vérifie un peu mieux les entrées

index.php

@@ -8,9 +8,9 @@ define('DATA_FILE', __DIR__ . DIRECTORY_SEPARATOR . 'data.php');
 if (file_exists(CONFIG_FILE)) require_once CONFIG_FILE;
 if (!isset($config)) $config = [];
 
-$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
+$action = (isset($_REQUEST['action']) and preg_match('/^[a-z]{1,16}$/i', $_REQUEST['action'])) ? $_REQUEST['action'] : null;
 
-$hasSupplier = isset($_REQUEST['supplier']) and !empty($_REQUEST['supplier']);
+$hasSupplier = isset($_REQUEST['supplier']) and !empty($_REQUEST['supplier']) and preg_match('/^[A-Za-z]\w{0,31}$/', $_REQUEST['supplier']);
 $supplier = $_REQUEST['supplier'];
 
 if ($hasSupplier) {
@@ -52,7 +52,7 @@ if ($hasSupplier) {
 
 		foreach (array_keys($config[$supplier]) as $key)
 			if (isset($_REQUEST[$key]))
-				$config[$supplier][$key] = $_REQUEST[$key];
+				$config[$supplier][$key] = (!in_array($key, ['title', 'description']) ? filter_var($_REQUEST[$key], FILTER_SANITIZE_STRING) : $_REQUEST[$key]);
 	}
 
 	if (empty($config[$supplier]['start']))
@@ -93,7 +93,15 @@ if ($action === 'config') {
 	$isConfig = true;
 }
 
-$hasEvent = isset($_REQUEST['event']);
+try {
+	$hasEvent = (
+		isset($_REQUEST['event'])
+		and preg_match('/^\d{4}\-[01]\d\-[0123]\d$/', $_REQUEST['event'])
+		and ((new \DateTimeImmutable($_REQUEST['event'])) instanceof \DateTimeImmutable)
+	);
+} catch (\Exception $exception) {
+	$hasEvent = false;
+}
 if (!$isConfig and $hasSupplier) {
 	$start = new \DateTime($config[$supplier]['start']);
 	if (!$hasEvent) {
@@ -133,7 +141,7 @@ if (!$isConfig and $hasSupplier) {
 			fwrite($output, '<?php' . PHP_EOL);
 		$item = [];
 		foreach (['name', 'choice', 'action'] as $field)
-			$item[$field] = $_REQUEST[$field];
+			$item[$field] = filter_var($_REQUEST[$field], FILTER_SANITIZE_STRING);
 		$item['timestamp'] = time();
 		$item['hash'] = md5(implode([ $item['name'], $item['choice'], ]));
 		fprintf(