Merge pull request #249 from statikbe/issue-145

#145 implement twig tests to validate if a query or id is valid

modules/statik/src/Statik.php

@@ -22,6 +22,7 @@
 use modules\statik\web\twig\HyperExtension;
 use modules\statik\web\twig\HyphenateExtension;
 use modules\statik\web\twig\PaginateExtension;
+use modules\statik\web\twig\ValidateInputExtension;
 use modules\statik\web\twig\StatikExtension;
 use modules\statik\web\twig\IconExtension;
 use verbb\formie\events\RegisterFieldsEvent;
@@ -105,6 +106,7 @@ public function init(): void
         // Register our Twig extensions
         Craft::$app->view->registerTwigExtension(new IconExtension());
         Craft::$app->view->registerTwigExtension(new HyperExtension());
+        Craft::$app->view->registerTwigExtension(new ValidateInputExtension());
         Craft::$app->view->registerTwigExtension(new HyphenateExtension());
         Craft::$app->view->registerTwigExtension(new StatikExtension());
         Craft::$app->view->registerTwigExtension(new PaginateExtension());

modules/statik/src/web/twig/ValidateInputExtension.php

@@ -0,0 +1,62 @@
+<?php
+
+namespace modules\statik\web\twig;
+
+use Twig\Extension\AbstractExtension;
+use Twig\TwigTest;
+
+use function is_numeric;
+
+class ValidateInputExtension extends AbstractExtension
+{
+    private const COMMON_QUERY_CHARACTERS_REGEX = "/^[a-zA-Z0-9.!?'\"]+$/";
+
+    public function getTests(): array
+    {
+        return [
+            new TwigTest('valid_id', [$this, 'validateIdInput']),
+            new TwigTest('valid_query', [$this, 'validateQueryInput']),
+        ];
+    }
+
+    // Validates a string representing an id or an array of strings representing ids
+    public function validateIdInput(null|array|string $input): bool
+    {
+        if ($input === null) {
+            return false;
+        }
+
+        if(!is_array($input)) {
+            return is_numeric($input);
+        }
+
+        foreach($input as $value) {
+            if (!$this->validateIdInput($value)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    // Validates that query string or array of query strings only contains valid characters
+    public function validateQueryInput(null|array|string $input): bool
+    {
+        if ($input === null) {
+            return false;
+        }
+
+        if (!is_array($input)) {
+            return preg_match(self::COMMON_QUERY_CHARACTERS_REGEX, $input);
+        }
+
+        foreach($input as $value) {
+            if (!$this->validateQueryInput($value)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+}

templates/_site/_searchResults.twig

@@ -5,6 +5,7 @@
 {% block content %}
 
     {% set q = craft.app.request.getParam('q') %}
+    {% set q = q is valid_query ? q : '' %}
 
     {% embed "_site/_snippet/_content/_defaultHeader" %}
         {% block headerText %}
@@ -21,7 +22,7 @@
         <div class="container">
             <div class="w-full md:w-2/3">
                 <div class="p-6 bg-light">
-                    {% include '_site/_snippet/_global/_search' with {showInline: true, filledInValue: q ?? false} %}
+                    {% include '_site/_snippet/_global/_search' with {showInline: true, filledInValue: q|length ? q : false} %}
                 </div>
             </div>
         </div>

templates/jsPlugins/filter.twig

@@ -19,7 +19,7 @@
             <label for="{{ category.id }}">{{ category.title }}</label>
             {% if category.children|length %}
                 <button type="button" class="ml-auto cursor-pointer ie-hidden js-indeterminate-toggle">
-                    {{ icon('chevron-down') }} 
+                    {{ icon('chevron-down') }}
                     <span class="sr-only">{{ 'Options'|t }}
                         {{ category.title }}</span>
                 </button>
@@ -41,7 +41,9 @@
     {% set relationParam = ['and'] %}
 
     {% set searchQuery = craft.app.request.getParam('search') %}
+    {% set searchQuery = searchQuery is valid_query ? searchQuery : '' %}
     {% set catQuery = craft.app.request.getParam('category') %}
+    {% set catQuery = catQuery is valid_id ? catQuery : [ ] %}
 
     {% if catQuery %}
         {% set relationParam = relationParam|merge([{ targetElement: catQuery }]) %}
@@ -81,7 +83,7 @@
                             <a href="#" class="js-filter-mobile-toggle">
                                 {# This element will get the class 'open' when the filter is open #}
                                 {{ 'Filter results'|t }}
-                                {{ icon('chevron-down') }} 
+                                {{ icon('chevron-down') }}
                             </a>
                         </div>
                         <div class="js-filter-mobile-collapse">
@@ -179,7 +181,7 @@
                                         {% for category in categories.id(catQuery).all() %}
                                             <span class="flex items-center px-2 mb-2 mr-2 text-sm font-light text-white capitalize rounded-full bg-primary">{{ category.title }}
                                                 <button type="button" class="flex items-center justify-center w-4 h-4 ml-2 text-black ie-hidden js-clear-filter-element" data-filter-elements='[{"name": "category[]","value": "{{ category.id }}"}]'>
-                                                    {{ icon('clear') }} 
+                                                    {{ icon('clear') }}
                                                     <span class="sr-only">{{ "Verwijder filter "|t }} {{ category.title }}</span>
                                                 </button>
                                             </span>