Adding remove_XSS function see #6715

1.9.x
Julio Montoya 11 years ago
parent e151f6b7f3
commit 0a263121d2
  1. 12
      plugin/ticket/src/myticket.php
  2. 25
      plugin/ticket/src/new_ticket.php
  3. 16
      plugin/ticket/src/send_ticket.php

@ -1,6 +1,6 @@
<?php
/* For licensing terms, see /license.txt */
/**
* This script is the Tickets plugin main entry point
* @package chamilo.plugin.ticket
@ -10,8 +10,8 @@
*/
$language_file = array('messages', 'userInfo', 'admin');
$cidReset = true;
$course_plugin = 'ticket'; //needed in order to load the plugin lang variables
//needed in order to load the plugin lang variables
$course_plugin = 'ticket';
require_once '../config.php';
$plugin = TicketPlugin::create();
@ -205,9 +205,9 @@ $isAdmin = api_is_platform_admin();
Display::display_header($plugin->get_lang('MyTickets'));
if ($isAdmin) {
$get_parameter = '&keyword=' . $_GET['keyword'] . '&keyword_status=' . $_GET['keyword_status'] . '&keyword_category=' . $_GET['keyword_category'] . '&keyword_request_user=' . $_GET['keyword_request_user'];
$get_parameter .= '&keyword_admin=' . $_GET['keyword_admin'] . '&keyword_start_date=' . $_GET['keyword_start_date'] . '&keyword_unread=' . $_GET['keyword_unread'];
$get_parameter2 = '&Tickets_per_page=' . $_GET['Tickets_per_page'] . '&Tickets_column=' . $_GET['Tickets_column'];
$get_parameter = '&keyword=' . Security::remove_XSS($_GET['keyword']) . '&keyword_status=' . Security::remove_XSS($_GET['keyword_status']) . '&keyword_category=' .Security::remove_XSS($_GET['keyword_category']). '&keyword_request_user=' . Security::remove_XSS($_GET['keyword_request_user']);
$get_parameter .= '&keyword_admin=' . Security::remove_XSS($_GET['keyword_admin']) . '&keyword_start_date=' . Security::remove_XSS($_GET['keyword_start_date']) . '&keyword_unread=' . Security::remove_XSS($_GET['keyword_unread']);
$get_parameter2 = '&Tickets_per_page=' . Security::remove_XSS($_GET['Tickets_per_page']) . '&Tickets_column=' . Security::remove_XSS($_GET['Tickets_column']);
if (isset($_GET['submit_advanced'])) {
$get_parameter .= "&submit_advanced=";
}
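Review bot: The values concatenated into `$get_parameter` and `$get_parameter2` on the new lines are being placed into a URL query string, and `Security::remove_XSS` is an HTML sanitizer rather than a URL encoder, so a keyword containing `&`, `=`, `#` or a space still breaks the query, and whatever the sanitizer passes through is emitted raw wherever `$get_parameter` is later echoed (outside this hunk). Build the string with `http_build_query()`, which percent-encodes every value for the URL context, and escape for HTML at the point where the string is written into a link; each `$_GET` key is also read without `isset()`, so an unfiltered page load raises a notice per key. `Tickets_per_page` and `Tickets_column` look like pagination and sort inputs; if they reach a `LIMIT` or `ORDER BY` further down (not visible here), XSS sanitizing does nothing for SQL, so cast the first to `(int)` and check the second against an allow-list of column names at the point of use. The `if ($isAdmin)` block continues past the end of the hunk.

```php
if ($isAdmin) {
    $filters = array();
    foreach (array('keyword', 'keyword_status', 'keyword_category', 'keyword_request_user',
                   'keyword_admin', 'keyword_start_date', 'keyword_unread') as $key) {
        $filters[$key] = isset($_GET[$key]) ? $_GET[$key] : '';
    }
    // http_build_query() percent-encodes each value for the URL context.
    $get_parameter = '&' . http_build_query($filters);
    $paging = array(
        'Tickets_per_page' => isset($_GET['Tickets_per_page']) ? $_GET['Tickets_per_page'] : '',
        'Tickets_column'   => isset($_GET['Tickets_column']) ? $_GET['Tickets_column'] : '',
    );
    $get_parameter2 = '&' . http_build_query($paging);
    // … unchanged: submit_advanced handling …
```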

@ -193,8 +193,6 @@ function show_form_send_ticket()
$select_types .= '</div></div>';
echo $select_types;
// Course
$courses_list = CourseManager::get_courses_list_by_user_id($user_id, false, true);
$select_course = '<div id="user_request" >
</div>';
echo $select_course;
@ -341,7 +339,7 @@ function save_ticket()
$category_id = $_POST['category_id'];
$content = $_POST['content'];
if ($_POST['phone'] != "") {
$content .= '<p style="color:red">&nbsp;' . get_lang('Phone') . ': ' . $_POST['phone'] . '</p>';
$content .= '<p style="color:red">&nbsp;' . get_lang('Phone') . ': ' . Security::remove_XSS($_POST['phone']). '</p>';
}
$course_id = $_POST['course_id'];
$project_id = $_POST['project_id'];
@ -356,11 +354,22 @@ function save_ticket()
$file_attachments = $_FILES;
$responsible = (api_is_platform_admin() ? api_get_user_id() : 0);
if (TicketManager::insert_new_ticket(
$category_id, $course_id, $project_id,
$other_area, $email, $subject, $content,
$personal_email, $file_attachments,
$source, $priority, $status, $user_id,
$responsible)) {
$category_id,
$course_id,
$project_id,
$other_area,
$email,
$subject,
$content,
$personal_email,
$file_attachments,
$source,
$priority,
$status,
$user_id,
$responsible
)
) {
header('location:' . api_get_path(WEB_PLUGIN_PATH) . PLUGIN_NAME . '/src/myticket.php?message=success');
exit;
} else {
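Review bot: The phone value on the new line of the `save_ticket()` hunk is still stored as free text inside a hand-built `<p>`; a phone number has a known shape, so validate it to digits and phone punctuation before it reaches the ticket body instead of relying on a generic sanitizer whose exact filtering is not visible here, and escape it with `htmlspecialchars()` for the HTML context it is embedded in. The neighbouring reads on the same lines — `$_POST['category_id']`, `$_POST['course_id']`, `$_POST['project_id']` — are passed to `TicketManager::insert_new_ticket()` untouched; unless that method validates them (it is not in this diff), cast the ids to `(int)` here so a non-numeric value cannot reach the query (if an empty course is a legitimate "no course" value, keep that case explicit). `$_POST['phone'] != ""` also reads the key without `isset()`, which raises a notice when the field is absent. `save_ticket()` starts before and ends after these hunks.

```php
// … unchanged: start of save_ticket() …
$category_id = (int) $_POST['category_id'];
$content = $_POST['content'];
if (isset($_POST['phone']) && $_POST['phone'] !== '') {
    // A phone number is digits plus a little punctuation; drop anything else before storing it.
    $phone = preg_replace('/[^0-9+()\s.\-]/', '', $_POST['phone']);
    $content .= '<p style="color:red">&nbsp;' . get_lang('Phone') . ': '
        . htmlspecialchars($phone, ENT_QUOTES, 'UTF-8') . '</p>';
}
$course_id = (int) $_POST['course_id'];
$project_id = (int) $_POST['project_id'];
// … unchanged: remaining field reads and the insert_new_ticket() call …
```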

@ -252,7 +252,7 @@ function save_ticket()
$category_id = $_POST['category_id'];
$content = $_POST['content'];
if ($_POST['phone'] != "")
$content.= '<p style="color:red">&nbsp;' . get_lang('Phone') . ': ' . $_POST['phone'] . '</p>';
$content.= '<p style="color:red">&nbsp;' . get_lang('Phone') . ': ' . Security::remove_XSS($_POST['phone']). '</p>';
$course_id = $_POST['course_id'];
$project_id = $_POST['project_id'];
$subject = $_POST['subject'];
@ -260,7 +260,19 @@ function save_ticket()
$email = $_POST['email'];
$personal_email = $_POST['personal_email'];
$file_attachments = $_FILES;
if (TicketManager::insert_new_ticket($category_id, $course_id, $project_id, $other_area, $email, $subject, $content, $personal_email, $file_attachments)) {
if (TicketManager::insert_new_ticket(
$category_id,
$course_id,
$project_id,
$other_area,
$email,
$subject,
$content,
$personal_email,
$file_attachments
)
) {
header('location:' . api_get_path(WEB_PLUGIN_PATH) . PLUGIN_NAME . '/src/myticket.php?message=success');
exit;
} else {
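Review bot: The phone line changed here is a verbatim copy of the one in `new_ticket.php`, so the same fix had to be made twice and any later tightening (validation, escaping) must again be remembered in both places; consider moving the construction of that `<p>` fragment into one shared helper in the plugin's library, presumably next to `TicketManager::insert_new_ticket()`, and have both `save_ticket()` functions call it. The brace-less `if ($_POST['phone'] != "")` on the line before the change also reads the key without `isset()` and is easy to break when a second statement is added; write it as `if (isset($_POST['phone']) && $_POST['phone'] !== '') {` with a braced body, as `new_ticket.php` already does. As in the other file, `$category_id`, `$course_id` and `$project_id` are handed to the insert untouched, so cast them to `(int)` unless the insert method is known to validate them. `save_ticket()` starts before and ends after these hunks.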
