消息系统使用相同的功能来发送和回复消息。一个用户向另一个用户发送消息:“只需测试£69 $ 100 @ ha”。消息包含text,php和html。 PHP被CI xss_clean剥离,html被系统阻止/替换。它被发送没有错误。其他用户收到它,打开它并尝试回复47个字符的纯文本。 CI表单验证类阻止它并显示错误:主题必须小于1000个字符。第一个也是最重要的问题是它不应该触发验证错误。其次CI形式val。主题设置为最大30个字符,并且消息设置为最多1000个字符 - 因此错误消息也不正确。我的预感是该主题中的一个角色正在扰乱CI形式。但是在发送原始邮件时它并没有让它失望!知道这里发生了什么吗?
以下是表单中的相关代码;
<form name="sendmessage" method="POST" action="<? echo base_url(); ?>user/messaging/sendmessage/">
<input type="hidden" name="<?php echo $this->security->get_csrf_token_name(); ?>" value="<?php echo $this->security->get_csrf_hash(); ?>" />
<input type="hidden" name="recipiant" value="<? echo $message['mem_msg_from_id']; ?>" />
<input type="hidden" name="thread" value="<? echo $message['mem_msg_thread_id']; ?>" />
<? if(substr($message['mem_msg_subject'],3) == 'Re:'){$subject = $message['mem_msg_subject'];}else{$subject = 'Re: ' . $message['mem_msg_subject'];} ?>
<input type="hidden" name="subject" value="<? echo ucfirst($subject); ?>">
这是控制器代码;
public function sendmessage(){
if($this->input->is_ajax_request()){ // ajax request only
$subject = $this->input->post('subject',TRUE);
$message = $this->input->post('message',TRUE);
$recipiant = $this->input->post('recipiant',TRUE);
$thread_id = $this->input->post('thread',TRUE);
$subject_val = $this->form_validation->set_rules('subject', 'Subject', 'required|min_length[3]|max_length[30]');
$subject_req_error = $this->form_validation->set_message('required', 'A %s is required!');
$subject_min_error = $this->form_validation->set_message('min_length', '%s must be at least 3 characters!');
$subject_max_error = $this->form_validation->set_message('max_length', '%s must be under 30 characters!');
$message_val = $this->form_validation->set_rules('message', 'Message', 'required|min_length[5]|max_length[1000]');
$message_req_error = $this->form_validation->set_message('required', 'A %s is required!');
$message_min_error = $this->form_validation->set_message('min_length', '%s must be at least 5 characters!');
$message_max_error = $this->form_validation->set_message('max_length', '%s must be under 1000 characters!');
$this->form_validation->set_error_delimiters('<div class="pull-left">',' </div><br>');
if ($this->form_validation->run() == FALSE){ // FAILED TRY AGAIN
echo '<div style="font-weight: bold; color: red;">' . form_error('subject') . form_error('message') . '</div>';
}else{ // ALL SEEMS TO BE IN ORDER HERE
// clean it up a bit
$subject = str_replace('<', '', $subject);
$subject = str_replace('>', '' , $subject);
$subject = auto_link($subject, 'both', TRUE);
$message = str_replace('<', '', $message);
$message = str_replace('>', '' , $message);
$message = auto_link($message, 'both', TRUE);
// stick it in the database
$db = $this->user_messaging_model->sendMessage($this->userinfo['user_id'], $recipiant, $subject, $message, $thread_id);
echo 'sent';
}
}
}
答案 0 :(得分:0)
您正在覆盖为规则分配的消息。
请注意$this->form_validation->set_message按规则运作。不是,按规则每个字段。因此,当您第二次设置$this->form_validation->set_message('max_length'...时,它会覆盖分配给“max_length”要求的初始消息。
一般情况下,您不需要为这些设置消息,codeigniter本身会根据您的要求生成一个不错的错误消息。
在我的工作流程中,我通常使用set_message函数来生成我们在表单字段上执行的自定义回调验证的消息。