function checkFields($aData, $zData = false)
{
    // Validates the submitted form data before it is stored.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // database record when editing, false otherwise (not used here).
    // This class adds no mandatory fields of its own; the generic checks
    // live in the parent implementation.
    parent::checkFields($aData);

    // Refuse HTML in any submitted field. Called without arguments,
    // lovd_checkXSS() walks $_POST and registers one error per offending field.
    $bNoHTML = lovd_checkXSS();
}
function checkFields($aData, $zData = false)
{
    // Validates the submitted form data before it is stored.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // database record when editing, false otherwise (not used here).

    // Owner and status are required on top of the parent's generic checks.
    $aRequired = array('owned_by', 'statusid');
    $this->aCheckMandatory = $aRequired;
    parent::checkFields($aData);

    // Refuse HTML in any submitted field (inspects $_POST when called bare).
    lovd_checkXSS();
}
function checkFields($aData, $zData = false)
{
    // Validates the submitted form data before it is stored.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // database record when editing, false otherwise (not used here).

    // Only the owner is required here; the parent performs the generic checks.
    $this->aCheckMandatory = array('owned_by');
    parent::checkFields($aData);

    // Cap the gene selection; no selection at all means a genome-wide analysis.
    $aSelectedGenes = array();
    if (!empty($aData['genes']) && is_array($aData['genes'])) {
        $aSelectedGenes = $aData['genes'];
    }
    if (count($aSelectedGenes) > 15) {
        lovd_errorAdd('genes', 'Please select no more than 15 genes. For genome-wide analysis, <B>no</B> genes should be selected.');
    }

    // Refuse HTML in any submitted field (inspects $_POST when called bare).
    lovd_checkXSS();
}
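function checkFields($aData, $zData = false)
{
    // Checks the system settings form before submission of data.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // settings record when editing, false otherwise (not used here).
    // Errors are reported through lovd_errorAdd(); a few defaults are written
    // back into $_POST, because that is what the caller apparently stores.
    // NOTE(review): the proxy check below opens a TCP connection from the
    // server to a user-supplied host:port, so this form must stay restricted
    // to administrators; otherwise it can be used to probe internal hosts.
    global $_SETT;

    $this->aCheckMandatory = array('system_title', 'email_address', 'refseq_build');
    parent::checkFields($aData);

    // Database URL is mandatory, if the option "Include in the global LOVD listing" is selected.
    if (!empty($aData['include_in_listing']) && empty($aData['location_url'])) {
        lovd_errorAdd('location_url', 'Please fill in an URL in the \'Database URL\' field, if you want this LOVD installation to be included in the global LOVD listing; otherwise disable the \'Include in the global LOVD listing\' setting below.');
    }

    // Database URL should be an URL.
    if (!empty($aData['location_url']) && !lovd_matchURL($aData['location_url'])) {
        lovd_errorAdd('location_url', 'Please fill in a correct URL in the \'Database URL\' field.');
    }

    // Email address.
    if (!empty($aData['email_address']) && !lovd_matchEmail($aData['email_address'])) {
        lovd_errorAdd('email_address', 'Please fill in a correct email address.');
    }

    // Refseq build should match the available builds.
    if (!empty($aData['refseq_build']) && !array_key_exists($aData['refseq_build'], $_SETT['human_builds'])) {
        lovd_errorAdd('refseq_build', 'Please select one of the available Human Builds.');
    }

    // Proxy server checks (valid hostname, valid port number, try connecting).
    if (!empty($aData['proxy_host'])) {
        // The port is handed straight to fsockopen(); the original only tested
        // for "not empty", although the error message promises a numeric check.
        $bValidPort = (!empty($aData['proxy_port']) && ctype_digit((string) $aData['proxy_port'])
            && (int) $aData['proxy_port'] >= 1 && (int) $aData['proxy_port'] <= 65535);

        // Pattern taken from lovd_matchURL().
        if (!preg_match('/^([0-9]{1,3}(\\.[0-9]{1,3}){3}|(([0-9a-z][-0-9a-z]*[0-9a-z]|[0-9a-z])\\.?)+[a-z]{2,6})$/i', $aData['proxy_host'])) {
            lovd_errorAdd('proxy_host', 'Please fill in a correct host name of the proxy server, if you wish to use one.');
        } elseif (!$bValidPort) {
            lovd_errorAdd('proxy_port', 'Please fill in a correct, numeric, port number of the proxy server, if you wish to use a proxy server.');
        } else {
            // Alright, let's try and connect.
            // First: normal connect, direct, no outside connection requested.
            $f = @fsockopen($aData['proxy_host'], (int) $aData['proxy_port'], $nError, $sError, 5);
            if ($f === false) {
                lovd_errorAdd('proxy_host', 'Could not connect to given proxy server. Please check if the fields are correctly filled in.');
                lovd_errorAdd('proxy_port', '');
            } else {
                // Don't hang the whole request on a proxy that accepts the
                // connection but never answers; 5s matches the connect timeout.
                stream_set_timeout($f, 5);

                // The credentials are read from $_POST rather than $aData, as the
                // original did; kept that way because the two may not be the same array.
                $sProxyAuth = '';
                if (!empty($_POST['proxy_username']) && !empty($_POST['proxy_password'])) {
                    $sProxyAuth = 'Proxy-Authorization: Basic ' . base64_encode($_POST['proxy_username'] . ':' . $_POST['proxy_password']) . "\r\n";
                }
                $sRequest = 'GET ' . $_SETT['check_location_URL'] . ' HTTP/1.0' . "\r\n" .
                    'User-Agent: LOVDv.' . $_SETT['system']['version'] . " Proxy Check\r\n" .
                    $sProxyAuth .
                    'Connection: Close' . "\r\n\r\n";
                fputs($f, $sRequest);

                // Only the status line is needed; fgets() returns false on timeout/EOF.
                $s = fgets($f);
                $s = ($s === false ? '' : rtrim($s));
                // The socket was never closed before; release it right away.
                fclose($f);

                if (!preg_match('/^HTTP\\/1\\.. [23]/', $s)) {
                    // Allowing HTTP 2XX and 3XX.
                    if (preg_match('/^HTTP\\/1\\.. 407/', $s)) {
                        // Proxy needs username and password.
                        if (!empty($_POST['proxy_username']) && !empty($_POST['proxy_password'])) {
                            lovd_errorAdd('proxy_username', 'Invalid username/password combination for this proxy server. Please try again.');
                            lovd_errorAdd('proxy_password', '');
                        } else {
                            lovd_errorAdd('proxy_username', 'This proxy server requires a valid username and password. Please make sure you provide them both.');
                            lovd_errorAdd('proxy_password', '');
                        }
                    } else {
                        // The status line is remote-controlled content; escape it
                        // before it is echoed into the error list (the other checks
                        // in this file use htmlspecialchars() for the same reason).
                        lovd_errorAdd('proxy_host', 'Unexpected answer from proxy when trying to connect upstream: ' . htmlspecialchars($s));
                    }
                }
            }
        }
    } elseif (!empty($aData['proxy_port'])) {
        // We have a port number, but no host name.
        lovd_errorAdd('proxy_host', 'Please also fill in a correct host name of the proxy server, if you wish to use one.');
    }

    // Custom logo must exist.
    if (!empty($aData['logo_uri'])) {
        // Determine if file can be read and is an image or not.
        // NOTE(review): the value is used as a path relative to ROOT_PATH with
        // no containment check; this relies on the form being admin-only.
        if (!is_readable(ROOT_PATH . $aData['logo_uri'])) {
            lovd_errorAdd('logo_uri', 'Cannot read the custom logo file. Please make sure the path is correct and that the file can be read.');
        } else {
            $a = @getimagesize(ROOT_PATH . $aData['logo_uri']);
            if (!is_array($a)) {
                lovd_errorAdd('logo_uri', 'The custom logo file that you selected does not seem to be a picture.');
            }
        }
    } else {
        // FIXME; this is probably not the best way of doing this...
        $_POST['logo_uri'] = 'gfx/LOVD3_logo145x50.jpg';
    }

    // FIXME; Like above, not the best solution, but gets the job done for now.
    if (empty($aData['mutalyzer_soap_url'])) {
        $_POST['mutalyzer_soap_url'] = 'https://mutalyzer.nl/services';
    }

    // SSL check.
    if (!empty($aData['use_ssl']) && !SSL) {
        // The https:// link is built from the request's own host, path and query
        // string. Host header and PATH_INFO are request-controlled, so escape the
        // whole URL for use inside the href attribute.
        $sQuery = (empty($_SERVER['QUERY_STRING']) ? '' : '?' . str_replace('&sent=true', '', $_SERVER['QUERY_STRING']));
        $sHttpsURL = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . $sQuery;
        lovd_errorAdd('use_ssl', 'You\'ve selected to force the use of SSL, but SSL is not currently activated for this session. To force SSL, I must be sure it\'s possible to approach LOVD through an SSL connection (use <A href="' . htmlspecialchars($sHttpsURL) . '" target="_blank">https://</A> instead of http://).');
    }

    // Settings that can not be changed through this form.
    $_POST['api_feed_history'] = 0;
    $_POST['allow_count_hidden_entries'] = 0;
    $_POST['use_versioning'] = 0;

    // XSS attack prevention. Deny input of HTML.
    lovd_checkXSS();
}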
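function checkFields($aData, $zData = false)
{
    // Checks the custom column definition before submission of data.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // column record when editing, false otherwise (not used here).
    // Errors are reported through lovd_errorAdd().
    global $_DB;

    // Mandatory fields.
    $this->aCheckMandatory = array('category', 'colid', 'head_column', 'description_legend_short', 'description_legend_full', 'mysql_type', 'form_type', 'width');
    if (ACTION == 'edit') {
        // The column ID is fixed on edit. aCheckMandatory is a plain list, so
        // unset($this->aCheckMandatory['colid']) silently did nothing; drop the value instead.
        $this->aCheckMandatory = array_values(array_diff($this->aCheckMandatory, array('colid')));
    } elseif (!empty($aData['active_links']) && !preg_match('/^(TEXT|VARCHAR)/', $aData['mysql_type'])) {
        // The anchor must cover both alternatives; '/^TEXT|VARCHAR/' accepted any
        // type that merely contained "VARCHAR" somewhere (e.g. in a DEFAULT clause).
        lovd_errorAdd('active_links', 'Only VARCHAR or TEXT columns can have custom links activated for it!');
    }
    parent::checkFields($aData);

    // Category; not chosen on this form, but we want to make sure it's correct anyways.
    $aCategories = array('Individual', 'Phenotype', 'Screening', 'VariantOnGenome', 'VariantOnTranscript');
    if (!empty($aData['category']) && !in_array($aData['category'], $aCategories, true)) {
        lovd_errorAdd('category', 'The category is not correct. Please choose one of the following: Individual, Phenotype, Screening, VariantOnGenome or VariantOnTranscript.');
    }

    // ColID format.
    if (!empty($aData['colid']) && !preg_match('/^[A-Za-z0-9_]+(\\/[A-Za-z0-9_]+)*$/', $aData['colid'])) {
        lovd_errorAdd('colid', 'The column ID is not of the correct format. It can contain only letters, numbers and underscores. Subcategories must be divided by a slash (/).');
    }

    // During an import ColID that exist in the database do not give a hard error. Error is handled in import.php
    if (lovd_getProjectFile() != '/import.php') {
        // ColID must not exist in the database (parameterised; both parts are user input).
        if (!empty($aData['category']) && !empty($aData['colid'])) {
            if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_COLS . ' WHERE id = ?', array($aData['category'] . '/' . $aData['colid']))->fetchColumn()) {
                // The category may have failed the whitelist above and still reach this
                // message, so escape it like the other user-supplied values in error texts.
                lovd_errorAdd('colid', 'There is already a ' . htmlspecialchars($aData['category']) . ' column with this column ID. Please verify that you\'re not trying to create a column that already exists!');
            }
        }
    }

    // Width can not be less than 20 or more than 500.
    // These numbers are also defined in object_shared_columns.php and inc-js-columns.php.
    if (isset($aData['width']) && strlen($aData['width']) > 0) {
        if (!ctype_digit((string) $aData['width'])) {
            // Strings that are not plain integers (e.g. '30abc') could pass both
            // range comparisons below through PHP's string/number comparison rules.
            lovd_errorAdd('width', 'The width has to be a whole number of pixels!');
        } elseif ($aData['width'] > 500) {
            lovd_errorAdd('width', 'The width can not be more than 500 pixels!');
        } elseif ($aData['width'] < 20) {
            lovd_errorAdd('width', 'The width can not be less than 20 pixels!');
        }
    }

    // MySQL type format. This value ends up in DDL, so only the wizard's shapes are accepted.
    if (!empty($aData['mysql_type']) && !preg_match('/^(TEXT|VARCHAR\\([0-9]{1,3}\\)|DATE(TIME)?|((TINY|SMALL|MEDIUM|BIG)?INT\\([0-9]{1,2}\\)|DECIMAL\\([0-9]{1,2}\\,[0-9]{1,2}\\)|FLOAT)( UNSIGNED)?)( DEFAULT ([0-9]+|"[^"]+"))?$/i', $aData['mysql_type'])) {
        lovd_errorAdd('mysql_type', 'The MySQL data type is not recognized. Please use the data type wizard to generate a proper MySQL data type.');
    }

    // Form type.
    if (!empty($aData['form_type']) && !preg_match('/^[^|]+\\|[^|]*\\|(checkbox|text\\|[0-9]+|textarea\\|[0-9]+\\|[0-9]+|select\\|[0-9]+\\|[^|]*\\|(false|true)\\|(false|true))$/i', $aData['form_type'])) {
        lovd_errorAdd('form_type', 'The form type is not recognized. Please use the data type wizard to generate a proper form type.');
    }

    // XSS attack prevention. Deny input of HTML.
    // Ignore some fields that are allowed to contain HTML, or that might cause false positives.
    // NOTE(review): the fields skipped here are stored unchecked, so they must be
    // treated as trusted (manager-level) content wherever they are rendered.
    unset($aData['description_form'], $aData['preg_pattern'], $aData['description_legend_short'], $aData['description_legend_full']);
    lovd_checkXSS($aData);
}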
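function checkFields($aData, $zData = false)
{
    // Checks the shared column settings before submission of data.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // record when editing, false otherwise (not used here).
    // Errors are reported through lovd_errorAdd().

    // Mandatory fields.
    $this->aCheckMandatory = array('description_legend_short', 'description_legend_full', 'width');
    parent::checkFields($aData);

    // Width can not be less than 20 or more than 500.
    // These numbers are also defined in object_columns.php and inc-js-columns.php.
    if (isset($aData['width']) && strlen($aData['width']) > 0) {
        if (!ctype_digit((string) $aData['width'])) {
            // Strings that are not plain integers (e.g. '30abc') could pass both
            // range comparisons below through PHP's string/number comparison rules.
            lovd_errorAdd('width', 'The width has to be a whole number of pixels!');
        } elseif ($aData['width'] > 500) {
            lovd_errorAdd('width', 'The width can not be more than 500 pixels!');
        } elseif ($aData['width'] < 20) {
            lovd_errorAdd('width', 'The width can not be less than 20 pixels!');
        }
    }

    // XSS attack prevention. Deny input of HTML.
    // Ignore some fields that are allowed to contain HTML, or that might cause false positives.
    // NOTE(review): these fields are stored unchecked, so they must be treated as
    // trusted (curator-level) content wherever they are rendered.
    unset($aData['description_form'], $aData['description_legend_short'], $aData['description_legend_full']);
    lovd_checkXSS($aData);
}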
function checkFields($aData, $zData = false)
{
    // Checks the genomic variant (VOG) entry before submission of data.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // record when editing, false otherwise (not used here).
    // Errors are reported through lovd_errorAdd(); a predicted DBID is written
    // into both the local copy and $_POST.
    global $_AUTH, $_CONF, $_SETT;

    // Mandatory fields.
    $this->aCheckMandatory = array('chromosome', 'effect_reported', 'owned_by', 'statusid');
    if ($_AUTH['level'] >= LEVEL_CURATOR) {
        $this->aCheckMandatory[] = 'effect_concluded';
    } elseif (isset($aData['effect_reported']) && $aData['effect_reported'] === '0') {
        // Submitters must fill in the variant effect field; '0' is not allowed for them.
        // Only the local copy is unset, presumably so that the mandatory-field
        // check in parent::checkFields() reports it as missing.
        unset($aData['effect_reported']);
    }

    // Do this before running checkFields so that we have time to predict the DBID and fill it in.
    // Whether the user may touch the DBID at all depends on the column being
    // open to the public or the user being at least curator.
    if (!empty($aData['VariantOnGenome/DNA']) && isset($this->aColumns['VariantOnGenome/DBID']) && ($this->aColumns['VariantOnGenome/DBID']['public_add'] || $_AUTH['level'] >= LEVEL_CURATOR)) {
        // VOGs with at least one VOT, which still have a chr* DBID, will get an error. So we'll empty the DBID field, allowing the new VOT value to be autofilled in.
        if (!empty($aData['aTranscripts']) && !empty($aData['VariantOnGenome/DBID']) && strpos($aData['VariantOnGenome/DBID'], 'chr' . $aData['chromosome'] . '_') !== false) {
            $aData['VariantOnGenome/DBID'] = '';
        }
        if (empty($aData['VariantOnGenome/DBID'])) {
            if (lovd_getProjectFile() != '/import.php') {
                // Only predict an DBID, if we're actually going to use it (which doesn't happen when we're importing).
                $aData['VariantOnGenome/DBID'] = $_POST['VariantOnGenome/DBID'] = lovd_fetchDBID($aData);
            }
        } elseif (!lovd_checkDBID($aData)) {
            // A user-supplied DBID that does not pass lovd_checkDBID(); the value is
            // escaped before it is echoed back in the error message.
            lovd_errorAdd('VariantOnGenome/DBID', 'Please enter a valid ID in the ' . (lovd_getProjectFile() == '/import.php' ? 'VariantOnGenome/DBID' : '\'ID\'') . ' field or leave it blank and LOVD will predict it. Incorrect ID: "' . htmlspecialchars($aData['VariantOnGenome/DBID']) . '".');
        }
    }

    // Generic checks (mandatory fields etc.) from the parent class.
    parent::checkFields($aData);

    // The effect values and the chromosome must come from the configured lists
    // in $_SETT; anything else is rejected rather than stored.
    if (isset($aData['effect_reported']) && !isset($_SETT['var_effect'][$aData['effect_reported']])) {
        lovd_errorAdd('effect_reported', 'Please select a proper functional effect from the \'Affects function (reported)\' selection box.');
    }
    if (isset($aData['effect_concluded']) && !isset($_SETT['var_effect'][$aData['effect_concluded']])) {
        lovd_errorAdd('effect_concluded', 'Please select a proper functional effect from the \'Affects function (concluded)\' selection box.');
    }
    if (!empty($aData['chromosome']) && !isset($_SETT['human_builds'][$_CONF['refseq_build']]['ncbi_sequences'][$aData['chromosome']])) {
        lovd_errorAdd('chromosome', 'Please select a proper chromosome from the \'Chromosome\' selection box.');
    }

    // XSS attack prevention. Deny input of HTML (inspects $_POST when called bare).
    lovd_checkXSS();
}
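function checkFields($aData, $zData = false)
{
    // Checks the user account form before submission of data.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // user record when editing, false otherwise (not used here).
    // Errors are reported through lovd_errorAdd(); an empty IP restriction is
    // normalised to '*' directly in $_POST.
    global $_AUTH, $_DB, $_PE, $_SETT;

    // Mandatory fields.
    $this->aCheckMandatory = array('name', 'institute', 'address', 'city', 'countryid', 'email', 'username');
    // These password fields are only not mandatory when we're editing.
    if (ACTION != 'edit') {
        $this->aCheckMandatory[] = 'password_1';
        $this->aCheckMandatory[] = 'password_2';
    }
    parent::checkFields($aData);

    // Email address(es), one per line.
    if (!empty($aData['email'])) {
        $aEmail = explode("\r\n", $aData['email']);
        foreach ($aEmail as $sEmail) {
            if (!lovd_matchEmail($sEmail)) {
                // Strict comparison with the trimmed value: '==' would treat
                // numeric-looking strings with surrounding spaces as equal.
                lovd_errorAdd('email', 'Email "' . htmlspecialchars($sEmail) . '" is not a correct email address' . ($sEmail && $sEmail === trim($sEmail) ? '' : '. Make sure there are no spaces or empty lines left in the email field') . '.');
            }
        }
    }

    if (lovd_getProjectFile() == '/install/index.php' || ACTION == 'create') {
        // Check username format.
        if (!empty($aData['username']) && !lovd_matchUsername($aData['username'])) {
            lovd_errorAdd('username', 'Please fill in a correct username; 4 to 20 characters and starting with a letter followed by letters, numbers, dots, underscores and dashes only.');
        }
    }

    if (in_array(ACTION, array('create', 'register'))) {
        // Does the username exist already? (parameterised lookup)
        if (!empty($aData['username'])) {
            if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_USERS . ' WHERE username = ?', array($aData['username']))->fetchColumn()) {
                lovd_errorAdd('username', 'There is already a user with this username. Please choose another one.');
            }
        }
    }

    // One of two password fields entered... check 'em.
    // Normalise missing keys to '' so the checks below don't trip on undefined indexes.
    $sPassword1 = (empty($aData['password_1']) ? '' : $aData['password_1']);
    $sPassword2 = (empty($aData['password_2']) ? '' : $aData['password_2']);
    if ($sPassword1 !== '' || $sPassword2 !== '') {
        if ($sPassword1 !== '' && $sPassword2 !== '') {
            // Both entered. Compare strictly: with '!=' two numeric-looking strings
            // such as "1e3" and "1000" are considered equal by PHP.
            if ($sPassword1 !== $sPassword2) {
                lovd_errorAdd('password_2', 'The \'' . (in_array(ACTION, array('edit', 'change_password')) ? 'New p' : 'P') . 'assword\' fields are not equal. Please try again.');
            } elseif (!lovd_matchPassword($sPassword1)) {
                // Password quality. NOTE(review): the policy lives in lovd_matchPassword();
                // the message documents a 4-character minimum, which is weak by today's standards.
                lovd_errorAdd('password_1', 'Your password is found too weak. Please fill in a proper password; at least 4 characters long and containing at least one number or special character.');
            }
        } elseif (in_array(ACTION, array('edit', 'change_password'))) {
            lovd_errorAdd('password_2', 'If you want to change the current password, please fill in both \'New password\' fields.');
        } else {
            lovd_errorAdd('password_2', 'Please fill in both \'Password\' fields.');
        }
    }

    // Check given security IP range.
    if (!empty($aData['allowed_ip'])) {
        // This function will throw an error itself (second argument).
        $bIP = lovd_matchIPRange($aData['allowed_ip'], 'allowed_ip');
        if (lovd_getProjectFile() == '/install/index.php' || (ACTION == 'edit' && $_PE[1] == $_AUTH['id'])) {
            // Don't let the user lock themselves out with a range that excludes their current address.
            if ($bIP && !lovd_validateIP($aData['allowed_ip'], $_SERVER['REMOTE_ADDR'])) {
                // If IP address is actually IPv6, then complain that we can't restrict at all.
                // Otherwise, be clear the current setting just doesn't match.
                if (strpos($_SERVER['REMOTE_ADDR'], ':') !== false) {
                    // IPv6...
                    lovd_errorAdd('allowed_ip', 'Your current IP address is IPv6 (' . htmlspecialchars($_SERVER['REMOTE_ADDR']) . '), which is not supported by LOVD to restrict access to your account.');
                } else {
                    lovd_errorAdd('allowed_ip', 'Your current IP address is not matched by the given IP range. This would mean you would not be able to get access to LOVD with this IP range.');
                }
            }
        }
    } else {
        // We're not sure if $aData == $_POST. But we'll just do this. It can't harm I guess.
        $_POST['allowed_ip'] = '*';
    }

    // Level can't be higher or equal than the current user (privilege escalation guard).
    if (!empty($aData['level']) && $aData['level'] >= $_AUTH['level']) {
        // The requested level need not be a known level at all; don't index $_SETT blindly.
        $sLevel = (isset($_SETT['user_levels'][$aData['level']]) ? $_SETT['user_levels'][$aData['level']] : $aData['level']);
        $sUserID = (isset($_PE[1]) ? $_PE[1] : '');
        lovd_writeLog('Error', 'HackAttempt', 'Tried to upgrade user ID ' . $sUserID . ' to level ' . $sLevel . ')');
        lovd_errorAdd('level', 'User level is not permitted. Hack attempt.');
    }

    // XSS attack prevention. Deny input of HTML.
    lovd_checkXSS();
}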
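function checkFields($aData, $zData = false)
{
    // Checks the individual entry before submission of data.
    // $aData: the submitted fields (normally $_POST); $zData: the current
    // record when editing, false otherwise (not used here).
    // Errors are reported through lovd_errorAdd().
    global $_DB;

    // During import panelid, fatherid and motherid are checked in import.php.
    $bImport = lovd_getProjectFile() == '/import.php';

    // Mandatory fields.
    $this->aCheckMandatory = array('panel_size', 'owned_by', 'statusid');
    parent::checkFields($aData);

    foreach (array('fatherid', 'motherid') as $sParentalField) {
        // This is not yet implemented correctly. These checks are implemented correctly in import.php in section "Individuals".
        if (isset($aData[$sParentalField]) && ctype_digit($aData[$sParentalField]) && !$bImport) {
            // FIXME: Also check gender!!! Check if field is available, download value (or '' if not available), then check possible conflicts.
            // Partially, the code is already written below.
            $nParentID = $_DB->query('SELECT id FROM ' . TABLE_INDIVIDUALS . ' WHERE id = ?', array($aData[$sParentalField]))->fetchColumn();
            if (empty($nParentID)) {
                // FIXME: Once we have this on the form, replace with form description.
                lovd_errorAdd($sParentalField, 'No individual found with this \'' . $sParentalField . '\'.');
            } elseif ($sParentalField == 'fatherid' && false) {
                // Placeholder for the gender check above; never reached until it is implemented.
                lovd_errorAdd($sParentalField, 'The \'' . $sParentalField . '\' you entered does not refer to a male individual.');
            } elseif ($sParentalField == 'motherid' && false) {
                // Placeholder, see above; never reached.
                lovd_errorAdd($sParentalField, 'The \'' . $sParentalField . '\' you entered does not refer to a female individual.');
            } elseif ($aData[$sParentalField] == $this->nID) {
                lovd_errorAdd($sParentalField, 'The \'' . $sParentalField . '\' can not link to itself; this field is used to indicate which individual in the database is the parent of the given individual.');
            }
        }
    }

    // Changes in these checks should also be implemented in import.php in section "Individuals"
    if (isset($aData['panelid']) && ctype_digit($aData['panelid']) && !$bImport) {
        $nPanel = $_DB->query('SELECT panel_size FROM ' . TABLE_INDIVIDUALS . ' WHERE id = ?', array($aData['panelid']))->fetchColumn();
        if (empty($nPanel)) {
            lovd_errorAdd('panelid', 'No Panel found with this \'Panel ID\'.');
        } elseif ($nPanel == 1) {
            lovd_errorAdd('panelid', 'The \'Panel ID\' you entered refers to an individual, not a panel (group of individuals). If you want to configure that individual as a panel, set its \'Panel size\' field to a value higher than 1.');
        } elseif ($nPanel <= $aData['panel_size']) {
            lovd_errorAdd('panel_size', 'The entered \'Panel size\' must be lower than the \'Panel size\' of the panel you refer to with the entered \'Panel ID\'.');
        } elseif ($aData['panelid'] == $this->nID) {
            lovd_errorAdd('panel_size', 'The \'Panel ID\' can not link to itself; this field is used to indicate which group of individuals (\'panel\') this entry belongs to.');
        }
    }

    // Diseases: every selected ID must be one the form offered, and "Healthy/Control"
    // (ID 00000) can not be combined with a real disease.
    $aDiseases = array_keys($this->aFormData['aDiseases'][5]);
    if (!empty($aData['active_diseases'])) {
        // The form submits an array; a scalar (tampered request) made count()/in_array()
        // below fail instead of being validated. Wrap it so it is checked like any other ID.
        $aActiveDiseases = (is_array($aData['active_diseases']) ? $aData['active_diseases'] : array($aData['active_diseases']));
        if (count($aActiveDiseases) > 1 && in_array('00000', $aActiveDiseases)) {
            lovd_errorAdd('active_diseases', 'You cannot select both "Healthy/Control" and a disease for the same individual entry.');
        } else {
            foreach ($aActiveDiseases as $nDisease) {
                // Loose in_array() on purpose: array_keys() turns numeric string keys into ints.
                if ($nDisease && !in_array($nDisease, $aDiseases)) {
                    lovd_errorAdd('active_diseases', htmlspecialchars($nDisease) . ' is not a valid disease.');
                }
            }
        }
    }

    // XSS attack prevention. Deny input of HTML (inspects $_POST when called bare).
    lovd_checkXSS();
}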
function checkFields($aData, $zData = false)
{
    // Checks the disease entry before submission of data.
    // $aData: the submitted fields; $zData: the existing record when editing
    // (or when import.php passes a disease that already exists), false otherwise.
    // Unlike the other checkFields() overrides in this file, this one works on
    // the value returned by parent::checkFields().
    global $_AUTH, $_DB;

    $bImport = lovd_getProjectFile() == '/import.php';
    // "Create" is either the create form, or an import of a disease not yet in the database.
    $bCreate = ACTION && ACTION == 'create' || $bImport && !$zData;

    // Mandatory fields.
    $this->aCheckMandatory = array('symbol', 'name');
    $aData = parent::checkFields($aData);

    if (!empty($aData['id_omim']) && !preg_match('/^[1-9]\\d{5}$/', $aData['id_omim'])) {
        lovd_errorAdd('id_omim', 'The OMIM ID has to be six digits long and cannot start with a \'0\'.');
    }

    // Two diseases with the same OMIM ID are not allowed (checked on create, or when the ID changed).
    if (!empty($aData['id_omim']) && ($bCreate || $aData['id_omim'] != $zData['id_omim'])) {
        $bExists = $_DB->query('SELECT id FROM ' . TABLE_DISEASES . ' WHERE id_omim = ?', array($aData['id_omim']))->fetchColumn();
        if ($bExists) {
            // IMPORTANT: when you change this message, also change the array_search argument in import.php in the Disease section.
            lovd_errorAdd('id_omim', 'Another disease already exists with this OMIM ID!');
        }
    }

    // We don't like two diseases with the exact same name, either.
    if (!empty($aData['name']) && ($bCreate || $aData['name'] != $zData['name'])) {
        // $bExists holds the ID of the matching disease (or false), which is why it
        // is compared against our own ID on edit.
        $bExists = $_DB->query('SELECT id FROM ' . TABLE_DISEASES . ' WHERE name = ?', array($aData['name']))->fetchColumn();
        if ($bExists && ($bCreate || $zData['id'] != $bExists)) {
            // IMPORTANT: when you change this message, also change the array_search argument in import.php in the Disease section.
            lovd_errorAdd('name', 'Another disease already exists with the same name!');
        }
    }

    // Users below manager level must attach the disease to at least one of their own genes.
    if (!$bImport && $_AUTH['level'] < LEVEL_MANAGER && empty($aData['genes'])) {
        lovd_errorAdd('genes', 'You should at least select one of the genes you are curator of.');
    }

    // Rebuild $_POST['genes'] with the genes that pass the authorization check
    // (the stored value apparently comes from $_POST rather than $aData).
    $_POST['genes'] = array();
    if (is_array($aData['genes'])) {
        foreach ($aData['genes'] as $sGene) {
            // NOTE(review): the "not authorized to add" check only applies when creating;
            // on edit every gene in $aData['genes'] is accepted here. Presumably the edit
            // form only offers genes the user may manage - confirm before relying on it.
            if (!lovd_isAuthorized('gene', $sGene, false) && $bCreate) {
                lovd_errorAdd('genes', 'You are not authorized to add this disease to gene ' . htmlspecialchars($sGene) . '.');
            } else {
                $_POST['genes'][] = $sGene;
            }
        }
    }
    if (!$bCreate) {
        // On edit, removing the disease from a gene the user is not authorized for
        // is refused, and that gene is put back into the stored list.
        if (is_array($aData['genes']) && isset($zData['genes']) && is_array($zData['genes'])) {
            foreach ($zData['genes'] as $sGene) {
                if ($sGene && !in_array($sGene, $aData['genes']) && !lovd_isAuthorized('gene', $sGene, false)) {
                    lovd_errorAdd('genes', 'You are not authorized to remove this disease from gene ' . htmlspecialchars($sGene) . '.');
                    $_POST['genes'][] = $sGene;
                }
            }
        }
    }

    // XSS attack prevention. Deny input of HTML.
    lovd_checkXSS();
}
function checkFields($aData, $zData = false)
{
    // Checks the gene entry before submission of data.
    // $aData: the submitted fields; $zData: the gene data gathered so far (kept
    // in $_SESSION according to the comment below), which provides 'id',
    // 'id_hgnc' and 'genomic_references'. Errors go through lovd_errorAdd().
    global $_DB;

    // No mandatory fields, since all the gene data is in $_SESSION.
    if (isset($aData['workID'])) {
        // Internal bookkeeping value; keep it out of the generic checks.
        unset($aData['workID']);
    }
    parent::checkFields($aData);

    if (ACTION == 'create') {
        // The gene symbol and the HGNC ID must both be new (parameterised lookups).
        if ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_GENES . ' WHERE id = ?', array($zData['id']))->fetchColumn()) {
            lovd_errorAdd('', 'Unable to add gene. This gene symbol already exists in the database!');
        } elseif ($_DB->query('SELECT COUNT(*) FROM ' . TABLE_GENES . ' WHERE id_hgnc = ?', array($zData['id_hgnc']))->fetchColumn()) {
            lovd_errorAdd('', 'Unable to add gene. A gene with this HGNC ID already exists in the database!');
        }
    }

    // The genomic reference must be one of the accessions offered for this gene (not enforced on import).
    if (lovd_getProjectFile() != '/import.php' && !in_array($aData['refseq_genomic'], $zData['genomic_references'])) {
        lovd_errorAdd('refseq_genomic', 'Please select a proper NG, NC, or LRG accession number in the \'NCBI accession number for the genomic reference sequence\' selection box.');
    }

    // A human-readable reference sequence needs its location, and a custom disclaimer its text.
    if (!empty($aData['refseq']) && empty($aData['refseq_url'])) {
        lovd_errorAdd('refseq', 'You have selected that there is a human-readable reference sequence. Please fill in the "Human-readable reference sequence location" field. Otherwise, select \'No\' for the "This gene has a human-readable reference sequence" field.');
    }
    if ($aData['disclaimer'] == 2 && empty($aData['disclaimer_text'])) {
        lovd_errorAdd('disclaimer_text', 'If you wish to use an own disclaimer, please fill in the "Text for own disclaimer" field. Otherwise, select \'No\' for the "Include disclaimer" field.');
    }

    // Numeric values
    $aCheck = array('header_align' => 'Header aligned to', 'footer_align' => 'Footer aligned to');
    foreach ($aCheck as $key => $val) {
        if ($aData[$key] && !is_numeric($aData[$key])) {
            lovd_errorAdd($key, 'The \'' . $val . '\' field has to contain a numeric value.');
        }
    }

    // URL values
    if ($aData['url_homepage'] && !lovd_matchURL($aData['url_homepage'])) {
        lovd_errorAdd('url_homepage', 'The \'Homepage URL\' field does not seem to contain a correct URL.');
    }
    if ($aData['refseq_url'] && !lovd_matchURL($aData['refseq_url'], true)) {
        lovd_errorAdd('refseq_url', 'The \'Human-readable reference sequence location\' field does not seem to contain a correct URL.');
    }

    // List of external links, one per line; either a bare URL or "Label <URL>".
    // The label may not contain '<' or '>' and the URL part itself must pass lovd_matchURL().
    if ($aData['url_external']) {
        $aExternalLinks = explode("\r\n", $aData['url_external']);
        foreach ($aExternalLinks as $n => $sLink) {
            if (!lovd_matchURL($sLink) && (!preg_match('/^[^<>]+ <([^< >]+)>$/', $sLink, $aRegs) || !lovd_matchURL($aRegs[1]))) {
                lovd_errorAdd('url_external', 'External link #' . ($n + 1) . ' (' . htmlspecialchars($sLink) . ') not understood.');
            }
        }
    }

    // XSS attack prevention. Deny input of HTML.
    // Ignore the 'External links' field (its "<URL>" syntax would trip the tag check; it is
    // validated per line above). The other fields listed here are deliberately allowed to
    // carry raw HTML. NOTE(review): they are stored unchecked, so whoever can edit a gene can
    // place arbitrary markup on its pages - this relies on gene editing being limited to
    // trusted (curator/manager) accounts.
    unset($aData['url_external'], $aData['disclaimer_text'], $aData['header'], $aData['footer'], $aData['note_index'], $aData['note_listing']);
    lovd_checkXSS($aData);
}
function checkFields($aData, $zData = false)
{
    // Checks fields before submission of data.
    // Loop through all transcripts to have each transcript's set of columns checked.
    // $aData: the submitted fields; on the regular form each column name is
    // prefixed with '<transcriptID>_', on import it is not. $zData is unused here.
    global $_AUTH;

    // Reset mandatory fields, because import.php calls checkFields() multiple times
    // and we don't want this list to grow forever.
    $this->aCheckMandatory = array();
    foreach (array_keys($this->aTranscripts) as $nTranscriptID) {
        if (!empty($aData['ignore_' . $nTranscriptID])) {
            // The form allows skipping a transcript entirely.
            continue;
        }
        $sPrefix = lovd_getProjectFile() == '/import.php' ? '' : $nTranscriptID . '_';
        foreach ($this->aColumns as $sCol => $aCol) {
            if (!$aCol['public_add'] && $_AUTH['level'] < LEVEL_CURATOR) {
                // Columns closed to submitters are neither required nor validated for them.
                // NOTE(review): this assumes such values are also discarded before storage
                // elsewhere; if a submitter can still post them they would bypass
                // checkInputRegExp()/checkSelectedInput() - confirm.
                continue;
            }
            $sCol = $sPrefix . $sCol;
            if ($aCol['mandatory']) {
                $this->aCheckMandatory[] = $sCol;
            }
            if (isset($aData[$sCol])) {
                // Per-column regular expression and select-option checks.
                $this->checkInputRegExp($sCol, $aData[$sCol]);
                $this->checkSelectedInput($sCol, $aData[$sCol]);
            }
        }
        $this->aCheckMandatory[] = $sPrefix . 'effect_reported';
        if ($_AUTH['level'] >= LEVEL_CURATOR) {
            $this->aCheckMandatory[] = $sPrefix . 'effect_concluded';
        } elseif (isset($aData[$sPrefix . 'effect_reported']) && $aData[$sPrefix . 'effect_reported'] === '0') {
            // Submitters must fill in the variant effect field; '0' is not allowed for them.
            // Only the local copy is unset, presumably so the mandatory check below reports it as missing.
            unset($aData[$sPrefix . 'effect_reported']);
        }
    }
    // Bypass LOVD_Custom::checkFields(), since it's functionality has been copied above.
    LOVD_Object::checkFields($aData);

    // XSS attack prevention. Deny input of HTML (inspects $_POST when called bare).
    lovd_checkXSS();
}
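function lovd_checkXSS($aInput = '')
{
    // XSS attack prevention. Deny input of HTML.
    // $aInput: a string, a (possibly nested) array of values, or '' to inspect
    // $_POST. Returns true when no value contains a '<...>' sequence; otherwise
    // registers one error per offending field via lovd_errorAdd() and returns false.
    // NOTE(review): this is an input blocklist, not output encoding. A lone '<'
    // or an unclosed tag passes, and callers that unset HTML-bearing fields before
    // calling this must escape or trust those fields at render time.
    if ($aInput === '') {
        // Default: validate the whole POST body (an explicit '' argument does the same).
        if (!count($_POST)) {
            return true;
        }
        return lovd_checkXSS($_POST);
    }
    if (!is_array($aInput)) {
        $aInput = array($aInput);
    }

    $bSuccess = true;
    foreach ($aInput as $key => $val) {
        if (is_array($val)) {
            // Always recurse. The original '$bSuccess && lovd_checkXSS($val)' short-circuited
            // once one field had failed, so later nested fields never got their own error.
            if (!lovd_checkXSS($val)) {
                $bSuccess = false;
            }
        } elseif (!empty($val) && preg_match('/<.*>/s', $val)) {
            // Disallowed tag found.
            $bSuccess = false;
            lovd_errorAdd($key, 'Disallowed tag found in form field' . (is_numeric($key) ? '.' : ' "' . htmlspecialchars($key) . '".') . ' XSS attack?');
        }
    }
    return $bSuccess;
}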