
Feat/force validation #603

Open
wants to merge 24 commits into
base: improve/variantCreationForm

Conversation

loeswerkman
Collaborator

In this branch, the $_SESSION['VV']['validated_variants'] array is added and used to store all validated variants from the submission dialogue. This array is then used in checkFields() at POST to ensure that all variants in the submission form were indeed validated.

Related to #588

If values are empty after a successful call to VariantValidator, the onChange of these fields was originally removed to stop changes to these fields resulting in a complete reset. However, the complete reset has been removed with this branch, so the onChanges can be kept.

The original message was outdated since the onChange of the empty fields is no longer deactivated.

We now add checks to find out if all expected $_REQUEST variables were really set. If not, we will exit the script or set the values as empty.
Member

@ifokkema ifokkema left a comment


Some changes are needed, I also found one XSS vulnerability that needs to be fixed.

src/ajax/check_hgvs_dialogue.php (review thread, outdated, resolved)
src/ajax/check_hgvs_dialogue.php (review thread, outdated, resolved)
src/class/object_genome_variants.php (review thread, outdated, resolved)
// This field's variant was not fully validated! It should
// not be sent to the database. Let's add an error.
lovd_errorAdd($sField,
    'The variant ' . $sVariant . ' did not pass our checks. Please take another look and try again.');
Member


The variable $sVariant isn't cleaned here, so shouldn't be sent out to the browser without cleaning (XSS vulnerability).

From now on, we always remove the reference sequence from the variant that is saved in the $_SESSION['VV']['validated_variants'] array.

Note that we then also need to ensure that reference sequences are not kept within the DNA fields!
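As an added illustration, not code from the LOVD project or from this PR, the following sketch shows the mechanism the PR description outlines (a session array of validated variants, checked again at POST in checkFields()), the reference-sequence stripping from the last commit message, and the output escaping the review asks for on the error message. Function names, the field names and the sample values are assumptions made for the example; only $_SESSION['VV']['validated_variants'] and lovd_errorAdd's two-argument shape come from the page.

```php
<?php
// Added example, not LOVD code. Models the validated-variants session check
// with plain arrays passed in, so it runs without a web server or session.

function stripReferenceSequence(string $sVariant): string
{
    // Assumed convention: "NM_000001.1:c.100A>G" -> "c.100A>G".
    // A variant without a reference-sequence prefix is returned unchanged.
    $nPos = strpos($sVariant, ':');
    return ($nPos === false ? $sVariant : substr($sVariant, $nPos + 1));
}

function recordValidatedVariant(array &$aSession, string $sVariant): void
{
    // Called only after VariantValidator accepted the variant; the reference
    // sequence is dropped before storing, as the commit message describes.
    $aSession['VV']['validated_variants'][stripReferenceSequence($sVariant)] = true;
}

function checkFields(array $aSession, array $aRequest, array $aDnaFields, array &$aErrors): bool
{
    // Re-check at POST: every DNA field submitted must match a variant that
    // was validated earlier in the dialogue. Anything else is rejected.
    $aValidated = $aSession['VV']['validated_variants'] ?? [];
    $bOK = true;

    foreach ($aDnaFields as $sField) {
        // Fail closed when an expected request variable is absent.
        if (!isset($aRequest[$sField])) {
            $aErrors[$sField] = 'Missing value for this field.';
            $bOK = false;
            continue;
        }

        $sVariant = stripReferenceSequence((string) $aRequest[$sField]);
        if (!isset($aValidated[$sVariant])) {
            // The review's XSS point: $sVariant is user input and is echoed back
            // in the page, so it is HTML-escaped before it goes into the message.
            $aErrors[$sField] = 'The variant '
                . htmlspecialchars($sVariant, ENT_QUOTES, 'UTF-8')
                . ' did not pass our checks. Please take another look and try again.';
            $bOK = false;
        }
    }
    return $bOK;
}

// Constructed sample data: one variant was validated in the dialogue, the
// second submitted value was not and carries markup that must not be echoed raw.
$aSession = [];
recordValidatedVariant($aSession, 'NM_000001.1:c.100A>G');

$aDnaFields = ['VariantOnTranscript/DNA', 'VariantOnGenome/DNA']; // assumed field names
$aRequest = [
    'VariantOnTranscript/DNA' => 'c.100A>G',
    'VariantOnGenome/DNA'     => 'g.200A>T<script>alert(1)</script>',
];
$aErrors = [];
$bPassed = checkFields($aSession, $aRequest, $aDnaFields, $aErrors);

var_dump($bPassed);
print_r($aErrors);
```

Keying the session array on the stripped variant means the POST-time comparison is insensitive to whether the form still carried the reference sequence, which is the consistency the last commit message asks for; in the real code path the message would go through lovd_errorAdd() rather than into a local array.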