From 3e0414ad1a7bc7368281f3bdf9e073f1fac0bf7a Mon Sep 17 00:00:00 2001
From: Astrian Zheng <happy.wheel6743@astrian.moe>
Date: Thu, 19 Oct 2023 16:16:12 +1100
Subject: [PATCH] View the review

---
 .../Controllers/AppointmentsController.cs     | 11 +++++++-
 .../Views/Appointments/Review.cshtml          | 25 ++++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/FIT5032-Assignment/Controllers/AppointmentsController.cs b/FIT5032-Assignment/Controllers/AppointmentsController.cs
index 2dc401d..75d60b0 100644
--- a/FIT5032-Assignment/Controllers/AppointmentsController.cs
+++ b/FIT5032-Assignment/Controllers/AppointmentsController.cs
@@ -695,6 +695,15 @@ namespace FIT5032_Assignment.Controllers {
         return Redirect("/Appointments/Index");
       }
 
+      // Prevent XSS attack
+      // Replace with &lt; and &gt;
+      var comment = collection["comment"];
+      comment = comment.Replace("<", "&lt;");
+      comment = comment.Replace(">", "&gt;");
+
+      // Prevent SQL injection
+      comment = comment.Replace("'", "''");
+
       // Create review
       var uuid = Guid.NewGuid().ToString();
       Reviews newReview = new Reviews {
@@ -702,7 +711,7 @@ namespace FIT5032_Assignment.Controllers {
         patient = userProfile.uuid,
         doctor = appointment.responsibleBy,
         score = Convert.ToInt32(collection["score"]),
-        comment = collection["comment"],
+        comment = comment,
         reviewAt = DateTime.Now,
       };
       db.Reviews.Add(newReview);
diff --git a/FIT5032-Assignment/Views/Appointments/Review.cshtml b/FIT5032-Assignment/Views/Appointments/Review.cshtml
index e49a7bb..6fe06fb 100644
--- a/FIT5032-Assignment/Views/Appointments/Review.cshtml
+++ b/FIT5032-Assignment/Views/Appointments/Review.cshtml
@@ -12,7 +12,7 @@
 
 <h2>Rate the experience</h2>
 
-@if (ViewBag.role == 1) {
+@if (ViewBag.role == 1 && ViewBag.reviewAvailable == false) {
   <p>You are about to review the Doctor <b>@ViewBag.doctorUser.displayName</b></p>
   <form method="post">
     <input type="hidden" id="appointment" name="appointment" required value="@ViewBag.appointment.uuid" />
@@ -38,6 +38,22 @@
     </div>
     <button class="btn btn-primary" type="submit">Submit</button>
   </form>
+} else {
+  if (ViewBag.reviewAvailable == false) {
+    <p>Review not available yet.</p>
+  } else {
+    <div class="review">
+      <div><img src="@ViewBag.patient.avatar" style="width: 30px; border-radius: 50%; margin-right: 10px;" /><b>@ViewBag.patient.displayName</b> already reviewed this appointment.</div>
+      <div>
+        @if (ViewBag.review.score == 1) {
+          <span style="color: green;"><span class="material-symbols-outlined">thumb_up</span> <b>Recommended</b></span>
+        } else {
+          <span style="color: red;"><span class="material-symbols-outlined">thumb_down</span> <b>Not Recommended</b></span>
+        }
+        <span>@ViewBag.review.comment</span>
+      </div>
+    </div>
+  }
 }
 
 @section Scripts {
@@ -50,6 +66,13 @@
     textarea {
       width: 100%;
     }
+
+    .review {
+      display: flex;
+      flex-direction: column;
+      /* Spacing between elements inside .review */
+      gap: 10px;
+    }
   </style>
   <script>
     function rate(score) {