validate User and Role fields and sanitize output

app_model.php

@@ -133,4 +133,21 @@ public function updateAll($fields, $conditions = true) {
 	public function invalidate($field, $value = true) {
 		return parent::invalidate($field, __($value, true));
 	}
+
+/**
+ * Validation method for alias field
+ * @return bool true when validation successful
+ */
+	protected function _validAlias($check) {
+		return preg_match('/^[\p{Ll}\p{Lm}\p{Lo}\p{Lt}\p{Lu}\p{Nd}-_]+$/mu', $check[key($check)]);
+	}
+
+/**
+ * Validation method for name or title fields
+ * @return bool true when validation successful
+ */
+	protected function _validName($check) {
+		return preg_match('/^[\p{Ll}\p{Lm}\p{Lo}\p{Lt}\p{Lu}\p{Nd}-_\[\]\(\) ]+$/mu', $check[key($check)]);
+	}
+
 }

models/role.php

@@ -40,17 +40,32 @@ class Role extends AppModel {
  */
 	public $validate = array(
 		'title' => array(
-			'rule' => array('minLength', 1),
-			'message' => 'Title cannot be empty.',
+			'notEmpty' => array(
+				'rule' => 'notEmpty',
+				'message' => 'Alias cannot be empty.',
+				'last' => true,
+			),
+			'validName' => array(
+				'rule' => '_validName',
+				'message' => 'This field must be alphanumeric',
+				'last' => true,
+			),
 		),
 		'alias' => array(
 			'isUnique' => array(
 				'rule' => 'isUnique',
 				'message' => 'This alias has already been taken.',
+				'last' => true,
 			),
-			'minLength' => array(
-				'rule' => array('minLength', 1),
+			'notEmpty' => array(
+				'rule' => 'notEmpty',
 				'message' => 'Alias cannot be empty.',
+				'last' => true,
+			),
+			'validAlias' => array(
+				'rule' => '_validAlias',
+				'message' => 'This field must be alphanumeric',
+				'last' => true,
 			),
 		),
 	);

models/user.php

@@ -57,29 +57,53 @@ class User extends AppModel {
 			'isUnique' => array(
 				'rule' => 'isUnique',
 				'message' => 'The username has already been taken.',
+				'last' => true,
 			),
 			'notEmpty' => array(
 				'rule' => 'notEmpty',
 				'message' => 'This field cannot be left blank.',
+				'last' => true,
+			),
+			'validAlias' => array(
+				'rule' => '_validAlias',
+				'message' => 'This field must be alphanumeric',
+				'last' => true,
 			),
 		),
 		'email' => array(
 			'email' => array(
 				'rule' => 'email',
 				'message' => 'Please provide a valid email address.',
+				'last' => true,
 			),
 			'isUnique' => array(
 				'rule' => 'isUnique',
 				'message' => 'Email address already in use.',
+				'last' => true,
 			),
 		),
 		'password' => array(
 			'rule' => array('minLength', 6),
 			'message' => 'Passwords must be at least 6 characters long.',
 		),
 		'name' => array(
-			'rule' => 'notEmpty',
-			'message' => 'This field cannot be left blank.',
+			'notEmpty' => array(
+				'rule' => 'notEmpty',
+				'message' => 'This field cannot be left blank.',
+				'last' => true,
+			),
+			'validName' => array(
+				'rule' => '_validName',
+				'message' => 'This field must be alphanumeric',
+				'last' => true,
+			),
+		),
+		'website' => array(
+			'url' => array(
+				'rule' => 'url',
+				'message' => 'This field must be a valid URL',
+				'allowEmpty' => true,
+			),
 		),
 	);
 

views/roles/admin_index.ctp

@@ -30,8 +30,8 @@
 
 			$rows[] = array(
 				$role['Role']['id'],
-				$role['Role']['title'],
-				$role['Role']['alias'],
+				h($role['Role']['title']),
+				h($role['Role']['alias']),
 				$actions,
 			);
 		}

views/users/admin_index.ctp

@@ -32,9 +32,9 @@
 
 			$rows[] = array(
 				$user['User']['id'],
-				$user['Role']['title'],
-				$user['User']['username'],
-				$user['User']['name'],
+				h($user['Role']['title']),
+				h($user['User']['username']),
+				h($user['User']['name']),
 				$user['User']['email'],
 				$actions,
 			);