Adding security to the style preview

skala
Julio Montoya 15 years ago
parent a9ea5ed0bd
commit 0b2965a1c3
  1. 24
      main/admin/settings.php
  2. 40
      main/admin/style_preview.php

@ -622,23 +622,18 @@ function handle_stylesheets()
// Current style
$currentstyle = api_get_setting('stylesheets');
$is_style_changeable=false;
if ($_configuration['access_url']!=1)
{
if ($_configuration['access_url']!=1) {
$style_info = api_get_settings('stylesheets','',1,0);
$url_info = api_get_access_url($_configuration['access_url']);
if ($style_info[0]['access_url_changeable']==1 && $url_info['active']==1)
{
if ($style_info[0]['access_url_changeable']==1 && $url_info['active']==1) {
$is_style_changeable=true;
echo '<div class="actions" id="stylesheetuploadlink">';
Display::display_icon('theme_add.gif');
echo '<a href="" onclick="document.getElementById(\'newstylesheetform\').style.display = \'block\'; document.getElementById(\'stylesheetuploadlink\').style.display = \'none\';return false; ">'.get_lang('UploadNewStylesheet').'</a>';
echo '</div>';
}
}
else
{
} else {
$is_style_changeable=true;
echo '<div class="actions" id="stylesheetuploadlink">';
Display::display_icon('theme_add.gif');
@ -654,8 +649,7 @@ function handle_stylesheets()
$form->addRule('new_stylesheet', get_lang('InvalidExtension').' ('.implode(',', $allowed_file_types).')', 'filetype', $allowed_file_types);
$form->addRule('new_stylesheet', get_lang('ThisFieldIsRequired'), 'required');
$form->addElement('style_submit_button', 'stylesheet_upload', get_lang('Ok'), array('class'=>'save'));
if( $form->validate() AND is_writable(api_get_path(SYS_CODE_PATH).'css/'))
{
if( $form->validate() AND is_writable(api_get_path(SYS_CODE_PATH).'css/')) {
$values = $form->exportValues();
$picture_element = & $form->getElement('new_stylesheet');
$picture = $picture_element->getValue();
@ -668,9 +662,7 @@ function handle_stylesheets()
event_system(LOG_CONFIGURATION_SETTINGS_CHANGE, LOG_CONFIGURATION_SETTINGS_CATEGORY, $category, $time, $user_id);
Display::display_confirmation_message(get_lang('StylesheetAdded'));
}
else
{
} else {
if (!is_writable(api_get_path(SYS_CODE_PATH).'css/'))
{
Display::display_error_message(api_get_path(SYS_CODE_PATH).'css/'.get_lang('IsNotWritable'));
@ -705,8 +697,8 @@ function handle_stylesheets()
echo '<div><iframe src="style_preview.php" width="100%" height="300" name="preview"></iframe></div>';
echo '<form name="stylesheets" method="post" action="'.api_get_self().'?category='.Security::remove_XSS($_GET['category']).'">';
if ($handle = @opendir(api_get_path(SYS_PATH).'main/css/'))
{
if ($handle = @opendir(api_get_path(SYS_PATH).'main/css/')) {
$counter=1;
while (false !== ($style_dir = readdir($handle)))
{

@ -1,32 +1,34 @@
<?php
include_once('../inc/global.inc.php');
if (isset($_GET['style']) AND $_GET['style']<>'')
{
$style=Security::remove_XSS($_GET['style']);
//$htmlHeadXtra[] = '<link href="../css/'.$_GET['style'].'/default.css" rel="stylesheet" type="text/css">';
echo '<link href="../css/'.$style.'/default.css" rel="stylesheet" type="text/css">';
}
else
{
/* For licensing terms, see /chamilo_license.txt */
require_once '../inc/global.inc.php';
if (isset($_GET['style']) AND $_GET['style']<>'') {
$style=Security::remove_XSS($_GET['style']);
$all_styles = api_get_themes();
if (in_array($style, $all_styles[0])) {
echo '<link href="../css/'.$style.'/default.css" rel="stylesheet" type="text/css">';
}
} else {
$currentstyle = api_get_setting('stylesheets');
echo '<link href="../css/'.$currentstyle.'/default.css" rel="stylesheet" type="text/css">';
}
//Display::display_header($tool_name);
include(api_get_path(INCLUDE_PATH).'banner.inc.php');
require_once api_get_path(INCLUDE_PATH).'banner.inc.php';
?>
<!-- start of #main wrapper for #content and #menu divs -->
<!-- Begin Of script Output -->
<div class="maincontent">
<h3>tool title</h3>
<h3>Tool title</h3>
<div id="courseintro">
<p>This is the introduction text.
</div>
<div id="courseintro_icons">
<a href="#"><?php Display::display_icon('edit.gif', get_lang('Edit')); ?></a><a href="#"><?php Display::display_icon('delete.gif', get_lang('Delete')); ?></a></div>
<div class="normal-message"> Normal Message </div>
<div class="confirmation-message"> Confirmation Message </div>
<div class="warning-message"> Warning Message </div>
<div class="error-message"> Error Message </div>
<table width="750">
<tr>
@ -119,18 +121,14 @@ include(api_get_path(INCLUDE_PATH).'banner.inc.php');
<tr>
<th style="width:100px"><a href="#">Firstname</a>&nbsp;&#8595; </th>
<th style="width:100px"><a href="#">Lastname</a></th>
</tr>
<tr class="row_even">
<td >Firstname</td>
<td >Lastname</td>
</tr>
</tr>
<tr class="row_odd">
<td >Julio</td>
<td >Montoya</td>
<td>Julio</td>
<td>Montoya</td>
</tr>
<tr class="row_even">
<td >Patrick</td>
<td >Cool</td>
<td>Yannick</td>
<td>Warnier</td>
</tr>
</table>
<table width="100%">
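Review bot: The new allowlist check in the first hunk, `if (in_array($style, $all_styles[0])) {`, uses loose comparison, so it should be `if (in_array($style, $all_styles[0], true)) {` to keep `==` from matching a numeric-looking `style` value against a differently spelled theme name. That allowlist, not the preceding `Security::remove_XSS` call, is what keeps `$style` from reaching the `../css/` href as a traversal or attribute-injection value, so a comment at the check would help, e.g. `// Only emit the link for a theme that exists; this check, not remove_XSS, guards the path in the href`. Whether `$all_styles[0]` is a flat list of theme directory names depends on `api_get_themes()`, which is outside this hunk, so that shape is worth confirming before relying on the check. The `else` branch echoes `$currentstyle` from `api_get_setting('stylesheets')` without the same check, which is acceptable only while that setting stays admin-controlled.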
