AstrolabeCAE/SiteWebAstrolabe_public
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security enhancements on contact form #1

Merged
philippe.lhardy merged 1 commits from deborah.jean/SiteWebAstrolabe_public:master into master 2025-08-27 10:15:25 +02:00
Conversation 0 Commits 1 Files Changed 1 +26 -13
1 changed files with 26 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 69f9d7609e - Show all commits

39
src/form/contact-form-handler.php
View File

@@ -1,4 +1,11 @@
<?php
// Headers de sécurité
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin-when-cross-origin');
require("/usr/share/php/libphp-phpmailer/autoload.php");
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;
@@ -29,7 +36,14 @@ $wantedContact = (
$hcaptchaSecret = getenv('HCAPTCHA_SECRET_KEY');
$hcaptchaVerifyUrl = "https://api.hcaptcha.com/siteverify";
if(empty($_POST['namezzz']) || empty($_POST['emailzzz']) || empty($_POST['message'])) {
// Validation et assainissement des entrées
$name = filter_input(INPUT_POST, 'namezzz', FILTER_SANITIZE_STRING);
$emailAddress = filter_input(INPUT_POST, 'emailzzz', FILTER_SANITIZE_EMAIL);
$select = filter_input(INPUT_POST, 'select', FILTER_SANITIZE_STRING);
$message = filter_input(INPUT_POST, 'message', FILTER_SANITIZE_STRING);
$subscribe = filter_input(INPUT_POST, 'subscribe', FILTER_SANITIZE_STRING);
if(empty($name) || empty($emailAddress) || empty($message)) {
$errors[] = "Erreur : champs obligatoires manquants.";
}
@@ -50,6 +64,8 @@ if(!empty($_POST['h-captcha-response'])) {
curl_setopt($checkRequest, CURLOPT_POST, 1);
curl_setopt($checkRequest, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($checkRequest, CURLOPT_RETURNTRANSFER, true);
curl_setopt($checkRequest, CURLOPT_TIMEOUT, 10);
curl_setopt($checkRequest, CURLOPT_SSL_VERIFYPEER, true);
$response = curl_exec($checkRequest);
curl_close($checkRequest);
@@ -62,14 +78,8 @@ if(!empty($_POST['h-captcha-response'])) {
$errors[] = "Erreur lors de la validation du captcha.";
}
$name = $_POST['namezzz'];
$emailAddress = $_POST['emailzzz'];
$select = $_POST['select'];
$message = $_POST['message'];
$subscribe = $_POST['subscribe'];
if (!filter_var($emailAddress, FILTER_VALIDATE_EMAIL)) {
$errors[] = "Erreur d'adresse e-mail invalide : $emailAddress";
$errors[] = "Erreur d'adresse e-mail invalide.";
}
if(empty($errors)) {
@@ -92,10 +102,13 @@ if(empty($errors)) {
default:
$purpose = "Autre demande";
}
$emailSubject .= " : $purpose";
$emailSubject .= " : " . htmlspecialchars($purpose, ENT_QUOTES, 'UTF-8');
$emailBody = "Vous avez reçu un nouveau message depuis le formulaire du site Astrolabe :".
"\r\n\r\nNom: $name \r\nEmail: $emailAddress \r\nRaison: $purpose\r\nSubscribe: $subscribe\r\n\r\n$message";
"\r\n\r\nNom: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') .
"\r\nEmail: " . htmlspecialchars($emailAddress, ENT_QUOTES, 'UTF-8') .
"\r\nRaison: " . htmlspecialchars($purpose, ENT_QUOTES, 'UTF-8') .
"\r\nSubscribe: " . (empty($subscribe) ? 'Non' : 'Oui') .
"\r\n\r\n" . htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
$emailBodyHTML = str_replace("\r\n", "<br>", $emailBody);
@@ -114,7 +127,7 @@ if(empty($errors)) {
//Recipients
$mail->setFrom($myEmail);
$mail->addAddress($wantedContact);
$mail->addReplyTo($emailAddress, $name);
$mail->addReplyTo($emailAddress, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
// Content
$mail->isHTML(true);
@@ -140,7 +153,7 @@ if(empty($errors)) {
http_response_code(500);
echo json_encode([
'success' => false,
'errors' => ["Erreur lors de l'envoi du message : " . $mail->ErrorInfo]
'errors' => ["Erreur lors de l'envoi du message. Veuillez réessayer plus tard."]
]);
}
} else {