[svn r20835] improve security

improve form consistency
improve form layout
project description no longer a required field
skala
Patrick Cool 17 years ago
parent 0efd0e1ea2
commit 050d066149
  1. 19
      main/blog/blog_admin.php
  2. 20
      main/inc/lib/blog.lib.php

@ -89,15 +89,15 @@ if (api_is_allowed_to_edit())
$get_blog_subtitle = Security::remove_XSS($_POST['blog_subtitle']); $get_blog_subtitle = Security::remove_XSS($_POST['blog_subtitle']);
$get_blog_id = Security::remove_XSS($_POST['blog_id']); $get_blog_id = Security::remove_XSS($_POST['blog_id']);
if (!empty($_POST['new_blog_submit']) AND !empty($_POST['blog_name']) AND !empty($_POST['blog_subtitle'])) { if (!empty($_POST['new_blog_submit']) AND !empty($_POST['blog_name'])) {
if (strlen(trim($_POST['blog_name']))>0 && strlen(trim($_POST['blog_subtitle']))>0) { if (strlen(trim($_POST['blog_name']))>0) {
Blog::create_blog($get_blog_name,$get_blog_subtitle); Blog::create_blog($get_blog_name,$get_blog_subtitle);
Display::display_confirmation_message(get_lang('BlogStored')); Display::display_confirmation_message(get_lang('BlogStored'));
} }
} }
if (!empty($_POST['edit_blog_submit']) AND !empty($_POST['blog_name']) AND !empty($_POST['blog_subtitle'])) { if (!empty($_POST['edit_blog_submit']) AND !empty($_POST['blog_name'])) {
if (strlen(trim($_POST['blog_name']))>0 && strlen(trim($_POST['blog_subtitle']))>0) { if (strlen(trim($_POST['blog_name']))>0) {
Blog::edit_blog($get_blog_id,$get_blog_name,$get_blog_subtitle); Blog::edit_blog($get_blog_id,$get_blog_name,$get_blog_subtitle);
Display::display_confirmation_message(get_lang('BlogEdited')); Display::display_confirmation_message(get_lang('BlogEdited'));
} }
@ -123,14 +123,13 @@ if (api_is_allowed_to_edit())
if (isset($_GET['action']) && $_GET['action'] == 'add') { if (isset($_GET['action']) && $_GET['action'] == 'add') {
// we show the form if // we show the form if
// 1. no post data // 1. no post data
// 2. there is post data and one of the three form elements is empty // 2. there is post data and one of the required form elements is empty
if (!$_POST OR (!empty($_POST) AND (empty($_POST['Submit']) OR empty($_POST['blog_name']) OR empty($_POST['blog_subtitle'])))) { if (!$_POST OR (!empty($_POST) AND (empty($_POST['new_blog_submit']) OR empty($_POST['blog_name'])))) {
// if there is post data there is certainly an error in the form // if there is post data there is certainly an error in the form
/*if ($_POST){ /*if ($_POST){
Display::display_error_message(get_lang('FormHasErrorsPleaseComplete')); Display::display_error_message(get_lang('FormHasErrorsPleaseComplete'));
}*/ }*/
if (strlen($_POST['blog_name'])==0) {
if (strlen($_POST['blog_name'])==0 || strlen($_POST['blog_subtitle'])==0 ) {
if (count($_POST)>0) { if (count($_POST)>0) {
Display::display_error_message(get_lang('FormHasErrorsPleaseComplete')); Display::display_error_message(get_lang('FormHasErrorsPleaseComplete'));
} }
@ -139,13 +138,13 @@ if (api_is_allowed_to_edit())
} }
Blog::display_new_blog_form(); Blog::display_new_blog_form();
} }
} }
if (isset($_GET['action']) && $_GET['action'] == 'edit') { if (isset($_GET['action']) && $_GET['action'] == 'edit') {
// we show the form if // we show the form if
// 1. no post data // 1. no post data
// 2. there is post data and one of the three form elements is empty // 2. there is post data and one of the three form elements is empty
if (!$_POST OR (!empty($_POST) AND (empty($_POST['edit_blog_submit']) OR empty($_POST['blog_name']) OR empty($_POST['blog_subtitle'])))) if (!$_POST OR (!empty($_POST) AND (empty($_POST['edit_blog_submit']) OR empty($_POST['blog_name']) )))
{ {
// if there is post data there is certainly an error in the form // if there is post data there is certainly an error in the form
if ($_POST) { if ($_POST) {
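Review bot: `$get_blog_id` at the top of the first hunk is handed to `Blog::edit_blog()` after only `Security::remove_XSS()`, which is an HTML filter and not an integer check; unless `edit_blog()` casts or escapes it itself (its body is not in this commit), the id should be taken as `$get_blog_id = (int) $_POST['blog_id'];` before it can reach a query. The same hunk validates the raw `$_POST['blog_name']` with `!empty()`/`strlen(trim())` but stores the filtered `$get_blog_name`, so a title consisting only of stripped markup passes the check and is saved empty; testing `strlen(trim($get_blog_name)) > 0` instead closes that gap. Lines 16-17 also read `$_POST['blog_subtitle']` unconditionally, which now raises an undefined-index notice when the optional field is omitted, so `$_POST['blog_subtitle'] ?? ''` (or `isset()`) is needed there. The enclosing `if (api_is_allowed_to_edit())` block starts before the first hunk, and the last hunk is cut off after `if ($_POST) {`.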

@ -141,7 +141,7 @@ class Blog
$tbl_blogs_tasks = Database::get_course_table(TABLE_BLOGS_TASKS); $tbl_blogs_tasks = Database::get_course_table(TABLE_BLOGS_TASKS);
//verified if exist blog //verified if exist blog
$sql='SELECT COUNT(*) as count FROM '.$tbl_blogs.' WHERE blog_name="'.$title.'" AND blog_subtitle="'.$subtitle.'";'; $sql='SELECT COUNT(*) as count FROM '.$tbl_blogs.' WHERE blog_name="'.Database::escape_string($title).'" AND blog_subtitle="'.Database::escape_string($subtitle).'";';
$res=Database::query($sql,__FILE__,__LINE__); $res=Database::query($sql,__FILE__,__LINE__);
$info_count=Database::result($res,0,0); $info_count=Database::result($res,0,0);
if ($info_count==0) { if ($info_count==0) {
@ -1326,7 +1326,7 @@ class Blog
// article text // article text
$oFCKeditor = new FCKeditor('post_full_text') ; $oFCKeditor = new FCKeditor('post_full_text') ;
$oFCKeditor->Width = '100%'; $oFCKeditor->Width = '100%';
$oFCKeditor->Height = '400'; $oFCKeditor->Height = '200';
if(!api_is_allowed_to_edit()) { if(!api_is_allowed_to_edit()) {
$oFCKeditor->ToolbarSet = 'Blog_Student'; $oFCKeditor->ToolbarSet = 'Blog_Student';
} else { } else {
@ -1426,7 +1426,7 @@ class Blog
$oFCKeditor = new FCKeditor('post_full_text') ; $oFCKeditor = new FCKeditor('post_full_text') ;
$oFCKeditor->Width = '100%'; $oFCKeditor->Width = '100%';
$oFCKeditor->Height = '400'; $oFCKeditor->Height = '200';
if(!api_is_allowed_to_edit()) if(!api_is_allowed_to_edit())
{ {
@ -2522,7 +2522,7 @@ class Blog
// comment text // comment text
$oFCKeditor = new FCKeditor('comment_text') ; $oFCKeditor = new FCKeditor('comment_text') ;
$oFCKeditor->Width = '100%'; $oFCKeditor->Width = '100%';
$oFCKeditor->Height = '300'; $oFCKeditor->Height = '200';
if(!api_is_allowed_to_edit()) if(!api_is_allowed_to_edit())
{ {
$oFCKeditor->ToolbarSet = 'BlogComment_Student'; $oFCKeditor->ToolbarSet = 'BlogComment_Student';
@ -2769,16 +2769,16 @@ class Blog
<span class="form_required">*</span>' . get_lang('Title') . ' <span class="form_required">*</span>' . get_lang('Title') . '
</div> </div>
<div class="formw"> <div class="formw">
<input name="blog_name" type="text" size="100" value="'.Security::remove_XSS($_POST['blog_name']).'" /> <input name="blog_name" type="text" size="50" value="'.Security::remove_XSS($_POST['blog_name']).'" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="label"> <div class="label">
<span class="form_required">*</span>' . get_lang('Subtitle') . ' ' . get_lang('Subtitle') . '
</div> </div>
<div class="formw"> <div class="formw">
<input name="blog_subtitle" type="text" size="100" value="'.Security::remove_XSS($_POST['blog_subtitle']).'"/> <input name="blog_subtitle" type="text" size="50" value="'.Security::remove_XSS($_POST['blog_subtitle']).'"/>
</div> </div>
</div> </div>
@ -2828,16 +2828,16 @@ class Blog
<span class="form_required">*</span>' . get_lang('Title') . ' <span class="form_required">*</span>' . get_lang('Title') . '
</div> </div>
<div class="formw"> <div class="formw">
<input name="blog_name" type="text" size="100" value="' . $blog['blog_name'] . '" /> <input name="blog_name" type="text" size="50" value="' . $blog['blog_name'] . '" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="label"> <div class="label">
<span class="form_required">*</span>' . get_lang('Subtitle') . ' ' . get_lang('Subtitle') . '
</div> </div>
<div class="formw"> <div class="formw">
<input name="blog_subtitle" type="text" size="100" value="' . $blog['blog_subtitle'] . '" /> <input name="blog_subtitle" type="text" size="50" value="' . $blog['blog_subtitle'] . '" />
</div> </div>
</div> </div>
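Review bot: The edit form in the last hunk writes `$blog['blog_name']` and `$blog['blog_subtitle']` straight into the `value="..."` attributes, whereas the new-blog form two hunks earlier passes the same fields through `Security::remove_XSS()`; if a double quote survives the filter on the way in, a stored title can close the attribute and inject further attributes, so this attribute context needs HTML encoding: `value="' . htmlspecialchars($blog['blog_name'], ENT_QUOTES) . '"`, and likewise for the subtitle. `remove_XSS()` on the new-blog form is a tag filter rather than an attribute encoder, so applying `htmlspecialchars()` there as well would make both forms consistent and safe by construction. The `Database::escape_string()` added to the existence check in the first hunk is the right fix; the INSERT that presumably follows it is outside the hunk, so confirm it escapes `$title` and `$subtitle` the same way.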
