[svn r20714] logic changes - added remove_xss - (partial FS#3909)

skala
Isaac Flores 17 years ago
parent 13ddc23172
commit 0f0d9cc21f
  1. 2
      main/inc/lib/social.lib.php
  2. 15
      main/social/contacts.inc.php
  3. 24
      main/social/data_personal.inc.php
  4. 15
      main/social/group_contact.inc.php
  5. 8
      main/social/index.php
  6. 14
      main/social/profile.php
  7. 14
      main/social/qualify_contact.inc.php
  8. 7
      main/social/register_friend.php
  9. 5
      main/social/select_friend_response.php
  10. 4
      main/social/select_options.php
  11. 14
      main/social/show_search_image.inc.php

@ -281,7 +281,7 @@ class UserFriend extends UserManager {
public function qualify_friend($id_friend_qualify,$type_qualify) {
$tbl_user_friend=Database::get_main_table(TABLE_MAIN_USER_FRIEND);
$user_id=api_get_user_id();
$sql='UPDATE '.$tbl_user_friend.' SET relation_type='.$type_qualify.' WHERE user_id='.Database::escape_string($user_id).' AND friend_user_id='.Database::escape_string($id_friend_qualify).';';
$sql='UPDATE '.$tbl_user_friend.' SET relation_type='.Database::escape_string($type_qualify).' WHERE user_id='.Database::escape_string($user_id).' AND friend_user_id='.Database::escape_string($id_friend_qualify).';';
api_sql_query($sql,__FILE__,__LINE__);
}
/**
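Review bot: Wrapping `$type_qualify` in `Database::escape_string` on the new `UPDATE` line does not make the statement safe, because `relation_type=`, `user_id=` and `friend_user_id=` are all unquoted numeric operands and quote-escaping only protects a value inside a quoted literal. Cast the three operands to integers instead: `$sql='UPDATE '.$tbl_user_friend.' SET relation_type='.intval($type_qualify).' WHERE user_id='.intval($user_id).' AND friend_user_id='.intval($id_friend_qualify).';';`. The caller in register_friend.php passes `$type_friend_qualify` through `Security::remove_XSS` only, so nothing upstream constrains the value to a number before it reaches this query.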

@ -1,11 +1,11 @@
<?php
$language_file = array('registration','messages','userInfo','admin');
require ('../inc/global.inc.php');
require_once (api_get_path(CONFIGURATION_PATH).'profile.conf.php');
include_once (api_get_path(LIBRARY_PATH).'fileManage.lib.php');
include_once (api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
include_once (api_get_path(LIBRARY_PATH).'image.lib.php');
require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php');
require '../inc/global.inc.php';
require_once api_get_path(CONFIGURATION_PATH).'profile.conf.php';
require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php';
require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
require_once api_get_path(LIBRARY_PATH).'image.lib.php';
require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
require_once '../inc/lib/social.lib.php';
$this_section = SECTION_MYPROFILE;
$_SESSION['this_section']=$this_section;
@ -58,11 +58,10 @@ $image_path = UserManager::get_user_picture_path_by_id ($user_id,'web',false,tru
echo '<div id="div_content_table">';
require_once 'show_search_image.inc.php';
echo '</div>';
?>
</td>
</tr>
</table></td>
</tr>
</table>
</div>
</div>

@ -22,9 +22,9 @@
*/
$language_file = array('registration','messages','userInfo','admin','forum','blog');
require_once ('../inc/global.inc.php');
require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php');
require_once (api_get_path(LIBRARY_PATH).'social.lib.php');
require_once '../inc/global.inc.php';
require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
require_once api_get_path(LIBRARY_PATH).'social.lib.php';
// @todo here we must show the user information as read only
//User picture size is calculated from SYSTEM path
@ -33,8 +33,8 @@ $img_array= UserManager::get_user_picture_path_by_id(api_get_user_id(),'web',tru
if (isset($_POST['load_ajax'])) {
require_once (api_get_path(LIBRARY_PATH).'blog.lib.php');
require_once (api_get_path(SYS_CODE_PATH).'forum/forumfunction.inc.php');
require_once api_get_path(LIBRARY_PATH).'blog.lib.php';
require_once api_get_path(SYS_CODE_PATH).'forum/forumfunction.inc.php';
$user_id = $_SESSION['social_user_id'];
if ($_POST['action']) {$action = $_POST['action'];}
switch($action) {
@ -58,7 +58,7 @@ if (isset($_POST['load_ajax'])) {
if ($forum_result !='') {
api_display_tool_title(get_lang('Forum'));
echo '<div class="social-background-content" style="background:#FAF9F6; padding:0px;" >';
echo $forum_result;
echo api_xml_http_response_encode($forum_result);
echo '</div>';
echo '<br />';
$all_result_data++;
@ -70,7 +70,7 @@ if (isset($_POST['load_ajax'])) {
echo '<div class="clear"></div><br />';
api_display_tool_title(get_lang('BlogPosts'));
echo '<div class="social-background-content" style="background:#FAF9F6; padding:0px;">';
echo $result;
echo api_xml_http_response_encode($result);
echo '</div>';
echo '<br />';
$all_result_data++;
@ -81,7 +81,7 @@ if (isset($_POST['load_ajax'])) {
if (!empty($result)) {
api_display_tool_title(get_lang('BlogComments'));
echo '<div class="social-background-content" style="background:#FAF9F6; padding:0px;">';
echo $result;
echo api_xml_http_response_encode($result);
echo '</div>';
echo '<br />';
$all_result_data++;
@ -157,9 +157,7 @@ $language_variable=api_xml_http_response_encode(get_lang('PersonalData'));
echo '<br/>';
}
echo '</div>';
}*/
echo '</div>';
}*/
echo '</div>';
}
?>
?>
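Review bot: In the `@ -33,8 +33,8` hunk `$action` is read from `$_POST['action']` behind a bare truthiness test and then dispatched through `switch($action)`, so a missing key leaves `$action` undefined (with a notice) and a present one is compared loosely against the case labels; the `switch` body continues past the hunk. Read it with a default and keep the comparison strict, e.g. `$action = isset($_POST['action']) ? $_POST['action'] : '';`, and treat any value outside the expected cases as a no-op. The new `echo api_xml_http_response_encode($forum_result)` and `echo api_xml_http_response_encode($result)` lines in the three later hunks only address output escaping if that helper HTML-escapes; if it is a charset conversion, which its name suggests, the forum and blog HTML is still emitted unescaped and that is worth confirming.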

@ -1,11 +1,11 @@
<?php
$language_file = array('registration','messages','userInfo','admin');
require ('../inc/global.inc.php');
require_once (api_get_path(CONFIGURATION_PATH).'profile.conf.php');
include_once (api_get_path(LIBRARY_PATH).'fileManage.lib.php');
include_once (api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
include_once (api_get_path(LIBRARY_PATH).'image.lib.php');
require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php');
require '../inc/global.inc.php';
require_once api_get_path(CONFIGURATION_PATH).'profile.conf.php';
require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php';
require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
require_once api_get_path(LIBRARY_PATH).'image.lib.php';
require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
require_once '../inc/lib/social.lib.php';
$this_section = SECTION_MYPROFILE;
$_SESSION['this_section']=$this_section;
@ -21,7 +21,6 @@ for ($p=0;$p<count($list_groups);$p++) {
$list_path_friends=UserFriend::get_list_path_web_by_user_id ($user_id,$list_groups[$p]['id']);
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0" class="data_table">
<tr>
<th align="left" id="<?php echo 'td_'.$list_groups[$p]['id']; ?>" style="cursor:pointer" valign="top" onclick="toogle_function(this)">
<?php echo api_xml_http_response_encode(get_lang($list_groups[$p]['title'])); ?>
@ -86,4 +85,4 @@ for ($p=0;$p<count($list_groups);$p++) {
</table>
<?php
}
?>
?>
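Review bot: In the `@ -21,7 +21,6` hunk the `<th id="<?php echo 'td_'.$list_groups[$p]['id']; ?>"` attribute is written without any escaping, while the title on the following line goes through `api_xml_http_response_encode`. If the group id is a database integer, cast it so the attribute can carry nothing else: `id="<?php echo 'td_'.(int)$list_groups[$p]['id']; ?>"`. The line is pre-existing context inside the `for` loop whose header and closing brace lie outside the hunk.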

@ -23,7 +23,7 @@
$cidReset = true;
$language_file = array('registration','messages','userInfo','admin');
require '../inc/global.inc.php';
require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
$this_section = SECTION_MYPROFILE;
$_SESSION['this_section']=$this_section;
api_block_anonymous_users();
@ -493,7 +493,6 @@ if (isset($_GET['sendform'])) {
}
$form_url_send=isset($form_send_data_message) ? $form_send_data_message :'';
?>
<div id="container-9">
<ul>
<li><a href="data_personal.inc.php"><span><?php Display :: display_icon('profile.png',get_lang('PersonalData')); echo '&nbsp;&nbsp;'.get_lang('PersonalData'); ?></span></a></li>
@ -510,11 +509,10 @@ $form_url_send=isset($form_send_data_message) ? $form_send_data_message :'';
<li><a href="group_contact.inc.php"><span><?php Display :: display_icon('group_contact.png',get_lang('ContactsGroups')); echo '&nbsp;&nbsp;'.get_lang('ContactsGroups'); ?></span></a></li>
<?php
}
?>
?>
</ul>
<?php echo '<div id="show">&nbsp;</div>';?>
</div>
<?php
Display :: display_footer();
?>
?>

@ -12,8 +12,8 @@
$language_file = array('registration','messages','userInfo','admin','forum','blog');
$cidReset = true;
require '../inc/global.inc.php';
require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php');
require_once (api_get_path(LIBRARY_PATH).'social.lib.php');
require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
require_once api_get_path(LIBRARY_PATH).'social.lib.php';
$user_id = api_get_user_id();
$show_full_profile = true;
@ -49,10 +49,10 @@ if (isset($_GET['u'])) {
$user_info = UserManager::get_user_info_by_id($user_id);
}
require_once (api_get_path(SYS_CODE_PATH).'calendar/myagenda.inc.php');
require_once (api_get_path(SYS_CODE_PATH).'announcements/announcements.inc.php');
require_once (api_get_path(LIBRARY_PATH).'course.lib.php');
require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php');
require_once api_get_path(SYS_CODE_PATH).'calendar/myagenda.inc.php';
require_once api_get_path(SYS_CODE_PATH).'announcements/announcements.inc.php';
require_once api_get_path(LIBRARY_PATH).'course.lib.php';
require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
api_block_anonymous_users();
@ -823,4 +823,4 @@ echo '</div>';
echo '</div>'; //from the main
echo '<form id="id_reload" action="#"></form>';
Display :: display_footer();
?>
?>
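Review bot: `api_block_anonymous_users();` on the last line of the `@ -49,10 +49,10` hunk runs after `$user_id` has already been resolved (from `$_GET['u']` in the lines above the hunk, judging by the hunk header) and after `UserManager::get_user_info_by_id($user_id)` has been called, so an anonymous request still performs the profile lookup before it is turned away. Move the `api_block_anonymous_users();` call up to directly after the `require_once` lines in the `@ -12,8 +12,8` hunk. Where `$_GET['u']` is read, cast it with `(int)` as this commit already does for `$_POST['user_friend']` in qualify_contact.inc.php.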

@ -5,7 +5,7 @@
Copyright (c) 2009 Dokeos SPRL
Copyright (c) Julio Montoya Armas
Copyright (c) Isaac Flores Paz
For a full list of contributors, see "credits.txt".
The full license can be read in "license.txt".
@ -23,9 +23,9 @@
$language_file=array('registration','messages','userInfo','admin');
require_once '../inc/global.inc.php';
require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php');
require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
require_once '../inc/lib/social.lib.php';
$user_friend=$_POST['user_friend'];
$user_friend=(int)$_POST['user_friend'];
$list_of_options=array();
$img_user=array();
$img_info_user=array();
@ -36,6 +36,7 @@ $number_list=count($list_of_options);
$user_id =urldecode($_GET['id_user']);
$user_id =str_replace("\\","",$user_id);
$user_friend=str_replace('"',"",$user_id);
$user_friend=Security::remove_XSS($user_friend);
$user_info=api_get_user_info($user_friend);
$user_friend_relation=UserFriend::get_relation_between_contacts(api_get_user_id(),$user_friend);
?>
@ -47,7 +48,7 @@ $user_friend_relation=UserFriend::get_relation_between_contacts(api_get_user_id(
<tr>
<td width="600" align="left">
<td width="50%"><br/>
<img src="<?php echo $img_user[1]; ?>" />
<img src="<?php echo Security::remove_XSS($img_user[1]); ?>" />
<?php
echo '<br /><br />'.$name_user=api_xml_http_response_encode($user_info['firstName'].' '.$user_info['lastName']);
?>
@ -61,8 +62,7 @@ for ($k=0;$k<$number_list;$k++) {
} else {
$check='';
}
?>
?>
<input <?php echo $check; ?> style="margin-left:50px" type="radio" class="radio" name="list_type_friend" value="<?php echo api_xml_http_response_encode($list_of_options[$k]['id']); ?>" />
<?php
echo api_xml_http_response_encode(get_lang($list_of_options[$k]['title']));
@ -80,4 +80,4 @@ echo '<br/>';
</td>
</tr>
</table>
</table>
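Review bot: The `(int)` cast added to `$user_friend` in the `@ -23,9 +23,9` hunk is overwritten in the `@ -36,6 +36,7` hunk, where `$user_friend` is reassigned from `$_GET['id_user']` after `urldecode` and two `str_replace` calls and then only passed through `Security::remove_XSS` before reaching `api_get_user_info($user_friend)` and `UserFriend::get_relation_between_contacts(...)`. `remove_XSS` is an HTML output filter, not a validator for a numeric key; replace the four lines with `$user_friend=(int)$_GET['id_user'];` so the lookup functions only ever see an integer, and drop the hand-written backslash/quote stripping, which is not a substitute for either escaping or validation. In the `@ -47,7 +48,7` hunk `Security::remove_XSS($img_user[1])` sits inside a `src` attribute, where `htmlspecialchars($img_user[1], ENT_QUOTES)` is the escaping that matches the context.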

@ -14,15 +14,14 @@ $my_current_friend = intval($_POST['friend_id']);
$my_denied_current_friend= intval($_POST['denied_friend_id']);
$my_delete_friend = intval($_POST['delete_friend_id']);
$friend_id_qualify = intval($_POST['user_id_friend_q']);
$type_friend_qualify = $_POST['type_friend_q']; //filtered?
$is_my_friend = $_POST['is_my_friend']; //filtered?
$type_friend_qualify = Security::remove_XSS($_POST['type_friend_q']); //filtered?
$is_my_friend = Security::remove_XSS($_POST['is_my_friend']); //filtered?
if (isset($is_my_friend)) {
$relation_type='3';//my friend
} else {
$relation_type='1';//Contact unknown
}
if (isset($my_current_friend)) {
UserFriend::register_friend ($the_current_user_id,$my_current_friend,$relation_type);
UserFriend::register_friend ($my_current_friend,$the_current_user_id,$relation_type);
@ -45,4 +44,4 @@ if(isset($friend_id_qualify) && isset($type_friend_qualify)) {
UserFriend::qualify_friend($friend_id_qualify,$type_friend_qualify);
echo api_xml_http_response_encode(get_lang('AttachContactsToGroupSuccesfuly'));
}
?>
?>
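Review bot: `isset($is_my_friend)` on the line after the two new `Security::remove_XSS` assignments is now always true unless `remove_XSS` returns null for an absent key, because the variable is assigned unconditionally; before this change a missing `$_POST['is_my_friend']` left it null and selected `$relation_type='1'`, so the commit likely changes which relation is stored. Test the request key instead: `if (isset($_POST['is_my_friend'])) {`; the same pattern affects `isset($name_search)` in show_search_image.inc.php. Separately, `$type_friend_qualify` is passed to `UserFriend::qualify_friend`, which concatenates it unquoted into SQL, and `remove_XSS` does not constrain it to a number; cast it like the neighbouring ids, `$type_friend_qualify = (int)$_POST['type_friend_q'];`, and remove the `//filtered?` marker once that is done.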

@ -1,8 +1,8 @@
<?php
$language_file = array('registration','messages','userInfo','admin');
require '../inc/global.inc.php';
include_once (api_get_path(LIBRARY_PATH).'image.lib.php');
require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php');
require_once api_get_path(LIBRARY_PATH).'image.lib.php';
require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
require_once api_get_path(LIBRARY_PATH).'social.lib.php';
$this_section = SECTION_MYPROFILE;
$_SESSION['this_section']=$this_section;
@ -22,7 +22,6 @@ $list_get_path_web=UserFriend::get_list_web_path_user_invitation_by_user_id($use
$number_loop=count($list_get_invitation);
if ($number_loop==0) {
Display::display_normal_message(api_xml_http_response_encode(get_lang('YouDontHaveInvites')));
}
for ($i=0;$i<$number_loop;$i++) {
?>

@ -5,7 +5,7 @@ require '../inc/global.inc.php';
$track_online_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ONLINE);
$tbl_my_user = Database :: get_main_table(TABLE_MAIN_USER);
$tbl_my_user_friend = Database :: get_main_table(TABLE_MAIN_USER_FRIEND);
$search=$_POST['search'];
$search=Security::remove_XSS($_POST['search']);
$date_inter=date('Y-m-d H:i:s',time()-120);
$html_form='<select id="id_search_name" name="id_search_name" size="8"" class="message-select-box">';
$user_id = api_get_user_id();
@ -24,4 +24,4 @@ while ($row=Database::fetch_array($res,'ASSOC')) {
}
$html_form.='</select>';
echo $html_form;
?>
?>
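Review bot: `Security::remove_XSS` applied to `$_POST['search']` is an HTML output filter, but `$search` appears to feed a query against `$tbl_my_user` (the `Database::fetch_array($res,'ASSOC')` loop in the second hunk consumes its result), and for that context `Database::escape_string($search)` at the point where the SQL is assembled, outside this hunk, is the protection that applies. Keep `remove_XSS` for the place where `$search` is echoed back into markup, if any, rather than relying on it for the query. Also, `size="8""` on the `$html_form` line carries a stray double quote that produces invalid HTML.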

@ -24,15 +24,15 @@
$cidReset = true;
require '../inc/global.inc.php';
$language_file = array('registration','messages','userInfo','admin');
require_once (api_get_path(CONFIGURATION_PATH).'profile.conf.php');
include_once (api_get_path(LIBRARY_PATH).'fileManage.lib.php');
include_once (api_get_path(LIBRARY_PATH).'fileUpload.lib.php');
include_once (api_get_path(LIBRARY_PATH).'image.lib.php');
require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php');
require_once api_get_path(CONFIGURATION_PATH).'profile.conf.php';
require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php';
require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php';
require_once api_get_path(LIBRARY_PATH).'image.lib.php';
require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php';
require_once '../inc/lib/social.lib.php';
$list_path_friends=array();
$user_id=api_get_user_id();
$name_search=$_POST['search_name_q'];
$name_search=Security::remove_XSS($_POST['search_name_q']);
if (isset($name_search) && $name_search!='undefined') {
$list_path_friends=UserFriend::get_list_path_web_by_user_id($user_id,null,$name_search);
} else {
@ -81,4 +81,4 @@ if (count($list_path_friends)!=0) {
$friend_html.='<br/></table>';
}
echo $friend_html;
?>
?>
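Review bot: After `$name_search=Security::remove_XSS($_POST['search_name_q']);` the check `isset($name_search)` on the next line is always true whenever `remove_XSS` returns a string for a missing key, so the `else` branch is reached only through the `'undefined'` comparison and a missing key also raises an undefined-index notice. Check `isset($_POST['search_name_q'])` before filtering, e.g. `$name_search = isset($_POST['search_name_q']) ? Security::remove_XSS($_POST['search_name_q']) : null;`, so the guard keeps its original meaning. `$name_search` is then passed to `UserFriend::get_list_path_web_by_user_id($user_id,null,$name_search)`; `remove_XSS` does not escape for SQL, so that library method must escape the search term itself, which is worth confirming since its body is not on this page.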