Questions on web-link field in Media tab

ppfoong
Veteran Member
Posts: 46
Joined: 2021-07-13 16:46

Questions on web-link field in Media tab

Post by ppfoong » 2024-09-16 11:05

When we set a field as a web-link...

1. Is there a ready function in AppGini to ensure the field content is a valid URL (i.e. begins with http:// or https:// followed by a domain name)?
Reference: https://www.w3schools.com/php/filter_validate_url.asp

2. Is there a ready function to prevent it from accessing back to local content, as a security measure? (i.e. the URL cannot be localhost, or 127.0.0.1, or my website domain name, or my website public address, ...)

3. Is there a ready function to ensure the URL is a working one? Such as the checking function provided in this article https://www.geeksforgeeks.org/how-to-ch ... rl-in-php/

4. Is there a ready function to prevent it from being malicious?
Reference: https://www.w3schools.com/php/filter_sanitize_url.asp
also to filter out substrings such as "/bin/sh", ".exe", ".sh", ...

Thanks.

ppfoong
Veteran Member
Posts: 46
Joined: 2021-07-13 16:46

Re: Questions on web-link field in Media tab

Post by ppfoong » 2024-09-16 15:01

It seems that there is no such function in AppGini now, and I have created the following to do the URL checking:

Code:

	// Returns TRUE if $haystack contains at least one of the strings in $needles.
	function str_contains_any(string $haystack, array $needles): bool {
		return array_reduce($needles, fn($a, $n) => $a || str_contains($haystack, $n), false);
	}

	function checkURL($url) {
		global $Translation; // AppGini's translation array is a global and is not visible inside a function without this

		$url = filter_var($url, FILTER_SANITIZE_URL);
		$validURL = FALSE;
		if (filter_var($url, FILTER_VALIDATE_URL)) {
			// reject URLs that point back at this server (loopback names/addresses or our own host)
			if (!str_contains_any($url, ['localhost', '127.0.0.1', '0:0:0:0:0:0:0:1', '::1', $_SERVER['HTTP_HOST'], $_SERVER['SERVER_NAME'], $_SERVER['SERVER_ADDR']])) {
				$validURL = TRUE;
			}
		}
		if ($validURL === FALSE) {
			echo StyleSheet() . "\n\n<div class=\"alert alert-danger\">{$Translation['error:']} 'URL': {$Translation['invalid url']}<br><br>";
			echo '<a href="" onclick="history.go(-1); return false;">' . $Translation['< back'] . '</a></div>';
			exit;
		}
		// reachability check: fetch the response headers and look for a 200 in the status line
		$headers = @get_headers($url);
		if ($headers && strpos($headers[0], '200') !== false) {
			// URL exists
			return $url;
		} else {
			echo StyleSheet() . "\n\n<div class=\"alert alert-danger\">{$Translation['error:']} 'URL': URL does not exist.<br><br>";
			echo '<a href="" onclick="history.go(-1); return false;">' . $Translation['< back'] . '</a></div>';
			exit;
		}
	}

The above function is used in before insert section:

Code:

	function homepage_before_insert(&$data, $memberInfo, &$args) {
		$data['url'] = checkURL($data['url']);
		return TRUE;
	}

I want to have the same effect of AppGini in handling "field not null" error, which is to display the error message, highlight the field, and focus on the field for correction.

However, when I put "exit" in the above code, it will just display the error message and terminate there.

If I replace the 2 "exit" in the code above with "return", the result is also not what I wanted.

Do I need to add some code in the AppGini.Validation part in common.js?

If I change the code in common.js, will my code be overwritten during the next AppGini code generation?

ppfoong
Veteran Member
Posts: 46
Joined: 2021-07-13 16:46

Re: Questions on web-link field in Media tab

Post by ppfoong » 2024-09-17 16:00

My current temporary workaround without touching common.js:

This is not ideal because it will abandon the saving when the URL field is unacceptable. The user will need to redo the entire process instead of correcting the URL field and resubmitting.

Hopefully I can get a better solution here.

Code:

	// Returns TRUE if $haystack contains at least one of the strings in $needles.
	function str_contains_any(string $haystack, array $needles): bool {
		return array_reduce($needles, fn($a, $n) => $a || str_contains($haystack, $n), false);
	}

	// Validates $url in place; on failure puts a message in $args['error_message']
	// and returns FALSE so the before_insert/before_update hook can abort the save.
	function checkURL(&$url, &$args) {
		$url = filter_var($url, FILTER_SANITIZE_URL);
		$validURL = FALSE;
		if (filter_var($url, FILTER_VALIDATE_URL)) {
			// reject URLs that point back at this server (loopback names/addresses or our own host)
			if (!str_contains_any($url, ['localhost', '127.0.0.1', '0:0:0:0:0:0:0:1', '::1', $_SERVER['HTTP_HOST'], $_SERVER['SERVER_NAME'], $_SERVER['SERVER_ADDR']])) {
				$validURL = TRUE;
			}
		}
		if (!$validURL) {
			$args['error_message'] = "Error: 'URL': Invalid URL [" . $url . "].";
			return FALSE;
		}
		// reachability check: fetch the response headers and look for a 200 in the status line
		$headers = @get_headers($url);
		if ($headers && strpos($headers[0], '200') !== false) {
			// URL exists
			return TRUE;
		} else {
			$args['error_message'] = "Error: 'URL': URL [" . $url . "] does not exist or is not accessible.";
			return FALSE;
		}
	}

Code:

	function homepage_before_insert(&$data, $memberInfo, &$args) {
		return checkURL($data['url'], $args);
	}

Code:

	function homepage_before_update(&$data, $memberInfo, &$args) {
		return checkURL($data['url'], $args);
	}
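For readers adapting the checks in this thread, here is an added example (not ppfoong's code and not part of AppGini) of a stricter version of the same idea. Instead of looking for substrings such as "localhost" or "127.0.0.1" in the URL text, it parses the URL, allows only http and https, resolves the host, and rejects any address in a loopback, private, link-local or reserved range, or equal to this server's own address; the reachability check then sends a HEAD request without following redirects, so the only host contacted is the one that was just vetted. It uses the hook signature and the `$args['error_message']` convention shown in the thread; the names `check_public_url()`, `resolve_host()`, `is_public_ip()` and `http_status()` are chosen here, and, like the thread's own code, it relies on PHP 8 string functions.

```php
<?php
// Added example, not ppfoong's code and not part of AppGini: a stricter
// check for a web-link field. The hook name homepage_before_insert and the
// $args['error_message'] convention follow the thread; check_public_url(),
// resolve_host(), is_public_ip() and http_status() are names chosen here.

// True only for a globally routable address: PHP's flags reject the private
// (10/8, 172.16/12, 192.168/16, fc00::/7) and reserved (0/8, 127/8,
// 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10) ranges.
function is_public_ip(string $ip): bool {
	return filter_var($ip, FILTER_VALIDATE_IP,
		FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// All A and AAAA addresses a host resolves to; a literal IP is returned as is.
function resolve_host(string $host): array {
	if (filter_var($host, FILTER_VALIDATE_IP) !== false) return [$host];
	$ips = gethostbynamel($host) ?: [];
	foreach (@dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
		if (isset($rec['ipv6'])) $ips[] = $rec['ipv6'];
	}
	return array_values(array_unique($ips));
}

// HTTP status code of a HEAD request, or null if nothing answered.
// Redirects are not followed, so the host vetted by the caller is the
// only host this call contacts.
function http_status(string $url): ?int {
	$ctx = stream_context_create(['http' => [
		'method' => 'HEAD', 'follow_location' => 0, 'timeout' => 5,
	]]);
	$headers = @get_headers($url, false, $ctx);
	if (!$headers || !preg_match('#^HTTP/\S+\s+(\d{3})#', $headers[0], $m)) return null;
	return (int) $m[1];
}

// Replacement for checkURL(): validates, blocks non-public and
// self-referencing targets, then checks reachability. Any failure leaves a
// message in $args['error_message'] and returns false so the hook aborts the save.
function check_public_url(&$url, array &$args): bool {
	$url = trim((string) $url);
	$parts = filter_var($url, FILTER_VALIDATE_URL) ? parse_url($url) : false;
	if ($parts === false || empty($parts['host'])) {
		$args['error_message'] = "Error: 'URL': not a valid URL.";
		return false;
	}
	if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
		$args['error_message'] = "Error: 'URL': only http:// and https:// links are accepted.";
		return false;
	}
	if (isset($parts['user']) || isset($parts['pass'])) {
		$args['error_message'] = "Error: 'URL': credentials embedded in the URL are not accepted.";
		return false;
	}
	$host = strtolower(trim($parts['host'], '[]')); // parse_url keeps IPv6 brackets
	// this server's own names, with any :port suffix removed
	$self = array_map(fn($h) => strtolower(explode(':', $h)[0]),
		array_filter([$_SERVER['SERVER_NAME'] ?? '', $_SERVER['HTTP_HOST'] ?? '']));
	if ($host === 'localhost' || str_ends_with($host, '.localhost') || in_array($host, $self, true)) {
		$args['error_message'] = "Error: 'URL': links back to this server are not accepted.";
		return false;
	}
	$ips = resolve_host($host);
	if ($ips === []) {
		$args['error_message'] = "Error: 'URL': host [$host] could not be resolved.";
		return false;
	}
	foreach ($ips as $ip) {
		if (!is_public_ip($ip) || $ip === ($_SERVER['SERVER_ADDR'] ?? null)) {
			$args['error_message'] = "Error: 'URL': host [$host] resolves to a non-public address [$ip].";
			return false;
		}
	}
	$status = http_status($url);
	if ($status === null || $status < 200 || $status > 299) {
		$args['error_message'] = "Error: 'URL': [$url] did not answer with a 2xx status"
			. ($status === null ? '.' : " (got $status).");
		return false;
	}
	return true;
}

function homepage_before_insert(&$data, $memberInfo, &$args) {
	return check_public_url($data['url'], $args);
}
```

Two limits worth knowing when using this pattern: the resolve step and the later HEAD request are separate DNS lookups, so a name whose answer changes between them (DNS rebinding) can still slip through unless the fetch is pinned to the vetted address; and PHP's two filter flags do not cover every non-public range (the shared address space 100.64.0.0/10, for instance), so an environment that uses such ranges needs an explicit extra check in `is_public_ip()`. Because redirects are not followed, a link that answers with a 3xx is reported with its status rather than silently accepted; the user can then enter the destination URL directly.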
