From b92f7c10547733328dffd36c4a7577343670ce11 Mon Sep 17 00:00:00 2001
From: Felix Ivo
Date: Mon, 30 Jun 2025 10:35:03 +0200
Subject: [PATCH] sanitized login form

---
 Controller/UserController.php | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/Controller/UserController.php b/Controller/UserController.php
index 04e8ec3..37e6843 100644
--- a/Controller/UserController.php
+++ b/Controller/UserController.php
@@ -20,7 +20,7 @@ class UserController
 public function loginUser()
 {
 $erg = array();
- $erg = $this->userModel->loginUser($_POST["username"], $_POST["password"]);
+ $erg = $this->userModel->loginUser($this->sanitize($_POST["username"]), $this->sanitize($_POST["password"]) );
 if ($erg["success"] == true) {
 header("Location: ?controller=Welcome&do=showWelcome");
 exit();
@@ -46,7 +46,7 @@ class UserController
 public function registerUser()
 {
 $erg = array();
- $erg = $this->userModel->registerUser($_POST["username"], $_POST["password"]);
+ $erg = $this->userModel->registerUser($this->sanitize($_POST["username"]), $this->sanitize($_POST["password"]) );
 if ($erg["success"] == true) {
 header("Location: ?controller=User&do=showUserLoginForm");
 exit();
@@ -54,10 +54,10 @@ class UserController
 else {
 $this->view->setDoMethodName("showUserRegisterForm");
- $message = $erg['message'];
+ $message = $this->sanitize($erg['message']);
 echo "";
 $this->view->setVars([
- "errmsg" => $erg["message"]
+ "errmsg" => $message
 ]);
 $this->showUserRegisterForm();
 }
@@ -73,6 +73,7 @@ class UserController
 }
-
-
+ function sanitize($data, $flags = ENT_QUOTES, $encoding = 'UTF-8') {
+ return htmlspecialchars((string)$data, $flags, $encoding);
+ }
 }
\ No newline at end of file
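Review bot: Passing the password through `htmlspecialchars()` before `loginUser()` alters the credential instead of validating it: a password containing `&`, `<`, `>`, `"` or `'` is no longer the string the user typed, so accounts registered before this commit with such characters can no longer log in, and because plain `ENT_QUOTES` is used, an invalid UTF-8 byte sequence makes `htmlspecialchars()` return an empty string, which the model then receives as the password. HTML encoding is an output concern for the view; the model call should receive the raw value, with any query parameterisation done inside the model (outside this hunk). What the new line still lacks is presence and type handling: `$_POST["username"]` raises an undefined-key warning when absent and `(string)` on an array value yields the literal `Array`, so something like `$username = $_POST['username'] ?? ''; $password = $_POST['password'] ?? ''; $erg = $this->userModel->loginUser(is_string($username) ? $username : '', is_string($password) ? $password : '');` is the check to add. The same defect is in the `registerUser()` hunk at -46, where the encoded password would additionally be what gets stored. Both method bodies continue past their hunks.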
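Review bot: Encoding `$erg['message']` in the controller binds the message to an HTML context before the view sees it; if the template that renders `errmsg` also escapes its variables (not visible here) the user sees double-encoded text such as `&amp;quot;`, and if it does not, every other value passed through `setVars()` remains unescaped anyway. Keep a single escaping point in the template and pass the raw message, `"errmsg" => $erg['message']`, so the `$message` temporary is not needed. The `echo "";` on the following line is a no-op left over from debugging and can be dropped. The enclosing `registerUser()` method starts before this hunk.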
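Review bot: `sanitize()` is declared without a visibility modifier or type declarations, so it is public by default and accepts any value, and its `ENT_QUOTES` default makes `htmlspecialchars()` return an empty string on invalid UTF-8 input rather than substituting the bad sequence. A typed signature with `ENT_SUBSTITUTE`, `private function sanitize(string $data, int $flags = ENT_QUOTES | ENT_SUBSTITUTE, string $encoding = 'UTF-8'): string`, fixes both (keep it public only if callers outside the class need it). The name also overstates what the helper does: it is an HTML output encoder, not an input sanitizer, and a one-line docblock such as `/** Encodes a value for an HTML context; not for storage or credential comparison. */` would discourage the reuse seen in the `loginUser()` and `registerUser()` hunks. The file still ends without a trailing newline.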