feat: sanitize client name input to allow only letters, numbers, underscores, and dashes

infosave2007
2025-11-08 13:56:11 +03:00
parent 2bd7b58843
commit 05c4eaa805
2 changed files with 22 additions and 1 deletions
+4
@@ -40,6 +40,10 @@ class VpnClient {
public static function create(int $serverId, int $userId, string $name, ?int $expiresInDays = null): int { public static function create(int $serverId, int $userId, string $name, ?int $expiresInDays = null): int {
$pdo = DB::conn(); $pdo = DB::conn();
// Sanitize client name (replace spaces and special characters)
$name = trim($name);
$name = preg_replace('/[^a-zA-Z0-9_-]/', '_', $name);
// Get server data // Get server data
$server = new VpnServer($serverId); $server = new VpnServer($serverId);
$serverData = $server->getData(); $serverData = $server->getData();
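Review bot: The sanitized name in `create` can still be empty or start with a dash, because the `preg_replace` on the third added line rewrites characters but never rejects the result: a name made only of spaces or punctuation becomes `""` or `"___"`, and `-foo` passes through untouched. If the name later reaches a file path or a CLI argument (not visible in this hunk — worth confirming), a leading `-` is the classic argument-injection shape, and the HTML `required` attribute is client-side only, so add a server-side check after the replacement, e.g. `if ($name === '' || $name[0] === '-') { throw new \InvalidArgumentException('Client name must be non-empty and must not start with a dash'); }`. Without the `u` modifier every byte of a multibyte character becomes its own underscore, so two distinct non-ASCII names can collapse to the same string; whether that collides with an existing uniqueness check depends on code past the hunk. A comment such as `// Sanitized, not validated: rejects nothing, so check emptiness/length after this` would make the limitation explicit. The body of `create` continues outside the hunk.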
+18 -1
@@ -23,7 +23,10 @@
<div class="bg-white rounded shadow p-6"> <div class="bg-white rounded shadow p-6">
<h3 class="font-bold mb-4">{{ t('clients.create') }}</h3> <h3 class="font-bold mb-4">{{ t('clients.create') }}</h3>
<form method="POST" action="/servers/{{ server.id }}/clients/create" class="space-y-3" id="createClientForm"> <form method="POST" action="/servers/{{ server.id }}/clients/create" class="space-y-3" id="createClientForm">
<input name="name" placeholder="{{ t('clients.name') }}" required class="w-full px-3 py-2 border rounded" id="clientName"> <div>
<input name="name" placeholder="{{ t('clients.name') }}" required class="w-full px-3 py-2 border rounded" id="clientName" pattern="[a-zA-Z0-9_-]+" title="Only letters, numbers, underscore and dash allowed">
<p class="text-xs text-gray-500 mt-1">Spaces and special characters will be replaced with underscore</p>
</div>
<div> <div>
<label class="block text-sm text-gray-600 mb-1">{{ t('clients.expiration') }}</label> <label class="block text-sm text-gray-600 mb-1">{{ t('clients.expiration') }}</label>
<select name="expires_in_days" class="w-full px-3 py-2 border rounded mb-2" id="expirationSelect" onchange="toggleExpirationInput()"> <select name="expires_in_days" class="w-full px-3 py-2 border rounded mb-2" id="expirationSelect" onchange="toggleExpirationInput()">
@@ -224,6 +227,20 @@ function toggleTrafficInput() {
document.addEventListener('DOMContentLoaded', function() { document.addEventListener('DOMContentLoaded', function() {
const form = document.getElementById('createClientForm'); const form = document.getElementById('createClientForm');
const clientNameInput = document.getElementById('clientName');
// Auto-sanitize client name on input
if (clientNameInput) {
clientNameInput.addEventListener('input', function(e) {
// Replace spaces and special characters with underscore
let value = e.target.value;
let sanitized = value.replace(/[^a-zA-Z0-9_-]/g, '_');
if (value !== sanitized) {
e.target.value = sanitized;
}
});
}
if (form) { if (form) {
form.addEventListener('submit', function(e) { form.addEventListener('submit', function(e) {
const btn = document.getElementById('createClientBtn'); const btn = document.getElementById('createClientBtn');
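Review bot: The helper text and the `title` attribute added to the name input in the first hunk are hardcoded English while every sibling label in this form goes through `t('clients.…')`, so they will not be translated; move them to keys such as `t('clients.name_hint')` and `t('clients.name_pattern_title')`. The helper text also promises replacement, but when the script is not running the `pattern` attribute makes the browser reject the form instead, so the wording only describes the JS path. Neither `pattern` nor the input listener in the second hunk is a security control — the server-side `preg_replace` in `VpnClient::create` is what governs — so the two regexes must stay in sync, and a comment above the listener saying `// Mirrors the server-side rule in VpnClient::create; server validation is authoritative` would keep a future edit from diverging. Assigning `e.target.value` on every keystroke moves the caret to the end when the user edits mid-string; saving and restoring `selectionStart` around the assignment avoids that.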