UX and Security Fixes

Changed the “Add to Slack“ button to a “Request Slack Invite” button. Also patched contact form to prevent HTML injection in the response after sending a message. Closes #50
Geneonosis · Sep 15, 2017 · 8b3e41a · 8b3e41a
1 parent 2b09e31
commit 8b3e41a
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 19 deletions.
diff --git a/contact.php b/contact.php
@@ -30,7 +30,7 @@
 		<script type="text/javascript">
 			$(document).ready(function(){
 				<?php
-					if(isset($_GET['stat'])){
+					if(isset($_GET['message_stat'])){
 						echo('$("#stat-modal").modal("show");');
 					}
 				?>
@@ -40,24 +40,38 @@
 	<body>
 		<?php
 			require('common/menu.php');
+			$message_stat = '';
+			$message_stat_title = '';
+			if(isset($_GET['message_stat'])){
+				if($_GET['message_stat'] == 1){
+					$message_stat_title = 'Thanks';
+					$message_stat = 'Your message has successfully been sent';
+				}
+				else if($_GET['message_stat'] == 2){
+					$message_stat_title = 'Error';
+					$message_stat = 'Error: message failed to send';
+				}
+				else{
+					$message_stat_title = 'Error';
+					$message_stat = 'Message Status: unknown';
+				}
+			}
 		?>
 		<div class="modal fade" id="stat-modal" role="dialog">
 			<div class="modal-dialog">
 				<div class="modal-content">
 					<div class="modal-header">
 						<div type="button" class="close" data-dismiss="modal">&times;</div>
 						<h4 class="modal-title">
-							Thanks
+							<?php
+								echo(htmlentities($message_stat_title));
+							?>
 						</h4>
 					</div>
 					<div class="modal-body">
 						<p>
 							<?php
-								$stat = '';
-								if(isset($_GET['stat'])){
-									$stat = rawurldecode($_GET['stat']);
-								}
-								echo(htmlentities($stat));
+								echo(htmlentities($message_stat));
 							?>
 						</p>
 					</div>
@@ -83,8 +97,8 @@
 									</p>
 								</div>
 								<div class="col-sm-4" style="text-align:center;">
-									<a href="http://acm-utsa.slack.com">
-										<input type="image" src="images/icons/add-to-slack.png" class="slack-button"/>
+									<a class="link" href="slack_invite" target="_blank">
+										<input type="button" style="outline-style: none;" value="Request Slack Invite" />
 									</a>
 								</div>
 							</div>

diff --git a/index.php b/index.php
@@ -38,15 +38,15 @@
 						</div>
 						<div class="col-sm-4 hidden-xs">
 							<div style="margin:120px 0px 0px 0px;text-align: center;">
-								<a href="http://acm-utsa.slack.com">
-									<input type="image" src="images/icons/add-to-slack.png" class="slack-button"/>
+								<a class="link" href="slack_invite" target="_blank">
+									<input type="button" style="outline-style: none;" value="Request Slack Invite" />
 								</a>
 							</div>
 						</div>
 						<div class="col-sm-4 hidden-sm hidden-md hidden-lg hidden-xl">
 							<div style="margin:40px 0px 0px 0px;text-align: center;">
 								<a href="http://acm-utsa.slack.com">
-									<input type="image" src="images/icons/add-to-slack.png" class="slack-button"/>
+									<input type="button" style="outline-style: none;" value="Request Slack Invite" />
 								</a>
 							</div>
 						</div>

diff --git a/send_message.php b/send_message.php
@@ -1,5 +1,5 @@
 <?php
-$from = $_POST['email'] . $_POST['m-email'];
+$from = '[email protected]';
 
 $text = $_POST['text'];
 $to = '[email protected]';
@@ -53,15 +53,15 @@
 $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
 $headers .= "From: " . $from . "\r\n"."X-Mailer: php";
 
-$stat = '';
+$message_stat = '';
 if(mail($to, 'Message on acm-utsa.org', $body, $headers)){
-	$stat = 'Your message has successfully been sent';
+	$message_stat = '1';
 }
 else{
-	$stat = 'Error: message failed to send';
+	$message_stat = '2';
 }
 
-header('Location: contact?stat='.rawurlencode($stat));
+header('Location: contact?message_stat='.rawurlencode($message_stat));
 ?>
 <!DOCTYPE html>
 <html>
@@ -105,8 +105,8 @@
 									</p>
 								</div>
 								<div class="col-sm-4" style="text-align:center;">
-									<a href="http://acm-utsa.slack.com">
-										<input type="image" src="images/icons/add-to-slack.png" class="slack-button"/>
+									<a class="link" href="slack_invite" target="_blank">
+										<input type="image" src="images/icons/add-to-slack.png" class="slack-button" style="outline-style: none;" />
 									</a>
 								</div>
 							</div>

diff --git a/slack_invite.php b/slack_invite.php
@@ -0,0 +1 @@
+<html> <head> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"> <title>Slack Invite</title> <style type="text/css"> html{ margin: 0; height: 100%; overflow: hidden; } iframe{ position: absolute; left:0; right:0; bottom:0; top:0; border:0; } </style> </head> <body> <iframe id="typeform-full" width="100%" height="100%" frameborder="0" src="https://acm-utsa.typeform.com/to/w2QdZg"></iframe> <script type="text/javascript" src="https://embed.typeform.com/embed.js"></script> </body> </html>
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		<html> <head> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"> <title>Slack Invite</title> <style type="text/css"> html{ margin: 0; height: 100%; overflow: hidden; } iframe{ position: absolute; left:0; right:0; bottom:0; top:0; border:0; } </style> </head> <body> <iframe id="typeform-full" width="100%" height="100%" frameborder="0" src="https://acm-utsa.typeform.com/to/w2QdZg"></iframe> <script type="text/javascript" src="https://embed.typeform.com/embed.js"></script> </body> </html>