diff --git a/main/announcements/announcements.inc.php b/main/announcements/announcements.inc.php
index f35afe55b9..bfd14641af 100644
--- a/main/announcements/announcements.inc.php
+++ b/main/announcements/announcements.inc.php
@@ -792,8 +792,8 @@ function store_advalvas_item($emailTitle, $newContent, $order, $to, $file_commen
     $tbl_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
     // filter data
-    $emailTitle = Database::escape_string(Security::remove_XSS($emailTitle));
-    $newContent = Database::escape_string(Security::remove_XSS($newContent,COURSEMANAGERLOWSECURITY));
+    $emailTitle = Database::escape_string($emailTitle);
+    $newContent = Database::escape_string($newContent);
     $order = intval($order);
     // store in the table announcement
@@ -848,8 +848,8 @@ function store_advalvas_group_item($emailTitle,$newContent, $order, $to, $to_use
     $tbl_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
     $newContent=stripslashes($newContent);
-    $emailTitle = Database::escape_string(Security::remove_XSS($emailTitle));
-    $newContent = Database::escape_string(Security::remove_XSS($newContent,COURSEMANAGERLOWSECURITY));
+    $emailTitle = Database::escape_string($emailTitle);
+    $newContent = Database::escape_string($newContent,COURSEMANAGERLOWSECURITY);
     $order = intval($order);
     // store in the table announcement
@@ -911,8 +911,8 @@ function edit_advalvas_item($id,$emailTitle,$newContent,$to, $file_comment='')
     global $tbl_item_property;
     $newContent=stripslashes($newContent);
-    $emailTitle = Database::escape_string(Security::remove_XSS($emailTitle));
-    $newContent = Database::escape_string(Security::remove_XSS($newContent,COURSEMANAGERLOWSECURITY));
+    $emailTitle = Database::escape_string($emailTitle);
+    $newContent = Database::escape_string($newContent,COURSEMANAGERLOWSECURITY);
     $order = intval($order);
     // store the modifications in the table announcement
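Review bot: In the second and third hunks (`store_advalvas_group_item`, `edit_advalvas_item`) `COURSEMANAGERLOWSECURITY` survives the removal of `Security::remove_XSS()` and is now passed as a second argument to `Database::escape_string()`, where it is a leftover rather than a filtering level and makes those two functions inconsistent with the first hunk's `$newContent = Database::escape_string($newContent);`. Use that one-argument form in all three places. Dropping the XSS filter at storage time also means the title and body now reach the announcement table with any HTML intact, so every place that renders them must escape for HTML on output; if that is not already the case, markup in an announcement body is stored once and served to every course member. The `// filter data` comment in the first hunk should say the value is only escaped for SQL, e.g. `// escape for SQL only; HTML escaping happens on output`. All three enclosing functions continue outside their hunks.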
diff --git a/main/announcements/announcements.php b/main/announcements/announcements.php
index cc1a7af08f..c530a0ad67 100644
--- a/main/announcements/announcements.php
+++ b/main/announcements/announcements.php
@@ -135,8 +135,8 @@ require_once($lib.'fileUpload.lib.php');
 ----------------------------------------------------------- */
-$safe_emailTitle = Security::remove_XSS($_POST['emailTitle']);
-$safe_newContent = Security::remove_XSS($_POST['newContent']);
+$safe_emailTitle = $_POST['emailTitle'];
+$safe_newContent = $_POST['newContent'];
 if (!empty($_POST['To'])) {
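Review bot: `$safe_emailTitle` and `$safe_newContent` keep their `safe_` prefix although they now hold the raw `$_POST` values, which will mislead anyone reading the code further down into treating them as filtered. Either rename them (e.g. `$emailTitle = $_POST['emailTitle'];`) or keep `Security::remove_XSS()` here and let the store functions do SQL escaping only. As far as this diff shows, `store_advalvas_item()` in the same commit now applies `Database::escape_string()` alone, so nothing between this assignment and the database strips HTML from the title or body; whatever displays announcements has to escape on output. The surrounding block continues outside the hunk.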
@@ -718,16 +718,23 @@ if (api_is_allowed_to_edit(false,true) OR (api_get_course_setting('allow_user_ed
 //set the charset and use it for the encoding of the email - small fix, not really clean (should check the content encoding origin first)
 //here we use the encoding used for the webpage where the text is encoded (ISO-8859-1 in this case)
-
-    //$to_email_address =$_POST['emailsAdd'];
-    //$mail_body;
-    $headers = array();
-    if (empty($charset)) { $charset='ISO-8859-1';}
-    $headers['Content-Type'] = 'text/html';
-    $headers['charset'] = $charset;
-    $mailid=$myrow["email"];
-
-    $newmail = api_mail_html(api_get_person_name($myrow["lastname"], $myrow["firstname"], null, PERSON_NAME_EMAIL_ADDRESS), $myrow["email"], stripslashes($emailSubject), $mail_body, api_get_person_name($_SESSION['_user']['lastName'], $_SESSION['_user']['firstName'], null, PERSON_NAME_EMAIL_ADDRESS), $_SESSION['_user']['mail'],$headers);
+
+    $recipient_name = api_get_person_name($myrow["lastname"], $myrow["firstname"], null, PERSON_NAME_EMAIL_ADDRESS);
+    $mailid = $myrow["email"];
+    $sender_name = api_get_person_name($_SESSION['_user']['lastName'], $_SESSION['_user']['firstName'], null, PERSON_NAME_EMAIL_ADDRESS);
+    $sender_email = $_SESSION['_user']['mail'];
+    $data_file = array();
+    if (!empty($_FILES['user_upload'])) {
+        $courseDir = $_course['path'].'/upload/announcements/';
+        $sys_course_path = api_get_path(SYS_COURSE_PATH);
+        $sql = 'SELECT path, filename FROM '.$tbl_announcement_attachment.'
+                WHERE announcement_id = "'.$insert_id.'"';
+        $result = Database::query($sql, __FILE__, __LINE__);
+        $row = Database::fetch_array($result);
+        $data_file = array('path' => $sys_course_path.$courseDir.$row['path'],
+                           'filename' => $row['filename']);
+    }
+    api_mail_html($recipient_name, $mailid, stripslashes($emailSubject), $mail_body, $sender_name, $sender_email, null, $data_file);
 }
 $sql_date="SELECT * FROM $db_name WHERE survey_id='$surveyid'";
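Review bot: `!empty($_FILES['user_upload'])` is true whenever the form had a file input, even when the user selected nothing (PHP still fills the entry with `error => UPLOAD_ERR_NO_FILE` and an empty name), so the attachment lookup runs on every send, and the result of `Database::fetch_array()` is never checked, so with no row `$row['path']` is undefined and `api_mail_html()` is handed the bare upload directory as the attachment path. The query also drops `$insert_id` into the string without a cast; presumably it is the numeric announcement id from the insert above, so `intval()` is the simplest guard. Since this block appears to sit inside the per-recipient loop over `$myrow`, the same SELECT is repeated for every recipient; consider computing `$data_file` once before the loop. The sketch below guards on the upload error code and on the fetched row. The enclosing `if`/loop starts outside the hunk.
```php
    $data_file = array();
    // only look the attachment up when a file was actually uploaded
    if (isset($_FILES['user_upload']['error']) && $_FILES['user_upload']['error'] === UPLOAD_ERR_OK) {
        $courseDir = $_course['path'].'/upload/announcements/';
        $sys_course_path = api_get_path(SYS_COURSE_PATH);
        $sql = 'SELECT path, filename FROM '.$tbl_announcement_attachment.'
                WHERE announcement_id = '.intval($insert_id);
        $result = Database::query($sql, __FILE__, __LINE__);
        $row = Database::fetch_array($result);
        // no row (or an empty path) means there is nothing to attach
        if (is_array($row) && !empty($row['path'])) {
            $data_file = array('path' => $sys_course_path.$courseDir.$row['path'],
                               'filename' => $row['filename']);
        }
    }
    // … unchanged: api_mail_html() call …
```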
diff --git a/main/inc/lib/mail.lib.inc.php b/main/inc/lib/mail.lib.inc.php
index 466bd53a38..05ed74e441 100644
--- a/main/inc/lib/mail.lib.inc.php
+++ b/main/inc/lib/mail.lib.inc.php
@@ -110,11 +110,13 @@ function api_mail($recipient_name, $recipient_email, $subject, $message, $sender
  * @param string sender name
  * @param string sender e-mail
  * @param array extra headers in form $headers = array($name => $value) to allow parsing
+ * @param array data file (path and filename)
  * @return returns true if mail was sent
  * @see class.phpmailer.php
  */
-function api_mail_html($recipient_name, $recipient_email, $subject, $message, $sender_name="", $sender_email="", $extra_headers=null) {
+function api_mail_html($recipient_name, $recipient_email, $subject, $message, $sender_name = "", $sender_email = "", $extra_headers = null, $data_file = array()) {
+
     global $regexp;
     global $platform_email;
@@ -164,9 +166,14 @@ function api_mail_html($recipient_name, $recipient_email, $subject, $message, $s
     {
         $mail->FromName = $platform_email['SMTP_FROM_NAME'];
     }
-    $mail->Subject = $subject;
-    $mail->AltBody = strip_tags(str_replace('
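Review bot: The new `@param array data file (path and filename)` line names neither the parameter nor the keys the array must carry, while the attachment code later in the function reads `$data_file['path']` and `$data_file['filename']`, and it does not say the argument is optional. Document the shape, e.g. `@param array $data_file optional attachment as array('path' => absolute path on disk, 'filename' => name shown to the recipient); an empty array sends no attachment`. The function body continues outside the hunk.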
',"\n",$message));
-    $mail->Body = ''.$message.'';
+    $mail->Subject = $subject;
+    $mail->AltBody = strip_tags(str_replace('
',"\n", api_html_entity_decode($message)));
+    $mail->Body = ''.$message.'';
+    // attachment ...
+    if (!empty($data_file)) {
+        $mail->AddAttachment($data_file['path'], $data_file['filename']);
+    }
+
     //only valid address
     if(is_array($recipient_email)) {
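Review bot: `$mail->AddAttachment($data_file['path'], $data_file['filename'])` ignores the return value, so a missing or unreadable file silently sends the mail without its attachment while the caller still sees the function's documented `true`; PHPMailer reports this failure as `false` (or an exception, depending on the bundled version). `!empty($data_file)` also only checks that the array is non-empty, not that `path` is present, so a malformed array triggers undefined-index notices on the next line. Change the guard to `if (!empty($data_file['path']) && !$mail->AddAttachment($data_file['path'], $data_file['filename'])) { return false; }` so the `@return` contract holds, and replace the placeholder `// attachment ...` comment with one that says why the attachment is optional. The function body continues on both sides of the hunk.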