
chore: load sentry when dsn is not empty

M1Screw 2 years ago
parent
commit
9bf5964347
3 changed files with 50 additions and 43 deletions
  1. 1 1
      app/container.php
  2. 31 31
      src/Controllers/AuthController.php
  3. 18 11
      src/Controllers/UserController.php

+ 1 - 1
app/container.php

@@ -34,7 +34,7 @@ $container['notAllowedHandler'] = static function ($c) {
     };
     };
 };
 };
 
 
-if ($_ENV['debug'] === false) {
+if ($_ENV['sentry_dsn'] !== '') {
     $container['errorHandler'] = static function ($c) {
     $container['errorHandler'] = static function ($c) {
         return static function ($request, $response, $exception) {
         return static function ($request, $response, $exception) {
             $view = View::getSmarty();
             $view = View::getSmarty();
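Review bot: A production deployment with no `sentry_dsn` configured now gets the framework's default error handler instead of the custom one, because the new condition on `$_ENV['sentry_dsn']` replaces rather than extends the old `$_ENV['debug'] === false` gate; for a Slim-style container that presumably means whatever `displayErrorDetails` is set to decides whether exception details reach the client. A missing `sentry_dsn` key is also `null`, which satisfies `!== ''` and installs the handler with no DSN while emitting an undefined-index notice. If the custom handler also exists to render a safe error page, keep both concerns: `if ($_ENV['debug'] === false || ($_ENV['sentry_dsn'] ?? '') !== '') {` and gate the Sentry capture inside the closure on the DSN. The handler body continues past the hunk, so I cannot confirm what it does with the DSN.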

+ 31 - 31
src/Controllers/AuthController.php

@@ -188,8 +188,10 @@ final class AuthController extends BaseController
     public function sendVerify(ServerRequest $request, Response $response, $next)
     public function sendVerify(ServerRequest $request, Response $response, $next)
     {
     {
         if (Setting::obtain('reg_email_verify')) {
         if (Setting::obtain('reg_email_verify')) {
-            $email = trim($request->getParam('email'));
-            $email = strtolower($email);
+            $antiXss = new AntiXSS();
+
+            $email = strtolower(trim($antiXss->xss_clean($request->getParam('email'))));
+
             if ($email === '') {
             if ($email === '') {
                 return ResponseHelper::error($response, '未填写邮箱');
                 return ResponseHelper::error($response, '未填写邮箱');
             }
             }
@@ -247,27 +249,19 @@ final class AuthController extends BaseController
      */
      */
     public static function registerHelper($response, $name, $email, $passwd, $code, $imtype, $imvalue, $telegram_id, $money, $is_admin_reg)
     public static function registerHelper($response, $name, $email, $passwd, $code, $imtype, $imvalue, $telegram_id, $money, $is_admin_reg)
     {
     {
-        if (Setting::obtain('reg_mode') === 'close') {
-            return ResponseHelper::error($response, '暂时不对外开放注册');
-        }
-
-        if (Setting::obtain('reg_mode') === 'invite' && $code === '') {
-            return ResponseHelper::error($response, '注册需要填写邀请码');
-        }
-
-        $c = InviteCode::where('code', $code)->first();
-        if ($c === null) {
+        $user_invite = InviteCode::where('code', $code)->first();
+        if ($user_invite === null) {
             if (Setting::obtain('reg_mode') === 'invite') {
             if (Setting::obtain('reg_mode') === 'invite') {
-                return ResponseHelper::error($response, '这个邀请码不存在');
+                return ResponseHelper::error($response, '邀请码无效');
             }
             }
-        } elseif ($c->user_id !== 0) {
-            $gift_user = User::where('id', $c->user_id)->first();
+        } elseif ($user_invite->user_id !== 0) {
+            $gift_user = User::where('id', $user_invite->user_id)->first();
             if ($gift_user === null) {
             if ($gift_user === null) {
-                return ResponseHelper::error($response, '邀请码已失效');
+                return ResponseHelper::error($response, '邀请码无效');
             }
             }
 
 
             if ($gift_user->invite_num === 0) {
             if ($gift_user->invite_num === 0) {
-                return ResponseHelper::error($response, '邀请码不可用');
+                return ResponseHelper::error($response, '邀请码无效');
             }
             }
         }
         }
 
 
@@ -278,7 +272,7 @@ final class AuthController extends BaseController
         $current_timestamp = \time();
         $current_timestamp = \time();
 
 
         $user->user_name = $antiXss->xss_clean($name);
         $user->user_name = $antiXss->xss_clean($name);
-        $user->email = $email;
+        $user->email = $antiXss->xss_clean($email);
         $user->remark = '';
         $user->remark = '';
         $user->pass = Hash::passwordHash($passwd);
         $user->pass = Hash::passwordHash($passwd);
         $user->passwd = Tools::genRandomChar(16);
         $user->passwd = Tools::genRandomChar(16);
@@ -291,7 +285,7 @@ final class AuthController extends BaseController
         $user->method = $configs['sign_up_for_method'];
         $user->method = $configs['sign_up_for_method'];
         $user->forbidden_ip = Setting::obtain('reg_forbidden_ip');
         $user->forbidden_ip = Setting::obtain('reg_forbidden_ip');
         $user->forbidden_port = Setting::obtain('reg_forbidden_port');
         $user->forbidden_port = Setting::obtain('reg_forbidden_port');
-        $user->im_type = $imtype;
+        $user->im_type = $antiXss->xss_clean($imtype);
         $user->im_value = $antiXss->xss_clean($imvalue);
         $user->im_value = $antiXss->xss_clean($imvalue);
 
 
         $user->transfer_enable = Tools::toGB($configs['sign_up_for_free_traffic']);
         $user->transfer_enable = Tools::toGB($configs['sign_up_for_free_traffic']);
@@ -308,10 +302,10 @@ final class AuthController extends BaseController
 
 
         //dumplin:填写邀请人,写入邀请奖励
         //dumplin:填写邀请人,写入邀请奖励
         $user->ref_by = 0;
         $user->ref_by = 0;
-        if ($c !== null && $c->user_id !== 0) {
+        if ($user_invite !== null && $user_invite->user_id !== 0) {
             $invitation = Setting::getClass('invite');
             $invitation = Setting::getClass('invite');
             // 设置新用户
             // 设置新用户
-            $user->ref_by = $c->user_id;
+            $user->ref_by = $user_invite->user_id;
             $user->money = $invitation['invitation_to_register_balance_reward'];
             $user->money = $invitation['invitation_to_register_balance_reward'];
             // 给邀请人反流量
             // 给邀请人反流量
             $gift_user->transfer_enable += $invitation['invitation_to_register_traffic_reward'] * 1024 * 1024 * 1024;
             $gift_user->transfer_enable += $invitation['invitation_to_register_traffic_reward'] * 1024 * 1024 * 1024;
@@ -330,6 +324,7 @@ final class AuthController extends BaseController
         $secret = $ga->createSecret();
         $secret = $ga->createSecret();
         $user->ga_token = $secret;
         $user->ga_token = $secret;
         $user->ga_enable = 0;
         $user->ga_enable = 0;
+
         $user->class_expire = date('Y-m-d H:i:s', \time() + $configs['sign_up_for_class_time'] * 86400);
         $user->class_expire = date('Y-m-d H:i:s', \time() + $configs['sign_up_for_class_time'] * 86400);
         $user->class = $configs['sign_up_for_class'];
         $user->class = $configs['sign_up_for_class'];
         $user->node_connector = $configs['connection_device_limit'];
         $user->node_connector = $configs['connection_device_limit'];
@@ -364,6 +359,10 @@ final class AuthController extends BaseController
             return ResponseHelper::error($response, '未开放注册。');
             return ResponseHelper::error($response, '未开放注册。');
         }
         }
 
 
+        if (Setting::obtain('reg_mode') === 'invite' && $request->getParam('code') === '') {
+            return ResponseHelper::error($response, '注册需要填写邀请码');
+        }
+
         if (Setting::obtain('enable_reg_captcha') === true) {
         if (Setting::obtain('enable_reg_captcha') === true) {
             $ret = Captcha::verify($request->getParams());
             $ret = Captcha::verify($request->getParams());
             if (!$ret) {
             if (!$ret) {
@@ -371,17 +370,17 @@ final class AuthController extends BaseController
             }
             }
         }
         }
 
 
-        $name = $request->getParam('name');
-        $email = $request->getParam('email');
-        $email = trim($email);
-        $email = strtolower($email);
+        $antiXss = new AntiXSS();
+
+        $email = strtolower(trim($antiXss->xss_clean($request->getParam('email'))));
+        $name = $antiXss->xss_clean($request->getParam('name'));
         $passwd = $request->getParam('passwd');
         $passwd = $request->getParam('passwd');
         $repasswd = $request->getParam('repasswd');
         $repasswd = $request->getParam('repasswd');
-        $code = trim($request->getParam('code'));
+        $code = $antiXss->xss_clean(trim($request->getParam('code')));
 
 
         if (Setting::obtain('enable_reg_im') === true) {
         if (Setting::obtain('enable_reg_im') === true) {
-            $imtype = $request->getParam('im_type');
-            $imvalue = $request->getParam('im_value');
+            $imtype = $antiXss->xss_clean($request->getParam('im_type'));
+            $imvalue = $antiXss->xss_clean($request->getParam('im_value'));
             if ($imtype === '' || $imvalue === '') {
             if ($imtype === '' || $imvalue === '') {
                 return ResponseHelper::error($response, '请填上你的联络方式');
                 return ResponseHelper::error($response, '请填上你的联络方式');
             }
             }
@@ -406,7 +405,7 @@ final class AuthController extends BaseController
         }
         }
 
 
         if (Setting::obtain('reg_email_verify')) {
         if (Setting::obtain('reg_email_verify')) {
-            $email_code = trim($request->getParam('emailcode'));
+            $email_code = trim($antiXss->xss_clean($request->getParam('emailcode')));
             $mailcount = EmailVerify::where('email', '=', $email)
             $mailcount = EmailVerify::where('email', '=', $email)
                 ->where('code', '=', $email_code)
                 ->where('code', '=', $email_code)
                 ->where('expire_in', '>', \time())
                 ->where('expire_in', '>', \time())
@@ -451,15 +450,18 @@ final class AuthController extends BaseController
         $token = $request->getParam('token');
         $token = $request->getParam('token');
         $number = $request->getParam('number');
         $number = $request->getParam('number');
         $user = Auth::getUser();
         $user = Auth::getUser();
+
         if ($user->isLogin) {
         if ($user->isLogin) {
             return ResponseHelper::error($response, '用户已登陆');
             return ResponseHelper::error($response, '用户已登陆');
         }
         }
+
         if ($_ENV['enable_telegram_login'] === true) {
         if ($_ENV['enable_telegram_login'] === true) {
             $ret = TelegramSessionManager::checkLoginSession($token, $number);
             $ret = TelegramSessionManager::checkLoginSession($token, $number);
             return $response->withJson([
             return $response->withJson([
                 'ret' => $ret,
                 'ret' => $ret,
             ]);
             ]);
         }
         }
+
         return ResponseHelper::error($response, '不允许 QRCode 登陆');
         return ResponseHelper::error($response, '不允许 QRCode 登陆');
     }
     }
 
 
@@ -499,8 +501,6 @@ final class AuthController extends BaseController
     }
     }
 
 
     /**
     /**
-     * @param Request   $request
-     * @param Response  $response
      * @param array     $args
      * @param array     $args
      */
      */
     private function telegramOauthCheck($auth_data)
     private function telegramOauthCheck($auth_data)
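Review bot: The closed-registration guard no longer runs for any caller of `registerHelper` other than `register`, since the `reg_mode === 'close'` and empty-invite-code checks were removed from the shared helper (hunk `@@ -247`) and only `register` (hunk `@@ -364`) carries an equivalent; `registerHelper` is `public static` and takes an `$is_admin_reg` flag, which suggests other entry points exist that now skip the check. The relocated invite check in `register` compares the raw `$request->getParam('code')` to `''`, so an absent parameter (`null`) or a whitespace-only code passes it, and the later `InviteCode::where('code', $code)->first()` lookup is what actually rejects it, presumably via the null branch. Suggest `if (Setting::obtain('reg_mode') === 'invite' && trim((string) $request->getParam('code')) === '') {` in `register`, and an explicit `reg_mode === 'close'` early return kept at the top of `registerHelper` if any other caller reaches it. Both `registerHelper` and `register` continue outside their hunks.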

+ 18 - 11
src/Controllers/UserController.php

@@ -445,8 +445,10 @@ final class UserController extends BaseController
      */
      */
     public function buyInvite(ServerRequest $request, Response $response, array $args)
     public function buyInvite(ServerRequest $request, Response $response, array $args)
     {
     {
+        $antiXss = new AntiXSS();
+
         $price = Setting::obtain('invite_price');
         $price = Setting::obtain('invite_price');
-        $num = $request->getParam('num');
+        $num = $antiXss->xss_clean($request->getParam('num'));
         $num = trim($num);
         $num = trim($num);
 
 
         if (! Tools::isInt($num) || $price < 0 || $num <= 0) {
         if (! Tools::isInt($num) || $price < 0 || $num <= 0) {
@@ -476,9 +478,10 @@ final class UserController extends BaseController
      */
      */
     public function customInvite(ServerRequest $request, Response $response, array $args)
     public function customInvite(ServerRequest $request, Response $response, array $args)
     {
     {
+        $antiXss = new AntiXSS();
+
         $price = Setting::obtain('custom_invite_price');
         $price = Setting::obtain('custom_invite_price');
-        $customcode = $request->getParam('customcode');
-        $customcode = trim($customcode);
+        $customcode = trim($antiXss->xss_clean($request->getParam('customcode')));
 
 
         if (Tools::isSpecialChars($customcode) || $price < 0 || $customcode === '' || strlen($customcode) > 32) {
         if (Tools::isSpecialChars($customcode) || $price < 0 || $customcode === '' || strlen($customcode) > 32) {
             return ResponseHelper::error(
             return ResponseHelper::error(
@@ -546,8 +549,10 @@ final class UserController extends BaseController
      */
      */
     public function updateEmail(ServerRequest $request, Response $response, array $args)
     public function updateEmail(ServerRequest $request, Response $response, array $args)
     {
     {
+        $antiXss = new AntiXSS();
+
         $user = $this->user;
         $user = $this->user;
-        $newemail = $request->getParam('newemail');
+        $newemail = $antiXss->xss_clean($request->getParam('newemail'));
         $oldemail = $user->email;
         $oldemail = $user->email;
         $otheruser = User::where('email', $newemail)->first();
         $otheruser = User::where('email', $newemail)->first();
 
 
@@ -580,8 +585,7 @@ final class UserController extends BaseController
             return ResponseHelper::error($response, '新邮箱不能和旧邮箱一样');
             return ResponseHelper::error($response, '新邮箱不能和旧邮箱一样');
         }
         }
 
 
-        $antiXss = new AntiXSS();
-        $user->email = $antiXss->xss_clean($newemail);
+        $user->email = $newemail;
         $user->save();
         $user->save();
 
 
         return ResponseHelper::successfully($response, '修改成功');
         return ResponseHelper::successfully($response, '修改成功');
@@ -592,10 +596,12 @@ final class UserController extends BaseController
      */
      */
     public function updateUsername(ServerRequest $request, Response $response, array $args)
     public function updateUsername(ServerRequest $request, Response $response, array $args)
     {
     {
-        $newusername = $request->getParam('newusername');
-        $user = $this->user;
         $antiXss = new AntiXSS();
         $antiXss = new AntiXSS();
-        $user->user_name = $antiXss->xss_clean($newusername);
+
+        $newusername = $antiXss->xss_clean($request->getParam('newusername'));
+        $user = $this->user;
+        
+        $user->user_name = $newusername;
         $user->save();
         $user->save();
 
 
         return ResponseHelper::successfully($response, '修改成功');
         return ResponseHelper::successfully($response, '修改成功');
@@ -815,10 +821,10 @@ final class UserController extends BaseController
      */
      */
     public function updateMethod(ServerRequest $request, Response $response, array $args)
     public function updateMethod(ServerRequest $request, Response $response, array $args)
     {
     {
-        $user = $this->user;
-
         $antiXss = new AntiXSS();
         $antiXss = new AntiXSS();
 
 
+        $user = $this->user;
+
         $method = strtolower($antiXss->xss_clean($request->getParam('method')));
         $method = strtolower($antiXss->xss_clean($request->getParam('method')));
 
 
         if ($method === '') {
         if ($method === '') {
@@ -897,6 +903,7 @@ final class UserController extends BaseController
         $user = $this->user;
         $user = $this->user;
 
 
         $passwd = $request->getParam('passwd');
         $passwd = $request->getParam('passwd');
+
         if (! Hash::checkPassword($user->pass, $passwd)) {
         if (! Hash::checkPassword($user->pass, $passwd)) {
             return ResponseHelper::error($response, '密码错误');
             return ResponseHelper::error($response, '密码错误');
         }
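Review bot: `updateEmail` stores `$newemail` without the `trim`/`strtolower` normalization that `AuthController::register` and `sendVerify` apply to the same field, so the duplicate lookup `User::where('email', $newemail)->first()` can miss an existing account that differs only in case or surrounding whitespace (depending on the column's collation), and the account ends up keyed by an address that will not match a later lowercased login or verification lookup. `xss_clean` is an HTML sanitizer, not an email validator; the lines between the two `updateEmail` hunks are not shown, so a format check may already live there. Suggest `$newemail = strtolower(trim($antiXss->xss_clean($request->getParam('newemail'))));` so the three code paths agree. The body of `updateEmail` runs between the `@@ -546` and `@@ -580` hunks.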
         }