Usernames can have alphanums, underscore and hyphen only

Author: mattpass

lib/login.php

@@ -65,7 +65,7 @@
 		if (true === $ICEcoder["multiUser"]) {
 			// Also set value to "admin" if only 1 user (has to be admin)
 			$showAdminValue = 1 === count($configUsernames) ? ' value="admin"' : '';
-			echo '<input type="text" name="username"' . $showAdminValue . ' class="password"><br><br>';
+			echo '<input type="text" name="username"' . $showAdminValue . ' class="password" id="username" onkeydown="return checkUernameKey(event.key)" onkeyup="checkUsername(this.value, true)" onchange="checkUsername(this.value, true)" onpaste="checkUsername(this.value, true)"><br><br>';
 		};
 		?>
 		<input type="password" name="password" class="password" id="password"<?php
@@ -128,6 +128,21 @@
 	return document.getElementById(elem);
 };
 
+// Check keydown in username field meets simple rules (alphanums, underscore and hyphen only)
+const checkUernameKey = function(key) {
+    return /[\w_\-]/g.test(key);
+}
+
+// Check username value meets simple rules (alphanums, underscore and hyphen only)
+const checkUsername = function(username, amend) {
+    // Amend username if OK to do this
+    if (true === amend) {
+        get("username").value = username.replace(/[^\w_\-]/g, "");
+    }
+    // Return a bool based on meeting the requirements
+    return username.replace(/[^\w_\-]/g, "").length === username.length;
+};
+
 // Check password strength and color requirements not met
 const pwStrength = function(pw) {
 	// Set variables
@@ -165,7 +180,16 @@
 
 // Check if we can submit, else shake requirements
 const checkCanSubmit = function() {
-	// Password isn't strong enough, shake requirements
+    <?php
+		// Check username field if multiUser enabled
+		if (true === $ICEcoder["multiUser"]) {
+    ?>// Username isn't simple, can't submit
+    if(false === checkUsername(get("username").value, false)) {
+        return false;
+    }
+    <?php
+    }
+    ?>// Password isn't strong enough, shake requirements
 	if(false === pwStrength(get("password").value)) {
 		var posArray = [24, -24, 12, -12, 6, -6, 3, -3, 0];
 		var pos = -1;

lib/settings.php

@@ -57,9 +57,13 @@
 // Load common functions
 include_once dirname(__FILE__) . "/settings-common.php";
 
+$postUsername = true === isset($_POST['username']) && is_string($_POST['username'])
+    ? preg_replace("/[^\w_\-]/", "", $_POST['username'])
+    : "";
+
 // Establish user settings file
 $username = "admin-";
-if (true === isset($_POST['username']) && "" !== $_POST['username']) {$username = $_POST['username'] . "-";};
+if ("" !== $postUsername) {$username = $postUsername . "-";};
 if (true === isset($_SESSION['username']) && "" !== $_SESSION['username']) {$username = $_SESSION['username'] . "-";};
 $settingsFile = 'config-' . $username . str_replace(".", "_", str_replace("www.", "", $_SERVER['SERVER_NAME'])) . '.php';
 
@@ -164,7 +168,7 @@
     if (verifyHash($_POST['password'], $ICEcoder["password"]) === $ICEcoder["password"]) {
         session_regenerate_id();
         if ($ICEcoder["multiUser"]) {
-            $_SESSION['username'] = $_POST['username'];
+            $_SESSION['username'] = $postUsername;
         }
         $_SESSION['loggedIn'] = true;
         $extraProcessesClass = new ExtraProcesses();
@@ -235,7 +239,7 @@
         }
         // Set the session user level
         if ($ICEcoder["multiUser"]) {
-            $_SESSION['username'] = $_POST['username'];
+            $_SESSION['username'] = $postUsername;
         }
         $_SESSION['loggedIn'] = true;
         $extraProcessesClass = new ExtraProcesses();