[svn r13295] Fix encoding problem by using $charset inside calls to htmlentities() and htmlspecialchars

Yannick Warnier 18 years ago
parent 33b87d2fc8
commit 06ec857bd1
  1. 8
      main/admin/course_category.php
  2. 4
      main/inc/header.inc.php
  3. 2
      main/inc/introductionSection.inc.php
  4. 20
      main/inc/lib/blog.lib.php
  5. 15
      main/inc/lib/display.lib.php
  6. 3
      main/inc/lib/security.lib.php
  7. 3
      main/inc/lib/sortabletable.class.php
  8. 4
      main/inc/reduced_header.inc.php

@ -1,4 +1,4 @@
<?php // $Id: course_category.php 12269 2007-05-03 14:17:37Z elixir_julian $
<?php // $Id: course_category.php 13295 2007-09-27 02:16:44Z yannoo $
/*
==============================================================================
Dokeos - elearning and course management software
@ -163,11 +163,11 @@ if(!empty($errorMsg))
<tr>
<td nowrap="nowrap"><?php echo get_lang("CategoryCode"); ?> :</td>
<td><input type="text" name="categoryCode" size="20" maxlength="20" value="<?php echo htmlentities(stripslashes($categoryCode)); ?>" /></td>
<td><input type="text" name="categoryCode" size="20" maxlength="20" value="<?php echo htmlentities(stripslashes($categoryCode),ENT_QUOTES,$charset); ?>" /></td>
</tr>
<tr>
<td nowrap="nowrap"><?php echo get_lang("CategoryName"); ?> :</td>
<td><input type="text" name="categoryName" size="20" maxlength="100" value="<?php echo htmlentities(stripslashes($categoryName)); ?>" /></td>
<td><input type="text" name="categoryName" size="20" maxlength="100" value="<?php echo htmlentities(stripslashes($categoryName),ENT_QUOTES,$charset); ?>" /></td>
</tr>
<tr>
<td nowrap="nowrap"><?php echo get_lang("AllowCoursesInCategory"); ?></td>
@ -201,7 +201,7 @@ else
<li>
<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($enreg['code']); ?>"><img src="../img/folder_document.gif" border="0" title="<?php echo get_lang("OpenNode"); ?>" alt="" align="absbottom" /></a>
<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>&amp;action=edit&amp;id=<?php echo urlencode($enreg['code']); ?>"><img src="../img/edit.gif" border="0" title="<?php echo get_lang("EditNode"); ?>" alt ="" /></a>
<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>&amp;action=delete&amp;id=<?php echo urlencode($enreg['code']); ?>" onclick="javascript:if(!confirm('<?php echo addslashes(htmlentities(get_lang('ConfirmYourChoice'))); ?>')) return false;"><img src="../img/delete.gif" border="0" title="<?php echo get_lang("DeleteNode"); ?>" alt="" /></a>
<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>&amp;action=delete&amp;id=<?php echo urlencode($enreg['code']); ?>" onclick="javascript:if(!confirm('<?php echo addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset)); ?>')) return false;"><img src="../img/delete.gif" border="0" title="<?php echo get_lang("DeleteNode"); ?>" alt="" /></a>
<a href="<?php echo api_get_self(); ?>?category=<?php echo urlencode($category); ?>&amp;action=moveUp&amp;id=<?php echo urlencode($enreg['code']); ?>&amp;tree_pos=<?php echo $enreg['tree_pos']; ?>"><img src="../img/up.gif" border="0" title="<?php echo get_lang("UpInSameLevel"); ?>" alt="" /></a>
<?php echo $enreg['name']; ?>
(<?php echo $enreg['children_count']; ?> <?php echo get_lang("Categories"); ?> - <?php echo $enreg['nbr_courses']; ?> <?php echo get_lang("Courses"); ?>)
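Review bot: The confirm-dialog escaping in the delete link of the last hunk is now in the wrong order for an `onclick` attribute, and adding ENT_QUOTES is what exposes it: `htmlentities(..., ENT_QUOTES, $charset)` turns an apostrophe in the translated string into `&#039;`, so `addslashes()` never sees a quote to escape, the browser decodes the entity back to `'` inside the attribute value, and the JavaScript string literal breaks — a handler that fails to parse never returns false, so the link navigates without any confirmation. Escape for the inner context first and the outer context second: replace `addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))` with `htmlspecialchars(addslashes(get_lang('ConfirmYourChoice')), ENT_QUOTES, $charset)`. The same `addslashes(htmlentities(...))` order appears in introductionSection.inc.php, six times in blog.lib.php and once in sortabletable.class.php. Separately, `$enreg['name']` is echoed raw on the line after that link while the form fields in the previous hunk now escape `$categoryName`; `htmlentities($enreg['name'], ENT_QUOTES, $charset)` would close that gap.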

@ -90,8 +90,8 @@ echo '@import "'.$my_code_path.'css/'.$my_style.'/course.css";'."\n";
</style>
<link rel="top" href="<?php echo api_get_path(WEB_PATH); ?>index.php" title="" />
<link rel="courses" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/courses.php" title="<?php echo htmlentities(get_lang('OtherCourses')); ?>" />
<link rel="profil" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/profile.php" title="<?php echo htmlentities(get_lang('ModifyProfile')); ?>" />
<link rel="courses" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/courses.php" title="<?php echo htmlentities(get_lang('OtherCourses'),ENT_QUOTES,$charset); ?>" />
<link rel="profil" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/profile.php" title="<?php echo htmlentities(get_lang('ModifyProfile'),ENT_QUOTES,$charset); ?>" />
<link href="http://www.dokeos.com/documentation.php" rel="Help" />
<link href="http://www.dokeos.com/team.php" rel="Author" />
<link href="http://www.dokeos.com" rel="Copyright" />
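Review bot: `$charset` is read in the two title attributes but nothing in this include establishes it; if the including script has not set it, `htmlentities()` silently falls back to PHP's default encoding and an undefined-variable notice is raised, so the fix only holds where the caller defines the variable. A one-line comment above the `<link>` block would make the dependency visible: `<?php /* relies on $charset being set by the including script */ ?>`. The hunk in reduced_header.inc.php has the same unstated dependency.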

@ -178,7 +178,7 @@ if ($intro_dispCommand)
{
echo "<div id=\"courseintro_icons\"><p>\n",
"<a href=\"".api_get_self()."?intro_cmdEdit=1\"><img src=\"" . api_get_path(WEB_CODE_PATH) . "img/edit.gif\" alt=\"",get_lang('Modify'),"\" border=\"0\" /></a>\n",
"<a href=\"".api_get_self()."?intro_cmdDel=1\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang('ConfirmYourChoice')))."')) return false;\"><img src=\"" . api_get_path(WEB_CODE_PATH) . "img/delete.gif\" alt=\"",get_lang('Delete'),"\" border=\"0\" /></a>\n",
"<a href=\"".api_get_self()."?intro_cmdDel=1\" onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."')) return false;\"><img src=\"" . api_get_path(WEB_CODE_PATH) . "img/delete.gif\" alt=\"",get_lang('Delete'),"\" border=\"0\" /></a>\n",
"</p>\n</div>";
}
}

@ -814,7 +814,7 @@ class Blog
$tbl_blogs_comments = Database::get_course_table(TABLE_BLOGS_COMMENTS);
$tbl_users = Database::get_main_table(TABLE_MAIN_USER);
global $dateFormatLong;
global $charset,$dateFormatLong;
// Get posts and author
$sql = "SELECT post.*, user.lastname, user.firstname FROM $tbl_blogs_posts post
@ -842,7 +842,7 @@ class Blog
$blog_post_actions .= '<a href="blog.php?action=edit_post&amp;blog_id=' . $blog_id . '&amp;post_id=' . $post_id . '&amp;article_id=' . $blog_post['post_id'] . '&amp;task_id=' . $task_id . '" title="' . get_lang('EditThisPost') . '"><img src="../img/edit.gif" /></a>';
if(api_is_allowed('BLOG_' . $blog_id, 'article_delete', $task_id))
$blog_post_actions .= '<a href="blog.php?action=view_post&amp;blog_id=' . $blog_id . '&amp;post_id=' . $post_id . '&amp;do=delete_article&amp;article_id=' . $blog_post['post_id'] . '&amp;task_id=' . $task_id . '" title="' . get_lang('DeleteThisArticle') . '" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"))). '\')) return false;"><img src="../img/delete.gif" border="0" /></a>';
$blog_post_actions .= '<a href="blog.php?action=view_post&amp;blog_id=' . $blog_id . '&amp;post_id=' . $post_id . '&amp;do=delete_article&amp;article_id=' . $blog_post['post_id'] . '&amp;task_id=' . $task_id . '" title="' . get_lang('DeleteThisArticle') . '" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)). '\')) return false;"><img src="../img/delete.gif" border="0" /></a>';
if(api_is_allowed('BLOG_' . $blog_id, 'article_rate'))
$rating_select = Blog::display_rating_form('post',$blog_id,$post_id);
@ -995,7 +995,7 @@ class Blog
$tbl_blogs_comments = Database::get_course_table(TABLE_BLOGS_COMMENTS);
$tbl_users = Database::get_main_table(TABLE_MAIN_USER);
$tbl_blogs_tasks = Database::get_course_table(TABLE_BLOGS_TASKS);
global $dateFormatLong;
global $charset,$dateFormatLong;
// Select top level comments
$next_level = $current_level + 1;
@ -1026,7 +1026,7 @@ class Blog
$blog_comment_date = ucfirst(format_locale_date($dateFormatLong,strtotime($comment['date_creation'])));
$blog_comment_time = date('H:i',strtotime($comment['date_creation']));
$blog_comment_actions = "";
if(api_is_allowed('BLOG_' . $blog_id, 'article_comments_delete', $task_id)) { $blog_comment_actions .= '<a href="blog.php?action=view_post&amp;blog_id=' . $blog_id . '&amp;post_id=' . $post_id . '&amp;do=delete_comment&amp;comment_id=' . $comment['comment_id'] . '&amp;task_id=' . $task_id . '" title="' . get_lang('DeleteThisComment') . '" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"))). '\')) return false;"><img src="../img/delete.gif" border="0" /></a>'; }
if(api_is_allowed('BLOG_' . $blog_id, 'article_comments_delete', $task_id)) { $blog_comment_actions .= '<a href="blog.php?action=view_post&amp;blog_id=' . $blog_id . '&amp;post_id=' . $post_id . '&amp;do=delete_comment&amp;comment_id=' . $comment['comment_id'] . '&amp;task_id=' . $task_id . '" title="' . get_lang('DeleteThisComment') . '" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)). '\')) return false;"><img src="../img/delete.gif" border="0" /></a>'; }
if(api_is_allowed('BLOG_' . $blog_id, 'article_comments_rate')) { $rating_select = Blog::display_rating_form('comment', $blog_id, $post_id, $comment['comment_id']); }
if(!is_null($comment['task_id']))
@ -1258,6 +1258,7 @@ class Blog
*/
function display_task_list($blog_id)
{
global $charset;
if(api_is_allowed('BLOG_' . $blog_id, 'article_add'))
{
// Init
@ -1301,7 +1302,7 @@ class Blog
$delete_icon = ($task['system_task'] == '1') ? "delete_na.gif" : "delete.gif";
$delete_title = ($task['system_task'] == '1') ? get_lang('DeleteSystemTask') : get_lang('DeleteTask');
$delete_link = ($task['system_task'] == '1') ? '#' : api_get_self() . '?action=manage_tasks&amp;blog_id=' . $task['blog_id'] . '&amp;do=delete&amp;task_id=' . $task['task_id'];
$delete_confirm = ($task['system_task'] == '1') ? '' : 'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"))). '\')) return false;"';
$delete_confirm = ($task['system_task'] == '1') ? '' : 'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)). '\')) return false;"';
echo '<tr class="' . $css_class . '" valign="top">',
'<td width="240">' . stripslashes($task['title']) . '</td>',
@ -1335,7 +1336,7 @@ class Blog
$tbl_blogs_tasks = Database::get_course_table(TABLE_BLOGS_TASKS);
$tbl_blogs_tasks_rel_user = Database::get_course_table(TABLE_BLOGS_TASKS_REL_USER);
$counter = 0;
global $color2;
global $charset,$color2;
echo '<span class="blogpost_title">' . get_lang('AssignedTasks') . '</span><br />';
echo "<table class=\"data_table\">";
@ -1362,7 +1363,7 @@ class Blog
$delete_icon = ($task['system_task'] == '1') ? "delete_na.gif" : "delete.gif";
$delete_title = ($task['system_task'] == '1') ? get_lang('DeleteSystemTask') : get_lang('DeleteTask');
$delete_link = ($task['system_task'] == '1') ? '#' : api_get_self() . '?action=manage_tasks&amp;blog_id=' . $task['blog_id'] . '&amp;do=delete&amp;task_id=' . $task['task_id'];
$delete_confirm = ($task['system_task'] == '1') ? '' : 'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"))). '\')) return false;"';
$delete_confirm = ($task['system_task'] == '1') ? '' : 'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)). '\')) return false;"';
echo '<tr class="' . $css_class . '" valign="top">',
'<td width="240">' . $assignment['firstname'] . ' ' . $assignment['lastname'] . '</td>',
@ -1374,7 +1375,7 @@ class Blog
'<img src="../img/edit.gif" border="0" title="' . get_lang('EditTask') . '" />',
"</a>\n",
'<a href="' .api_get_self(). '?action=manage_tasks&amp;blog_id=' . $assignment['blog_id'] . '&amp;do=delete_assignment&amp;assignment_id=' . $assignment['task_id'] . '|' . $assignment['user_id'] . '" ',
'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"))). '\')) return false;"',
'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)). '\')) return false;"',
'<img src="../img/' . $delete_icon . '" border="0" title="' . $delete_title . '" />',
"</a>\n",
'</td>',
@ -2532,6 +2533,7 @@ class Blog
*/
function display_blog_list()
{
global $charset;
// Init
$counter = 0;
$tbl_blogs = Database::get_course_table(TABLE_BLOGS);
@ -2556,7 +2558,7 @@ class Blog
'<img src="../img/edit.gif" border="0" title="' . get_lang('EditBlog') . '" />',
"</a>\n",
'<a href="' .api_get_self(). '?action=delete&amp;blog_id=' . $blog['blog_id'] . '" ',
'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"))). '\')) return false;"',
'onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)). '\')) return false;"',
'<img src="../img/delete.gif" border="0" title="' . get_lang('DeleteBlog') . '" />',
"</a>\n",
'<a href="' .api_get_self(). '?action=visibility&amp;blog_id=' . $blog['blog_id'] . '">',
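Review bot: The hardening in these hunks stops at the translated confirm strings; stored fields emitted on neighbouring lines of the same hunks still go out raw — `stripslashes($task['title'])` in display_task_list and `$assignment['firstname'] . ' ' . $assignment['lastname']` in the hunk that follows — and those presumably come from user-entered data. With `$charset` now declared in those methods, escaping them costs one wrapper each, e.g. `'<td width="240">' . htmlentities(stripslashes($task['title']), ENT_QUOTES, $charset) . '</td>',`. The enclosing methods start and end outside the hunks, so other raw outputs in them cannot be checked from here.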

@ -304,10 +304,11 @@ class Display {
*/
function display_normal_message($message,$filter=true)
{
global $charset;
if($filter)
{
//filter message
$message = htmlentities($message);
$message = htmlentities($message,ENT_QUOTES,$charset);
}
if (!headers_sent())
{
@ -334,9 +335,10 @@ class Display {
*/
function display_warning_message($message,$filter=true)
{
global $charset;
if($filter){
//filter message
$message = htmlentities($message);
$message = htmlentities($message,ENT_QUOTES,$charset);
}
if (!headers_sent())
{
@ -362,9 +364,10 @@ class Display {
*/
function display_confirmation_message($message,$filter=true)
{
global $charset;
if($filter){
//filter message
$message = htmlentities($message);
$message = htmlentities($message,ENT_QUOTES,$charset);
}
if (!headers_sent())
{
@ -393,9 +396,10 @@ class Display {
*/
function display_error_message($message,$filter=true)
{
global $charset;
if($filter){
//filter message
$message = htmlentities($message);
$message = htmlentities($message,ENT_QUOTES,$charset);
}
if (!headers_sent())
@ -421,6 +425,7 @@ class Display {
*/
function encrypted_mailto_link($email, $clickable_text = null, $style_class = '')
{
global $charset;
if (is_null($clickable_text))
{
$clickable_text = $email;
@ -448,7 +453,7 @@ class Display {
}
else
{
$hclickable_text = htmlspecialchars($clickable_text);
$hclickable_text = htmlspecialchars($clickable_text,ENT_QUOTES,$charset);
}
//return encrypted mailto hyperlink
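Review bot: The filter step is now copied verbatim into display_normal_message, display_warning_message, display_confirmation_message and display_error_message, each with its own `global $charset;` and the same `$message = htmlentities($message,ENT_QUOTES,$charset);` line; a single private helper holding that line would keep the next encoding change from needing four edits. The `$filter=true` parameter also deserves a docblock entry, since passing `false` sends `$message` to the page unescaped: `@param bool $filter When false the message is emitted as-is and the caller is responsible for escaping it.` The method bodies continue outside the hunks.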

@ -250,7 +250,8 @@ class Security{
*/
function remove_XSS($var)
{
return htmlentities($var);
global $charset;
return htmlentities($var,ENT_QUOTES,$charset);
}
}
?>
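Review bot: remove_XSS() is, after this change, a bare `htmlentities($var,ENT_QUOTES,$charset)`, which is HTML body/attribute escaping rather than sanitisation; the name invites callers to treat its result as safe anywhere, but a value placed into a URL, a JavaScript string, or one that is later decoded gets no protection from it. The docblock ending just above the method should state the contract: `Escapes $var for an HTML body or quoted attribute (htmlentities, ENT_QUOTES, platform $charset). Not a general sanitiser; unsuitable for URL or JavaScript contexts.` with `@param string $var` and `@return string`.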

@ -192,6 +192,7 @@ class SortableTable extends HTML_Table
*/
function display()
{
global $charset;
$empty_table = false;
if ($this->get_total_number_of_items() == 0)
{
@ -252,7 +253,7 @@ class SortableTable extends HTML_Table
$html .= '<option value="'.$action.'">'.$label.'</option>';
}
$html .= '</select>';
$html .= '<input type="submit" value="'.get_lang('Ok').'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmYourChoice")))."'".')) return false;"/>';
$html .= '<input type="submit" value="'.get_lang('Ok').'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset))."'".')) return false;"/>';
}
else
{

@ -83,8 +83,8 @@ if($style<>'')
?>
<link rel="top" href="<?php echo api_get_path(WEB_PATH); ?>index.php" title="" />
<link rel="courses" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/courses.php" title="<?php echo htmlentities(get_lang('OtherCourses')); ?>" />
<link rel="profil" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/profile.php" title="<?php echo htmlentities(get_lang('ModifyProfile')); ?>" />
<link rel="courses" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/courses.php" title="<?php echo htmlentities(get_lang('OtherCourses'),ENT_QUOTES,$charset); ?>" />
<link rel="profil" href="<?php echo api_get_path(WEB_CODE_PATH) ?>auth/profile.php" title="<?php echo htmlentities(get_lang('ModifyProfile'),ENT_QUOTES,$charset); ?>" />
<link href="http://www.dokeos.com/documentation.php" rel="Help" />
<link href="http://www.dokeos.com/team.php" rel="Author" />
<link href="http://www.dokeos.com" rel="Copyright" />
