
 interface/web/admin/form/users.tform.php             | 12 ++++++++++++
 interface/web/admin/lib/lang/en_users.lng            |  4 ++++
 .../web/tools/form/interface_settings.tform.php      | 12 ++++++++++++
 interface/web/tools/interface_settings.php           |  5 +++--
 interface/web/tools/lib/lang/en_interface.lng        |  4 ++++
 5 files changed, 35 insertions(+), 2 deletions(-)

diff --git a/interface/web/admin/form/users.tform.php b/interface/web/admin/form/users.tform.php
index 6a23559f12..b7f00b4eef 100644
--- a/interface/web/admin/form/users.tform.php
+++ b/interface/web/admin/form/users.tform.php
@@ -199,6 +199,12 @@ $form['tabs']['users'] = array (
 		'startmodule' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'SELECT',
+			'validators' => array (  0 => array (    'type' => 'NOTEMPTY',
+					'errmsg'=> 'startmodule_empty'),
+				1 => array (    'type' => 'REGEX',
+					'regex' => '/^[a-z0-9\_]{0,64}$/',
+					'errmsg'=> 'startmodule_regex'),
+			),
 			'regex'  => '',
 			'errmsg' => '',
 			'default' => '',
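Review bot: The REGEX validator on L26 is looser than it looks: `{0,64}` admits the empty string (already rejected by the NOTEMPTY validator above it) and, because PCRE `$` also matches before a final newline, a value ending in `\n` passes too. `'regex' => '/^[a-z0-9_]{1,64}\z/'` (the `\_` escape is unnecessary) states the intended "one to 64 lowercase alphanumerics or underscores" exactly. The same pattern is added at L32-44, L62-74 and L75-87 and should be tightened in the same way. The `'regex' => ''` / `'errmsg' => ''` keys kept on L29-30 now sit beside a validator carrying the real pattern; presumably the tform engine ignores an empty `regex`, but a short comment saying so would stop a reader from expecting two checks.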
@@ -212,6 +218,12 @@ $form['tabs']['users'] = array (
 		'app_theme' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'RADIO',
+			'validators' => array (  0 => array (    'type' => 'NOTEMPTY',
+					'errmsg'=> 'app_theme_empty'),
+				1 => array (    'type' => 'REGEX',
+					'regex' => '/^[a-z0-9\_]{0,64}$/',
+					'errmsg'=> 'app_theme_regex'),
+			),
 			'regex'  => '',
 			'errmsg' => '',
 			'default' => 'default',
diff --git a/interface/web/admin/lib/lang/en_users.lng b/interface/web/admin/lib/lang/en_users.lng
index 81f3742a35..931c73e8eb 100644
--- a/interface/web/admin/lib/lang/en_users.lng
+++ b/interface/web/admin/lib/lang/en_users.lng
@@ -33,4 +33,8 @@ $wb['username_error_collision'] = 'The username may not be web or web plus a num
 $wb['client_not_admin_err'] = 'A user that belongs to a client can not be set to type: admin';
 $wb['lost_password_function_txt'] = 'Forgot password function is available';
 $wb['no_user_insert'] = 'CP-Users of type -user- get added and updated automatically when you add a client or reseller.';
+$wb['startmodule_empty'] = 'Startmodule empty.';
+$wb['startmodule_regex'] = 'Invalid chars in Startmodule.';
+$wb['app_theme_empty'] = 'App theme empty.';
+$wb['app_theme_regex'] = 'Invalid chars in App theme.';
 ?>
diff --git a/interface/web/tools/form/interface_settings.tform.php b/interface/web/tools/form/interface_settings.tform.php
index f213605bf7..9ab49eb0f1 100644
--- a/interface/web/tools/form/interface_settings.tform.php
+++ b/interface/web/tools/form/interface_settings.tform.php
@@ -144,6 +144,12 @@ $form['tabs']['main'] = array (
 		'startmodule' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'SELECT',
+			'validators' => array (  0 => array (    'type' => 'NOTEMPTY',
+					'errmsg'=> 'startmodule_empty'),
+				1 => array (    'type' => 'REGEX',
+					'regex' => '/^[a-z0-9\_]{0,64}$/',
+					'errmsg'=> 'startmodule_regex'),
+			),
 			'regex'  => '',
 			'errmsg' => '',
 			'default' => '',
@@ -157,6 +163,12 @@ $form['tabs']['main'] = array (
 		'app_theme' => array (
 			'datatype' => 'VARCHAR',
 			'formtype' => 'SELECT',
+			'validators' => array (  0 => array (    'type' => 'NOTEMPTY',
+					'errmsg'=> 'app_theme_empty'),
+				1 => array (    'type' => 'REGEX',
+					'regex' => '/^[a-z0-9\_]{0,64}$/',
+					'errmsg'=> 'app_theme_regex'),
+			),
 			'regex' => '',
 			'errmsg' => '',
 			'default' => 'default',
diff --git a/interface/web/tools/interface_settings.php b/interface/web/tools/interface_settings.php
index d7a1333b59..b14b637375 100644
--- a/interface/web/tools/interface_settings.php
+++ b/interface/web/tools/interface_settings.php
@@ -81,7 +81,6 @@ class page_action extends tform_actions {
 		if(!in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
 			$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
 		}
-		$this->updateSessionTheme();
 	}
 
 	function onInsert() {
@@ -96,7 +95,6 @@ class page_action extends tform_actions {
 		if(@is_array($this->dataRecord['modules']) && !in_array($this->dataRecord['startmodule'], $this->dataRecord['modules'])) {
 			$app->tform->errorMessage .= $app->tform->wordbook['startmodule_err'];
 		}
-		$this->updateSessionTheme();
 	}
 
 	function updateSessionTheme() {
@@ -120,6 +118,9 @@ class page_action extends tform_actions {
 	}
 
 	function onAfterUpdate() {
+		
+		$this->updateSessionTheme();
+		
 		if($this->_theme_changed == true) {
 			// not the best way, but it works
 			header('Content-Type: text/html');
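Review bot: The `updateSessionTheme()` call moved to L113 now runs only after the record has been saved, which presumably is the reason for dropping it from the validation paths at L96 and L104 — a record that failed validation no longer alters the session's theme — but nothing in the hunk records that intent; a comment such as `// apply the theme to the session only once the record has actually been stored` would keep the next editor from moving it back into onBeforeUpdate. The two blank lines added at L112 and L114 carry trailing tabs and should be empty. The call removed at L104 belongs to a function whose start is outside the hunk; if that path can also persist a theme change, this patch adds no onAfterInsert counterpart — confirm against the rest of the class. onAfterUpdate continues past the end of the hunk.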
diff --git a/interface/web/tools/lib/lang/en_interface.lng b/interface/web/tools/lib/lang/en_interface.lng
index b15c7334b2..7cb0e2d8bc 100644
--- a/interface/web/tools/lib/lang/en_interface.lng
+++ b/interface/web/tools/lib/lang/en_interface.lng
@@ -4,4 +4,8 @@ $wb["interface_desc_txt"] = 'Modify your interface';
 $wb["language_txt"] = 'Language';
 $wb["startmodule_txt"] = 'Startmodule';
 $wb["app_theme_txt"] = 'Design';
+$wb['startmodule_empty'] = 'Startmodule empty.';
+$wb['startmodule_regex'] = 'Invalid chars in Startmodule.';
+$wb['app_theme_empty'] = 'App theme empty.';
+$wb['app_theme_regex'] = 'Invalid chars in App theme.';
 ?>
\ No newline at end of file
-- 
GitLab