diff --git a/FIT5032-Assignment/Controllers/AppointmentsController.cs b/FIT5032-Assignment/Controllers/AppointmentsController.cs
index 2dc401d..75d60b0 100644
--- a/FIT5032-Assignment/Controllers/AppointmentsController.cs
+++ b/FIT5032-Assignment/Controllers/AppointmentsController.cs
@@ -695,6 +695,15 @@ namespace FIT5032_Assignment.Controllers {
 return Redirect("/Appointments/Index");
 }
+ // Prevent XSS attack
+ // Replace with < and >
+ var comment = collection["comment"];
+ comment = comment.Replace("<", "<");
+ comment = comment.Replace(">", ">");
+
+ // Prevent SQL injection
+ comment = comment.Replace("'", "''");
+
 // Create review
 var uuid = Guid.NewGuid().ToString();
 Reviews newReview = new Reviews {
@@ -702,7 +711,7 @@ namespace FIT5032_Assignment.Controllers {
 patient = userProfile.uuid,
 doctor = appointment.responsibleBy,
 score = Convert.ToInt32(collection["score"]),
- comment = collection["comment"],
+ comment = comment,
 reviewAt = DateTime.Now,
 };
 db.Reviews.Add(newReview);
diff --git a/FIT5032-Assignment/Views/Appointments/Review.cshtml b/FIT5032-Assignment/Views/Appointments/Review.cshtml
index e49a7bb..6fe06fb 100644
--- a/FIT5032-Assignment/Views/Appointments/Review.cshtml
+++ b/FIT5032-Assignment/Views/Appointments/Review.cshtml
@@ -12,7 +12,7 @@
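Review bot: The added `Replace` calls in the first hunk do not provide the protection the comments claim and should be dropped: as printed here `comment.Replace("<", "<")` and `comment.Replace(">", ">")` replace each character with itself (presumably `&lt;`/`&gt;` were intended, but even then encoding at storage time is incomplete — `"`, `&` and attribute contexts are untouched — and double-encodes once the Razor view's default `@` output encoding runs). The `'` to `''` substitution does not prevent SQL injection either: if `db` is an Entity Framework context, as `db.Reviews.Add(newReview)` suggests, the value is sent as a query parameter, so the doubling only corrupts stored text (`don't` is saved as `don''t`). Store the raw value, `comment = collection["comment"],` as before (the second hunk's `comment = comment,` reverts with it), and keep the defence at output by rendering the comment with `@` rather than `Html.Raw`. The new code also throws on a missing field, since `collection["comment"]` can be null before `.Replace`; mirror the existing early return above with `if (string.IsNullOrWhiteSpace(collection["comment"])) { return Redirect("/Appointments/Index"); }`. The enclosing action starts and ends outside the hunk.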
You are about to review the Doctor @ViewBag.doctorUser.displayName
+} else { + if (ViewBag.reviewAvailable == false) { +Review not available yet.
+ } else { +