enable xss & csrf protections #144

application/config/autoload.php

@@ -85,7 +85,7 @@
 |	$autoload['helper'] = array('url', 'file');
  */
 
-$autoload['helper'] = array('url', 'assets', 'language', 'array', 'string');
+$autoload['helper'] = array('url', 'assets', 'language', 'array', 'string', 'form');
 
 /*
 | -------------------------------------------------------------------

application/config/config.php

@@ -431,11 +431,11 @@
 | 'csrf_regenerate' = Regenerate token on every submission
 | 'csrf_exclude_uris' = Array of URIs which ignore CSRF checks
  */
-$config['csrf_protection']   = FALSE;
+$config['csrf_protection']   = TRUE;
 $config['csrf_token_name']   = 'csrf_test_name';
 $config['csrf_cookie_name']  = 'csrf_cookie_name';
 $config['csrf_expire']       = 7200;
-$config['csrf_regenerate']   = TRUE;
+$config['csrf_regenerate']   = FALSE;
 $config['csrf_exclude_uris'] = array();
 
 /*

application/controllers/Ajax.php

@@ -91,7 +91,7 @@ function checkEmail() {
 		if ($this->expectsPost(array('email'))) {
 			$result = array();
 
-			if (!$this->user->checkUserEmail($this->input->post('email'))) {
+			if (!$this->user->checkUserEmail($this->email)) {
 				$result['success'] = true;
 			} else {
 				$result['success'] = false;
@@ -133,13 +133,6 @@ function facebookSignup() {
 		if ($this->expectsPost(array('email', 'last_name',
 			'firstname'))) {
 
-			/**
-			 * Getting all the posts
-			 */
-			$email     = $this->input->post('email');
-			$name      = $this->input->post('last_name');
-			$firstname = $this->input->post('firstname');
-			$country   = $this->input->post('country');
 			/**
 			 * For fb user, we don't have their fb password (obviously).
 			 * Yet, having a password is mandatory in tw and I don't feel
@@ -153,24 +146,24 @@ function facebookSignup() {
 			$password  = "FB_"+$this->input->post('id');
 
 			// If the email doesn't exists yet
-			if (!$this->user->checkUserEmail($email)) {
+			if (!$this->user->checkUserEmail($this->email)) {
 
 				/**
 				 * Signup attempt
 				 * TODO: Can this fail ? If so, under which circonstances ? If not,
 				 * remove the if, if yes, provide a else with a dedicated response
 				 * code.
 				 */
-				if ($this->user->signup($email, $password, $name, $firstname, $country)) {
+				if ($this->user->signup($this->email, $password, $this->firstname, $this->last_name, "")) {
 
 					$result['success'] = "signup";
-					$this->user->login($email, $password);
+					$this->user->login($this->email, $password);
 
 				}
 
 			// The email was already in the db, so we try to log the user
 			// using a potentially existing account
-			} else if ($this->user->login($email, $password)) {
+			} else if ($this->user->login($this->email, $password)) {
 
 				$result['success'] = "signin";
 
@@ -205,24 +198,18 @@ function signup() {
 
 			$result = array();
 
-			$email       = $this->input->post('email');
-			$password    = $this->input->post('password');
-			$name        = $this->input->post('name');
-			$firstname   = $this->input->post('firstname');
-			$country     = $this->input->post('country');
-
 			//If the email isn't already in used
-			if (!$this->user->checkUserEmail($email)) {
+			if (!$this->user->checkUserEmail($this->email)) {
 
 				// Create the account
 				if ($this->user->signup(
-						$email, $password, $name, $firstname,
-						$country)) {
+						$this->email, $this->password, $this->name, $this->firstname,
+						$this->country)) {
 
 					$result['success'] = true;
 
 					//Log the user will create his session and so on
-					$this->user->login($email, $password);
+					$this->user->login($this->email, $this->password);
 
 				}
 
@@ -246,14 +233,12 @@ function askResetPassword() {
 
 		if ($this->expectsPost(array('email'))) {
 
-			$email = $this->input->post('email');
-
 			$result = array();
 
 			//We don't send the token over the network, we just
 			//make sure that a token has been generated.
 			//The token will be transfered in an email.
-			$resetToken = $this->user->askResetPassword($email);
+			$resetToken = $this->user->askResetPassword($this->email);
 
 			if ($resetToken) {
 
@@ -281,12 +266,9 @@ function resetPassword() {
 
 			$result = array();
 
-			$resetToken = $this->input->post('resetToken');
-			$password   = $this->input->post('password');
-
 			//Attempting to reset the password given the token and the
 			//new password
-			if ($this->user->resetPassword($resetToken, $password)) {
+			if ($this->user->resetPassword($this->resetToken, $this->password)) {
 
 				$result['success'] = true;
 			} else {

application/controllers/Measures.php

@@ -125,13 +125,6 @@ public function delete_measure(){
 
 		if($this->expectsPost(array('deleteMeasures'))){
 
-
-					var_dump($this->session->userdata('userId'));
-					var_dump($this->deleteMeasures);
-					var_dump($this->measure->isOwnedBy(
-						$this->deleteMeasures,
-						$this->session->userdata('userId')));
-
 			if (
 				$this->measure->isOwnedBy(
 					$this->deleteMeasures,
@@ -220,7 +213,6 @@ public function edit_watch(){
 
 			$this->constructMeasurePage();
 		}
-		echo "not all posts";
 	}
 
 	/**

application/core/MY_Controller.php

@@ -23,7 +23,7 @@ public function __construct() {
 		$this->_headerData['userIsLoggedIn'] = $this->user->isLoggedIn();
 		$this->_headerData['styleSheets']    = array('main');
 		$this->_headerData['javaScripts']    = array('jquery.min', 'bootstrap.min', 'application', 'MediaElement/mediaelement-and-player.min',
-			'facebook');
+			'facebook', "js.cookie");
 		$this->_headerData['headerClass'] = '';
 
 		if ($this->_needLoggedIn && !$this->user->isLoggedIn()) {
@@ -51,7 +51,7 @@ protected function expectsPost($postNames){
 			}
 
 			//Add the variable in $this
-			$this->{$postName} = $this->input->post($postName);
+			$this->{$postName} = $this->security->xss_clean($this->input->post($postName));
 		}
 
 		return true;

application/views/contact.php

@@ -19,14 +19,14 @@
         <div class="col-md-6 col-md-offset-4">
             <div class="alert alert-success alert-dismissible" role="alert" style="display: none;">
                 <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
-                <span>Thank you for submitting your message. We will answer you as soon as we can. 
+                <span>Thank you for submitting your message. We will answer you as soon as we can.
                     In the meantime, you can check us on <a href="https://twitter.com/ToolwatchApp" title="Twitter">Twitter</a> and <a href="https://instagram.com/toolwatchapp/" title="Instagram">Instagram</a> (we got some really cool watch pictures).</span>
             </div>
             <div class="alert alert-danger alert-dismissible" role="alert" style="display: none;">
                 <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
                 <span>An error occured while sending your contact form. Please try again later.</span>
             </div>
-            <form class="form-horizontal" name="contact">
+            <?php echo form_open('', array('name'=>'contact', 'class'=>'form-horizontal'));?>
                 <div class="form-group">
                     <input type="text" class="form-control" name="name" placeholder="Your name *">
                     <span class="contact-error name-error">This field is required.</span>
@@ -49,4 +49,4 @@
             </form>
         </div>
     </div>
-</div>
+</div>

application/views/header.php

@@ -110,6 +110,18 @@
       console.log("logged");
     });
   }
+
+  $(function($) {
+    // this bit needs to be loaded on every page where an ajax POST may happen
+
+        console.log(Cookies.get('csrf_cookie_name'));
+    $.ajaxSetup({
+        data: {
+            csrf_test_name: Cookies.get('csrf_cookie_name')
+        }
+    });
+  });
+
 </script>
 
 </head>

application/views/measure/dashboard/call-to-action.php

@@ -1,8 +1,8 @@
 <?php if(is_null($statusId) || $statusId == '0')
 {
 
-  echo '<td><a class="submitNewMeasure" data-watch="'.$watchId.'">Measure me!</a>
-    <form method="post" action="/measures/new-measure-for-watch/" name="start-new-measure-'.$watchId.'">
+  echo '<td><a class="submitNewMeasure" data-watch="'.$watchId.'">Measure me!</a>' .
+  form_open('/measures/new-measure-for-watch/', array('name'=>'start-new-measure-'.$watchId)).'
       <input type="hidden" name="watchId" value="'.$watchId.'">
     </form></td>';
 

application/views/measure/dashboard/check-accuracy.php

@@ -1,5 +1,5 @@
 <li><a href="#" class="submitGetAccuracy" data-watch="<?php echo $id; ?>">Check the accuracy</a>
-  <form method="post" action="/measures/get-accuracy/" name="get-accuracy-<?php echo $id; ?>">
+  <?php echo form_open('/measures/get-accuracy/', array('name'=>'get-accuracy-'.$id));?>
     <input type="hidden" name="measureId" value="<?php echo $id; ?>">
     <input type="hidden" name="watchId" value="<?php echo $watchId; ?>">
   </form>

application/views/measure/dashboard/delete-measure.php

@@ -1,6 +1,6 @@
 <li>
     <a href="#" class="submitDeleteMeasures" data-watch="<?php echo $id; ?>">Delete this measure</a>
-    <form method="post" action="/measures/delete_measure" name="delete-measures-<?php echo $id; ?>" class="no-display">
+    <?php echo form_open('/measures/delete_measure/', array('name'=>'delete-measures-'.$id, 'class'=>"no-display"));?>
     <input type="hidden" name="deleteMeasures" value="<?php echo $id; ?>">
     </form>
 </li>

application/views/measure/dashboard/delete-watch.php

@@ -1,5 +1,5 @@
 <li>
     <a href="#" class="submitDeleteWatch" data-watch="<?php echo $watchId; ?>">Delete watch</a>
-    <form method="post" action="/measures/delete_watch" name="delete-watch-<?php echo $watchId; ?>" class="no-display">
+    <?php echo form_open('/measures/delete_watch/', array('name'=>'delete-watch-'.$watchId, 'class'=>"no-display"));?>
     <input type="hidden" name="watchId" value="<?php echo $watchId; ?>"></form>
 </li>

application/views/measure/dashboard/edit-watch.php

@@ -1,5 +1,5 @@
 <li>
     <a href="#" class="submitEditWatch" data-watch="<?php echo $watchId; ?>">Edit watch</a>
-    <form method="post" action="/measures/edit_watch_p" name="edit-watch-<?php echo $watchId; ?>" class="no-display">
+    <?php echo form_open('/measures/edit_watch_p/', array('name'=>'edit-watch-'.$watchId, 'class'=>"no-display"));?>
     <input type="hidden" name="watchId" value="<?php echo $watchId; ?>"></form>
 </li>

application/views/measure/dashboard/start-new-measure.php

@@ -1,5 +1,5 @@
 <li><a class="submitNewMeasure" data-watch="<?php echo $watchId; ?>">Start a new measure</a>
-  <form method="post" action="/measures/new-measure-for-watch/" name="start-new-measure-<?php echo $watchId;?>">
+  <?php echo form_open('/measures/new-measure-for-watch/', array('name'=>'start-new-measure-'.$id));?>
     <input type="hidden" name="watchId" value="<?php echo $watchId;?>">
   </form>
 </li>

application/views/measure/edit-watch.php

@@ -4,7 +4,9 @@
     </div>
     <div class="row">
         <div class="col-md-6 col-md-offset-3">
-            <form class="form-horizontal" action="/measures/edit_watch" method="post" name="editWatch">
+
+          <?php echo form_open('/measures/edit_watch', array('name'=>'editWatch', 'class'=>'form-horizontal'));?>
+
                 <div class="form-group">
                     <label for="brand" class="col-sm-3 control-label">Brand<i>*</i></label>
                     <div class="col-sm-9">

application/views/measure/get-accuracy.php

@@ -7,7 +7,8 @@
     <span id="accuracyHolder"></span>
     <div class="row">
         <div class="col-md-6 col-md-offset-3">
-            <form class="form-horizontal" method="post" name="newAccuracy">
+
+          <?php echo form_open('', array('name'=>'newAccuracy', 'class'=>'form-horizontal'));?>
 
               <select style="display:none" class="form-control" name="watchId">
                     <?php echo '<option value="'.$selectedWatch->watchId.'" selected>'.$selectedWatch->brand.' - '.$selectedWatch->name.'</option>'; ?>

application/views/measure/new-measure.php

@@ -6,7 +6,7 @@
     </div>
     <div class="row">
         <div class="col-md-6 col-md-offset-3">
-            <form class="form-horizontal" method="post" name="newMeasure">
+          <?php echo form_open('', array('name'=>'newMeasure', 'class'=>"form-horizontal"));?>
                 <div class="form-group watch-select">
                     <label for="brand" class="col-sm-4 control-label">Select your watch </label>
                     <div class="col-sm-8">

application/views/measure/new-watch.php

@@ -6,7 +6,9 @@
     </div>
     <div class="row">
         <div class="col-md-6 col-md-offset-3">
-            <form class="form-horizontal" action="/measures/add_watch" method="post" name="addWatch">
+
+<?php echo form_open('/measures/add_watch', array('name'=>'addWatch', 'class'=>'form-horizontal'));?>
+
                 <div class="form-group">
                     <label for="brand" class="col-sm-3 control-label">Brand <i>*</i></label>
                     <div class="col-sm-9">

application/views/modal/login.php

@@ -9,7 +9,7 @@
    <span id="fb_error" class="signup-error login-error"></span>
 </div>
 
-<form method="post" name="login">
+<?php echo form_open('', array('name'=>'login'));?>
 
     <div class="form-group">
        <strong class="line-thru"></strong>

application/views/modal/reset-password.php

@@ -1,4 +1,5 @@
-<form method="post" name="askResetPassword">
+  <?php echo form_open('', array('name'=>'askResetPassword'));?>
+
     <div class="form-group">
 		<h1>Reset password</h1>
 	</div>
@@ -18,5 +19,5 @@
     </fieldset>
 	<div class="form-group">
 		  <center>Oops! I remember it now... <br>So, <a data-modal-update="true" data-href="/login/">log me in!</a></center>
-	</div>  
-</form>
+	</div>
+</form>

application/views/modal/sign-up.php

@@ -2,7 +2,7 @@
    <center><button onclick="fb_login();" class="btn btn-primary btn-lg btn-spinner btn-full">Sign up with Facebook<i class="fa fa-spinner fa-pulse"></i></button></center>
    <span id="fb_error" class="signup-error login-error"></span>
 </div>
-<form method="post" name="signup">
+<?php echo form_open('', array('name'=>'signup'));?>
     <div class="form-group">
        <strong class="line-thru">or</strong>
     </div>

application/views/reset-password.php

@@ -5,7 +5,8 @@
     <div class="row">
         <div class="col-md-12">
             <center>
-                <form method="post" class="col-md-6 col-md-offset-3" name="resetPassword">
+
+              <?php echo form_open('', array('name'=>'resetPassword', 'class'=>'col-md-6 col-md-offset-3'));?>
                     <div class="alert alert-danger alert-dismissible" role="alert" style="display: none";>
                         <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
                         <span>We cannot reset the password for this token (<?php echo $resetToken;?>). Please, check the link you received or ask a reset again.</span>
@@ -32,4 +33,4 @@
             </center>
         </div>
     </div>
-</div>
+</div>