Sanitize everything.

alistapart · Feb 11, 2014 · 5c5473b · 5c5473b
1 parent 611e99d
commit 5c5473b
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 9 deletions.
diff --git a/_tmpl/functions.php b/_tmpl/functions.php
@@ -103,7 +103,7 @@ function displayPatterns($dir) {
                 if(pathinfo($ff,PATHINFO_EXTENSION) == 'html' && $ff != 'foot.html') { // Skip non-HTML files
                     echo "<div class=\"pattern\" id=\"".$fName."\">\n";
                     echo "    <details class=\"pattern-details\">\n";
-                    echo "        <summary class=\"pattern-name\">".$fName."</summary>\n";
+                    echo "        <summary class=\"pattern-name\">".$fName." <a class=\"pattern-link\" rel=\"bookmark\" href=\"".$styleguidePath."?url=".$pathToFile."/".$ff."\" title=\"View just this pattern\">#</a></summary>\n";
                     echo "            <code class=\"pattern-markup language-markup\">".htmlspecialchars(@file_get_contents($dir.'/'.$ff))."</code>\n";
                     echo "        <pre class=\"pattern-usage\"><strong>Usage:</strong> ".htmlspecialchars(@file_get_contents($dir.'/'.str_replace('.html','.txt',$ff)))."</pre>\n";
                     echo "    </details>\n";
@@ -157,4 +157,31 @@ function displayOptions($dir) {
     }
 }
 
+function sanipath( $path ) {
+    global $patternsPath;
+    global $styleguidePath;
+
+    $saniPath = str_replace( "../", "", $path );
+    $saniPath = str_replace( ";", "", $saniPath );
+    $saniPath = htmlspecialchars( $saniPath );
+
+    $saniFile = preg_replace( "/\.[^$]*/", "", $saniPath);
+    $ret = $saniFile . ".html";
+
+    return realpath( $ret ) ? $ret : false;
+}
+
+function include_pattern( $path, $error ) {
+    try {
+        $exists = realpath( sanipath( $path ) );
+
+        if ( !$exists ) {
+            throw new Exception( $error );
+        }
+        include( $exists );
+    } catch (Exception $e) {
+        echo $e -> getMessage();
+    }
+}
+
 ?>
diff --git a/_tmpl/index.php b/_tmpl/index.php
@@ -3,25 +3,31 @@
     $pageURL = (@$_SERVER["HTTPS"] == "on") ? "https://" : "http://";
     if (isset($_POST['uri']) && isset($_POST['section'])) {
         $pageURL .= $_POST[uri].$_POST[section];
+        $pageURL = htmlspecialchars( filter_var( $pageURL, FILTER_SANITIZE_URL ) );
+
         header("Location: $pageURL");
     }
 ?>
 <!doctype HTML>
 <html lang="en">
 <head>
-	
-	<meta charset="utf-8">
-	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
-	<meta name="viewport" content="width=device-width, initial-scale=1">
+    
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
 
-	<title>A List Apart Pattern Library</title>
+    <title>A List Apart Pattern Library</title>
 
-	<link rel="stylesheet" href="css/pattern-lib.css" />
+    <link rel="stylesheet" href="css/pattern-lib.css" />
 
 </head>
 
 <body class="xx">
 
+    <?php if(isset($_GET["url"]) && sanipath( $patternsPath . $_GET["url"] ) ): ?>
+        <?php include_pattern( sanipath( $patternsPath . $_GET["url"] ), "Pattern not found." ); ?>
+    <?php else : ?>
+
         <section class="main-content">
 
             <h1 class="xx-title">A Pattern Apart</h1>
@@ -104,7 +110,8 @@
             </main>
 
         </section>
-
+
+    <?php endif; ?>
 </body>
 
 <script src="js/pattern-lib.js"></script>

diff --git a/_tmpl/patchwork.php b/_tmpl/patchwork.php
@@ -3,6 +3,8 @@
     $pageURL = (@$_SERVER["HTTPS"] == "on") ? "https://" : "http://";
     if (isset($_POST['uri']) && isset($_POST['section'])) {
         $pageURL .= $_POST[uri].$_POST[section];
+        $pageURL = htmlspecialchars( filter_var( $pageURL, FILTER_SANITIZE_URL ) );
+
         header("Location: $pageURL");
     }
 ?>
@@ -21,7 +23,11 @@
 </head>
 
 <body class="xx xx-patchwork">
-
+
+     <?php if(isset($_GET["url"]) && sanipath( $patternsPath . $_GET["url"] ) ): ?>
+        <?php include_pattern( sanipath( $patternsPath . $_GET["url"] ), "Pattern not found." ); ?>
+    <?php else : ?>
+
     <section class="main-content">
 
         <h1 class="xx-title">A Pattern Apart</h1>
@@ -54,6 +60,7 @@
 
     </section>
 
+    <?php endif; ?>
 </body>
 
 <script src="js/pattern-lib.js"></script>