Security fixes - Disable svg upload in my files + fix XSS

pull/3308/head
Julio Montoya 5 years ago
parent 9c24047384
commit 0bfe48eb32
  1. 21
      main/template/default/social/user_block.tpl
  2. 5
      src/Chamilo/CoreBundle/Component/Editor/Driver/PersonalDriver.php

@ -102,27 +102,30 @@
{% set linkedin_url = '' %} {% set linkedin_url = '' %}
{% for extra in user.extra %} {% for extra in user.extra %}
{% if extra.value.getField().getVariable() == 'skype' %} {% if extra.value.getField().getVariable() == 'skype' %}
{% set skype_account = extra.value.getValue() | remove_xss %} {% set skype_account %}
<a href="skype:{{ extra.value.getValue() }}?chat">
<span class="fa fa-skype fa-fw" aria-hidden="true"></span> {{ 'Skype'|get_lang }}
</a>
{% endset %}
{% endif %} {% endif %}
{% if extra.value.getField().getVariable() == 'linkedin_url' %} {% if extra.value.getField().getVariable() == 'linkedin_url' %}
{% set linkedin_url = extra.value.getValue() | remove_xss %} {% set linkedin_url %}
<a href="{{ extra.value.getValue() }}" target="_blank">
<span class="fa fa-linkedin fa-fw" aria-hidden="true"></span> {{ 'LinkedIn'|get_lang }}
</a>
{% endset %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% if 'allow_show_skype_account'|api_get_setting == 'true' and not skype_account is empty %} {% if 'allow_show_skype_account'|api_get_setting == 'true' and not skype_account is empty %}
<li class="item"> <li class="item">
<a href="skype:{{ skype_account }}?chat"> {{ skype_account | remove_xss}}
<span class="fa fa-skype fa-fw" aria-hidden="true"></span> {{ 'Skype'|get_lang }}
</a>
</li> </li>
{% endif %} {% endif %}
{% if 'allow_show_linkedin_url'|api_get_setting == 'true' and not linkedin_url is empty %} {% if 'allow_show_linkedin_url'|api_get_setting == 'true' and not linkedin_url is empty %}
<li class="item"> <li class="item">
<a href="{{ linkedin_url }}" target="_blank"> {{ linkedin_url | remove_xss}}
<span class="fa fa-linkedin fa-fw" aria-hidden="true"></span> {{ 'LinkedIn'|get_lang }}
</a>
</li> </li>
{% endif %} {% endif %}
{% endif %} {% endif %}
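Review bot: The `not skype_account is empty` test on the `allow_show_skype_account` line no longer guards against an empty value: `skype_account` is now a captured block (`{% set skype_account %} … {% endset %}`) that always contains the anchor markup, so the condition holds whenever a `skype` extra field exists, even when `extra.value.getValue()` is an empty string; the same applies to `linkedin_url`. Keeping the raw value in its own variable and testing that would restore the check, e.g. `{% set skype_value = extra.value.getValue() %}` before the block and `and not skype_value is empty` in the condition. Inside the captured blocks the raw value is written into `href` without `remove_xss`; the later `{{ skype_account | remove_xss }}` filters the assembled markup, and whether that is sufficient for a value in URL-attribute context depends on the filter's implementation, which is not visible here — an explicit http/https scheme check on the LinkedIn value before building the link would make the intent clear. The surrounding `{% if %}` that these lines close opens before the hunk.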

@ -1,4 +1,5 @@
<?php <?php
/* For licensing terms, see /license.txt */ /* For licensing terms, see /license.txt */
namespace Chamilo\CoreBundle\Component\Editor\Driver; namespace Chamilo\CoreBundle\Component\Editor\Driver;
@ -7,8 +8,6 @@ namespace Chamilo\CoreBundle\Component\Editor\Driver;
* Class PersonalDriver. * Class PersonalDriver.
* *
* @todo add more checks in upload/rm * @todo add more checks in upload/rm
*
* @package Chamilo\CoreBundle\Component\Editor\Driver
*/ */
class PersonalDriver extends Driver implements DriverInterface class PersonalDriver extends Driver implements DriverInterface
{ {
@ -49,6 +48,8 @@ class PersonalDriver extends Driver implements DriverInterface
'text/html', 'text/html',
'text/javascript', 'text/javascript',
'text/ecmascript', 'text/ecmascript',
'image/svg+xml',
'image/svg',
]; ];
$driver = [ $driver = [
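Review bot: The two added entries extend what appears to be a denied-MIME-type list (its neighbours are `text/html` and `text/javascript`), but nothing in the hunk shows how an uploaded file's type is determined; if the comparison uses the client-supplied type or the extension alone, a deny list keyed on MIME strings is weaker than the commit title ("Disable svg upload") suggests, so the matching code outside this hunk should be confirmed to rely on server-side detection and to also cover the `.svg`/`.svgz` extensions. A short comment would help future maintainers understand why an image type sits among script types, e.g. `// SVG is XML and may embed script; treated like HTML`. The `@todo add more checks in upload/rm` in the class docblock still stands after this change. The array literal and the enclosing class body start before the hunk.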
