From 69f9d7609e932b479062b639e6df1d38c8af6df1 Mon Sep 17 00:00:00 2001
From: galenskap <jean.deborah@gmail.com>
Date: Wed, 27 Aug 2025 09:39:23 +0200
Subject: [PATCH] Security enhancements on contact form

---
 src/form/contact-form-handler.php | 39 ++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/src/form/contact-form-handler.php b/src/form/contact-form-handler.php
index 5679059..c2fc0e8 100644
--- a/src/form/contact-form-handler.php
+++ b/src/form/contact-form-handler.php
@@ -1,4 +1,11 @@
 <?php
+// Headers de sécurité
+header('Content-Type: application/json; charset=utf-8');
+header('X-Content-Type-Options: nosniff');
+header('X-Frame-Options: DENY');
+header('X-XSS-Protection: 1; mode=block');
+header('Referrer-Policy: strict-origin-when-cross-origin');
+
 require("/usr/share/php/libphp-phpmailer/autoload.php");
 use PHPMailer\PHPMailer\PHPMailer;
 use PHPMailer\PHPMailer\Exception;
@@ -29,7 +36,14 @@ $wantedContact = (
 $hcaptchaSecret = getenv('HCAPTCHA_SECRET_KEY');
 $hcaptchaVerifyUrl = "https://api.hcaptcha.com/siteverify";
 
-if(empty($_POST['namezzz']) || empty($_POST['emailzzz']) || empty($_POST['message'])) {
+// Validation et assainissement des entrées
+$name = filter_input(INPUT_POST, 'namezzz', FILTER_SANITIZE_STRING);
+$emailAddress = filter_input(INPUT_POST, 'emailzzz', FILTER_SANITIZE_EMAIL);
+$select = filter_input(INPUT_POST, 'select', FILTER_SANITIZE_STRING);
+$message = filter_input(INPUT_POST, 'message', FILTER_SANITIZE_STRING);
+$subscribe = filter_input(INPUT_POST, 'subscribe', FILTER_SANITIZE_STRING);
+
+if(empty($name) || empty($emailAddress) || empty($message)) {
     $errors[] = "Erreur : champs obligatoires manquants.";
 }
 
@@ -50,6 +64,8 @@ if(!empty($_POST['h-captcha-response'])) {
     curl_setopt($checkRequest, CURLOPT_POST, 1);
     curl_setopt($checkRequest, CURLOPT_POSTFIELDS, http_build_query($data));
     curl_setopt($checkRequest, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($checkRequest, CURLOPT_TIMEOUT, 10);
+    curl_setopt($checkRequest, CURLOPT_SSL_VERIFYPEER, true);
     $response = curl_exec($checkRequest);
     curl_close($checkRequest);
 
@@ -62,14 +78,8 @@ if(!empty($_POST['h-captcha-response'])) {
     $errors[] = "Erreur lors de la validation du captcha.";
 }
 
-$name = $_POST['namezzz'];
-$emailAddress = $_POST['emailzzz'];
-$select = $_POST['select'];
-$message = $_POST['message'];
-$subscribe = $_POST['subscribe'];
-
 if (!filter_var($emailAddress, FILTER_VALIDATE_EMAIL)) {
-    $errors[] = "Erreur d'adresse e-mail invalide : $emailAddress";
+    $errors[] = "Erreur d'adresse e-mail invalide.";
 }
 
 if(empty($errors)) {
@@ -92,10 +102,13 @@ if(empty($errors)) {
             default:
                 $purpose = "Autre demande";
         }
-        $emailSubject .= " : $purpose";
-
+        $emailSubject .= " : " . htmlspecialchars($purpose, ENT_QUOTES, 'UTF-8');
         $emailBody = "Vous avez reçu un nouveau message depuis le formulaire du site Astrolabe :".
-        "\r\n\r\nNom: $name \r\nEmail: $emailAddress \r\nRaison: $purpose\r\nSubscribe: $subscribe\r\n\r\n$message";
+        "\r\n\r\nNom: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . 
+        "\r\nEmail: " . htmlspecialchars($emailAddress, ENT_QUOTES, 'UTF-8') . 
+        "\r\nRaison: " . htmlspecialchars($purpose, ENT_QUOTES, 'UTF-8') .
+        "\r\nSubscribe: " . (empty($subscribe) ? 'Non' : 'Oui') .
+        "\r\n\r\n" . htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
         
         $emailBodyHTML = str_replace("\r\n", "<br>", $emailBody);
         
@@ -114,7 +127,7 @@ if(empty($errors)) {
         //Recipients
         $mail->setFrom($myEmail);
         $mail->addAddress($wantedContact);
-        $mail->addReplyTo($emailAddress, $name);
+        $mail->addReplyTo($emailAddress, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
                 
         // Content
         $mail->isHTML(true);
@@ -140,7 +153,7 @@ if(empty($errors)) {
         http_response_code(500);
         echo json_encode([
             'success' => false,
-            'errors' => ["Erreur lors de l'envoi du message : " . $mail->ErrorInfo]
+            'errors' => ["Erreur lors de l'envoi du message. Veuillez réessayer plus tard."]
         ]);
     }
 } else {
-- 
2.30.2