| author | ilotterytea <iltsu@alright.party> | 2025-06-08 02:40:44 +0400 |
|---|---|---|
| committer | ilotterytea <iltsu@alright.party> | 2025-06-08 02:40:44 +0400 |
| commit | 3985f082a08cbfa917f9f6376d04d1910100fb90 (patch) | |
| tree | 0e7cdf13e0f39da83cf9f7d3829e4d84cf1c3eae /public | |
| parent | 84ad6e3c5b2f74b82d17b289db62cdf88f18a95b (diff) | |
upd: serialize user input in report.php
Diffstat (limited to 'public')
| -rw-r--r-- | public/report.php | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/public/report.php b/public/report.php
index ca4f882..72f49a3 100644
--- a/public/report.php
+++ b/public/report.php
@@ -27,6 +27,15 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 $file_id = $_POST['id'];
 $file_id = explode('.', $file_id);
+ if (count($file_id) != 2) {
+ generate_alert(
+ '/report.php',
+ 'Not enough data.',
+ 400,
+ null
+ );
+ exit();
+ }
 $file_ext = $file_id[1];
 $file_id = $file_id[0];
@@ -40,7 +49,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 exit();
 }
- $reason = trim($_POST['reason'] ?? '');
+ $reason = str_safe($_POST['reason'] ?? '', null);
 if (empty($reason)) {
 generate_alert(
@@ -52,7 +61,7 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
 exit();
 }
- $email = $_POST['email'] ?? '(Anonymous)';
+ $email = str_safe($_POST['email'] ?? '(Anonymous)', null);
 if (empty($email)) {
 $email = '(Anonymous)';
 } |
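Review bot: The new `count($file_id) != 2` guard in the first hunk still admits an empty segment: an id such as `.png` or `abc.` explodes into two elements and reaches `$file_ext = $file_id[1]` with an empty name or an empty extension. Tightening it to `if (count($file_id) !== 2 || $file_id[0] === '' || $file_id[1] === '') {` rejects those with the same 400 response, and `!==` drops the loose comparison. The context line `$file_id = $_POST['id'];` reads the field without a `??` default, so a POST with no `id` emits an undefined-key warning before the guard runs, and a field submitted as an array would make `explode()` throw a TypeError; `$file_id = $_POST['id'] ?? ''; if (!is_string($file_id)) { $file_id = ''; }` ahead of the explode would fold both into the existing 400 path. The enclosing POST branch starts and ends outside the hunk, so whether a later check already covers these cases is not visible here.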
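Review bot: Replacing `trim($_POST['reason'] ?? '')` with `str_safe(..., null)` in the second hunk removes the trim unless `str_safe` trims internally (its definition is not in this diff), so a whitespace-only reason may now pass the `empty($reason)` check that follows; the same applies to `$email` in the third hunk. A form that keeps both behaviours is `$reason = str_safe(trim($_POST['reason'] ?? ''), null);`. If `str_safe` is an output-escaping helper (htmlspecialchars-style), applying it at input time means the stored value is already encoded and will be double-encoded wherever it is escaped again on display; the usual split is to trim and validate here and escape at the point of output, which I cannot confirm from this hunk alone. A one-line comment on the call, such as `// str_safe: <what it strips or encodes> — see <helper file>`, would let the next reader judge which of the two it is.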
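Review bot: In the third hunk `$email` is accepted as any non-empty string; nothing in the hunk checks that it is an address, so the stored contact can carry arbitrary text, which matters if the value is later placed in a mail header or shown to a moderator (not visible here). Validating before the fallback keeps the anonymous default intact: `if ($email !== '(Anonymous)' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $email = '(Anonymous)'; }`, placed after the existing `empty($email)` block. Run the filter on the raw trimmed input rather than on the `str_safe` result if that helper encodes characters, since an encoded value may fail validation that the original would pass. Note also that `empty($email)` treats the string `'0'` as empty, which the explicit comparison avoids.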
