View the review

2023-10-19 16:16:12 +11:00 · 2023-10-19 16:16:12 +11:00 · 3e0414ad1a
commit 3e0414ad1a
parent 9654264773
2 changed files with 34 additions and 2 deletions
--- a/FIT5032-Assignment/Controllers/AppointmentsController.cs
+++ b/FIT5032-Assignment/Controllers/AppointmentsController.cs
@ -695,6 +695,15 @@ namespace FIT5032_Assignment.Controllers {
        return Redirect("/Appointments/Index");
      }

+      // Prevent XSS attack
+      // Replace with &lt; and &gt;
+      var comment = collection["comment"];
+      comment = comment.Replace("<", "&lt;");
+      comment = comment.Replace(">", "&gt;");
+
+      // Prevent SQL injection
+      comment = comment.Replace("'", "''");
+
      // Create review
      var uuid = Guid.NewGuid().ToString();
      Reviews newReview = new Reviews {
@ -702,7 +711,7 @@ namespace FIT5032_Assignment.Controllers {
        patient = userProfile.uuid,
        doctor = appointment.responsibleBy,
        score = Convert.ToInt32(collection["score"]),
-        comment = collection["comment"],
+        comment = comment,
        reviewAt = DateTime.Now,
      };
      db.Reviews.Add(newReview);
--- a/FIT5032-Assignment/Views/Appointments/Review.cshtml
+++ b/FIT5032-Assignment/Views/Appointments/Review.cshtml
@ -12,7 +12,7 @@

 <h2>Rate the experience</h2>

-@if (ViewBag.role == 1) {
+@if (ViewBag.role == 1 && ViewBag.reviewAvailable == false) {
  <p>You are about to review the Doctor <b>@ViewBag.doctorUser.displayName</b></p>
  <form method="post">
    <input type="hidden" id="appointment" name="appointment" required value="@ViewBag.appointment.uuid" />
@ -38,6 +38,22 @@
    </div>
    <button class="btn btn-primary" type="submit">Submit</button>
  </form>
+} else {
+  if (ViewBag.reviewAvailable == false) {
+    <p>Review not available yet.</p>
+  } else {
+    <div class="review">
+      <div><img src="@ViewBag.patient.avatar" style="width: 30px; border-radius: 50%; margin-right: 10px;" /><b>@ViewBag.patient.displayName</b> already reviewed this appointment.</div>
+      <div>
+        @if (ViewBag.review.score == 1) {
+          <span style="color: green;"><span class="material-symbols-outlined">thumb_up</span> <b>Recommended</b></span>
+        } else {
+          <span style="color: red;"><span class="material-symbols-outlined">thumb_down</span> <b>Not Recommended</b></span>
+        }
+        <span>@ViewBag.review.comment</span>
+      </div>
+    </div>
+  }
 }

@section Scripts {
@ -50,6 +66,13 @@
    textarea {
      width: 100%;
    }
+
+    .review {
+      display: flex;
+      flex-direction: column;
+      /* Spacing between elements inside .review */
+      gap: 10px;
+    }
  </style>
  <script>
    function rate(score) {