/**
* Returns an instance of StringValidationRule constructed with a regex
* pattern for validating Credit Card Numbers obtained from the ESAPI
* SecurityConfiguration.
*
* @return object object of type StringValidationRule.
*/
private function _getCCRule()
{
global $ESAPI;
$config = ESAPI::getSecurityConfiguration();
$pattern = $config->getValidationPattern(self::CREDIT_CARD_VALIDATOR_KEY);
$ccr = new StringValidationRule('CreditCardValidator', $this->encoder, $pattern);
$ccr->setMaximumLength(19);
$ccr->setAllowNull(false);
return $ccr;
}
/**
* Returns the canonicalized, valid input.
* Throws ValidationException if the input is not valid or
* IntrusionException if the input is an obvious attack.
*
* @param string $context A descriptive name of the parameter that you are
* validating (e.g., ProfilePage_Signature). This value
* is used by any logging or error handling that is done
* with respect to the value passed in.
* @param string $input The actual string user input data to validate.
*
* @return string canonicalized, valid input.
* @throws ValidationException, IntrusionException
*/
public function getValid($context, $input)
{
// Parent validator will sanity check.
$canonical = parent::getValid($context, $input);
$clean_email = filter_var($canonical, FILTER_SANITIZE_EMAIL);
if ($clean_email == false) {
throw new ValidationException('Email Address Input is not valid.', 'Error attempting to sanitize Email Address: ' . $input, $context);
}
if (strcmp($canonical, $clean_email) !== 0) {
throw new ValidationException('Email Address Input may not be valid.', 'Resorted to string comparsion of canonicalized and purified ' . 'Email Address input - result was Not Equal', $context);
}
return $clean_email;
}
/**
* Implements corresponding isValidXX logic.
*
* @param string $context Please see corresponding isValidXX description.
* @param string $input Please see corresponding isValidXX description.
* @param string $type Please see corresponding isValidXX description.
* @param int $maxLength Please see corresponding isValidXX description.
* @param bool $allowNull Please see corresponding isValidXX description.
*
* @return does not return a value.
* @throws ValidationException thrown if input is invalid.
* @throws IntrusionException thrown if intrusion is detected.
*/
private function _assertValidInput($context, $input, $type, $maxLength, $allowNull)
{
$validationRule = new StringValidationRule($type, $this->_encoder);
$config = ESAPI::getSecurityConfiguration();
$pattern = $config->getValidationPattern($type);
if ($pattern !== false) {
$validationRule->addWhitelistPattern($pattern);
} else {
$validationRule->addWhitelistPattern($type);
}
$validationRule->setMaximumLength($maxLength);
$validationRule->setAllowNull($allowNull);
$validationRule->assertValid($context, $input);
return null;
}
/**
* Returns the canonicalized, valid input.
* Throws ValidationException if the input is not valid or
* IntrusionException if the input is an obvious attack.
*
* @param string $context A descriptive name of the parameter that you are
* validating (e.g., ProfilePage_Signature). This value
* is used by any logging or error handling that is done
* with respect to the value passed in.
* @param string $input The actual string user input data to validate.
*
* @throws ValidationException, IntrusionException
*
* @return string canonicalized, valid input.
*/
public function getValid($context, $input)
{
// Parent validator will sanity check.
$canonical = parent::getValid($context, $input);
$clean_html = null;
try {
$clean_html = $this->_purifier->purify($canonical);
} catch (Exception $e) {
throw new ValidationException('HTML Input is not valid.', 'Caught ' . gettype($e) . ' attempting to purify HTML: ' . $e->getMessage, $context);
}
// If ErrorCollector was used, it may be able to tell us about errors in
// the html. If not, (poor quality) assumption is that if canonicalized
// input and the output don't match then the input wasn't valid.
$numErrors = 0;
$errors = $this->_purifier->context->get('ErrorCollector');
if ($errors instanceof HTMLPurifier_ErrorCollector) {
$numErrors = sizeof($errors->getRaw(), false);
if ($numErrors > 0) {
throw new ValidationException('HTML Input is not valid.', "{$numErrors} found in HTML - Input is not valid.", $context);
}
} elseif (strcmp($canonical, $clean_html) !== 0) {
throw new ValidationException('HTML Input may not be valid.', 'Resorted to string comparsion of canonicalized and purified ' . 'HTML input - result was Not Equal', $context);
}
return $clean_html;
}
/**
* Helper method to validate input and return the canonicalized, validated value
* if valid.
*
* @param string $context A description of the input to be validated.
* @param string $input The input to validate.
* @param string $pattern The regex pattern against which to validate the
* supplied input.
* @param string $type A descriptive name for the StringValidationRule.
* @param int $maxLength The maximum post-canonicalized length of valid
* inputs.
* @param bool $allowNULL Whether an empty string is considered valid input.
*
* @throws ValidationException
*
* @return string canonicalized, valid inputs only.
*/
private function _getIfValid($context, $input, $pattern, $type, $maxLength, $allowNull)
{
$validationRule = new StringValidationRule($type, $this->_encoder);
if ($pattern != null) {
$validationRule->addWhitelistPattern($pattern);
}
$validationRule->setMaximumLength($maxLength);
$validationRule->setAllowNull($allowNull);
return $validationRule->getValid($context, $input);
}
/**
* Constructor sets-up the validation rule with a descriptive name for this
* validator, an optional Encoder instance (for canonicalization) and an
* optional whitelist regex pattern to validate the input against prior to
* email address purification.
* An instance of the HTMLPurifier class is created and stored too.
*
* @param string $typeName descriptive name for this validator.
* @param object $encoder providing canonicalize method.
* @param string $whitelistPattern whitelist regex.
*
* @return does not return a value.
*/
public function __construct($typeName, $encoder = null, $whitelistPattern = null)
{
global $ESAPI;
parent::__construct($typeName, $encoder);
$this->_auditor = $ESAPI->getAuditor("WordValidationRule");
}
/**
* test sanitize with empty input
*/
function testStringVR_sanitize_empty()
{
$svr = new StringValidationRule('A_String', null, null);
$this->assertEquals('', $svr->sanitize('testStringVR_sanitize_empty', null));
$this->assertEquals('', $svr->sanitize('testStringVR_sanitize_empty', ''));
}
