From 0f0d9cc21fe15b2bd72e2bbf8fd389859a0e574f Mon Sep 17 00:00:00 2001 From: Isaac Flores Date: Sat, 16 May 2009 00:53:08 +0200 Subject: [PATCH] [svn r20714] logic changes - added remove_xss - (partial FS#3909) --- main/inc/lib/social.lib.php | 2 +- main/social/contacts.inc.php | 15 +++++++-------- main/social/data_personal.inc.php | 24 +++++++++++------------- main/social/group_contact.inc.php | 15 +++++++-------- main/social/index.php | 8 +++----- main/social/profile.php | 14 +++++++------- main/social/qualify_contact.inc.php | 14 +++++++------- main/social/register_friend.php | 7 +++---- main/social/select_friend_response.php | 5 ++--- main/social/select_options.php | 4 ++-- main/social/show_search_image.inc.php | 14 +++++++------- 11 files changed, 57 insertions(+), 65 deletions(-) diff --git a/main/inc/lib/social.lib.php b/main/inc/lib/social.lib.php index 1b54f47bde..668a2e503a 100755 --- a/main/inc/lib/social.lib.php +++ b/main/inc/lib/social.lib.php @@ -281,7 +281,7 @@ class UserFriend extends UserManager { public function qualify_friend($id_friend_qualify,$type_qualify) { $tbl_user_friend=Database::get_main_table(TABLE_MAIN_USER_FRIEND); $user_id=api_get_user_id(); - $sql='UPDATE '.$tbl_user_friend.' SET relation_type='.$type_qualify.' WHERE user_id='.Database::escape_string($user_id).' AND friend_user_id='.Database::escape_string($id_friend_qualify).';'; + $sql='UPDATE '.$tbl_user_friend.' SET relation_type='.Database::escape_string($type_qualify).' WHERE user_id='.Database::escape_string($user_id).' AND friend_user_id='.Database::escape_string($id_friend_qualify).';'; api_sql_query($sql,__FILE__,__LINE__); } /** diff --git a/main/social/contacts.inc.php b/main/social/contacts.inc.php index df21631d19..47a1ba60b9 100755 --- a/main/social/contacts.inc.php +++ b/main/social/contacts.inc.php @@ -1,11 +1,11 @@ '; require_once 'show_search_image.inc.php'; echo ''; - ?> - + \ No newline at end of file 
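Review bot: The added `Database::escape_string($type_qualify)` in qualify_friend does not close the injection, because the value is spliced into `SET relation_type=` without surrounding quotes — escaping only neutralises quote characters, so a value made of spaces, digits and SQL keywords passes through unchanged and can extend the UPDATE. relation_type is handled as a small integer code elsewhere in this patch ('3' and '1' in register_friend.php), so the right guard is a cast: `$sql='UPDATE '.$tbl_user_friend.' SET relation_type='.intval($type_qualify).' WHERE user_id='.intval($user_id).' AND friend_user_id='.intval($id_friend_qualify).';';`. The two ids in the WHERE clause use the same unquoted-escape pattern; casting them costs nothing even though api_get_user_id() is presumably trusted.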
diff --git a/main/social/data_personal.inc.php b/main/social/data_personal.inc.php index d04c693e44..03ac77cc24 100755 --- a/main/social/data_personal.inc.php +++ b/main/social/data_personal.inc.php @@ -22,9 +22,9 @@ */ $language_file = array('registration','messages','userInfo','admin','forum','blog'); -require_once ('../inc/global.inc.php'); -require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php'); -require_once (api_get_path(LIBRARY_PATH).'social.lib.php'); +require_once '../inc/global.inc.php'; +require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php'; +require_once api_get_path(LIBRARY_PATH).'social.lib.php'; // @todo here we must show the user information as read only //User picture size is calculated from SYSTEM path @@ -33,8 +33,8 @@ $img_array= UserManager::get_user_picture_path_by_id(api_get_user_id(),'web',tru if (isset($_POST['load_ajax'])) { - require_once (api_get_path(LIBRARY_PATH).'blog.lib.php'); - require_once (api_get_path(SYS_CODE_PATH).'forum/forumfunction.inc.php'); + require_once api_get_path(LIBRARY_PATH).'blog.lib.php'; + require_once api_get_path(SYS_CODE_PATH).'forum/forumfunction.inc.php'; $user_id = $_SESSION['social_user_id']; if ($_POST['action']) {$action = $_POST['action'];} switch($action) { @@ -58,7 +58,7 @@ if (isset($_POST['load_ajax'])) { if ($forum_result !='') { api_display_tool_title(get_lang('Forum')); echo '
'; - echo $forum_result; + echo api_xml_http_response_encode($forum_result); echo '
'; echo '
'; $all_result_data++; @@ -70,7 +70,7 @@ if (isset($_POST['load_ajax'])) { echo '
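Review bot: Wrapping `$forum_result` in `api_xml_http_response_encode()` on the `+` line does not look like an output-escaping change: judging by its name and by its use on plain `get_lang()` strings later in this file (`$language_variable=api_xml_http_response_encode(get_lang('PersonalData'))`), it converts the charset of the XMLHttpRequest response rather than escaping HTML, so if this was meant to back the "added remove_xss" intent of the commit it does not. `$forum_result` is presumably built by the forum functions required just above from user-authored posts and is echoed straight into markup, so either escape it per context here or confirm the forum helper returns already-escaped HTML, and record which with a comment such as `// api_xml_http_response_encode only converts charset; $forum_result must already be HTML-safe`. The enclosing `if (isset($_POST['load_ajax']))` block starts before this hunk.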

'; api_display_tool_title(get_lang('BlogPosts')); echo '
'; - echo $result; + echo api_xml_http_response_encode($result); echo '
'; echo '
'; $all_result_data++; @@ -81,7 +81,7 @@ if (isset($_POST['load_ajax'])) { if (!empty($result)) { api_display_tool_title(get_lang('BlogComments')); echo '
'; - echo $result; + echo api_xml_http_response_encode($result); echo '
'; echo '
'; $all_result_data++; @@ -157,9 +157,7 @@ $language_variable=api_xml_http_response_encode(get_lang('PersonalData')); echo '
'; } echo ''; - }*/ - - echo ''; - + }*/ + echo ''; } -?> +?> \ No newline at end of file diff --git a/main/social/group_contact.inc.php b/main/social/group_contact.inc.php index ebe9bf9083..577783e2c6 100755 --- a/main/social/group_contact.inc.php +++ b/main/social/group_contact.inc.php @@ -1,11 +1,11 @@ - -
@@ -86,4 +85,4 @@ for ($p=0;$p +?> \ No newline at end of file diff --git a/main/social/index.php b/main/social/index.php index c63f50f42f..75f36e935d 100755 --- a/main/social/index.php +++ b/main/social/index.php @@ -23,7 +23,7 @@ $cidReset = true; $language_file = array('registration','messages','userInfo','admin'); require '../inc/global.inc.php'; -require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php'); +require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php'; $this_section = SECTION_MYPROFILE; $_SESSION['this_section']=$this_section; api_block_anonymous_users(); @@ -493,7 +493,6 @@ if (isset($_GET['sendform'])) { } $form_url_send=isset($form_send_data_message) ? $form_send_data_message :''; ?> -
  • @@ -510,11 +509,10 @@ $form_url_send=isset($form_send_data_message) ? $form_send_data_message :'';
  • - + ?>
 
';?> +?> \ No newline at end of file diff --git a/main/social/profile.php b/main/social/profile.php index 087cbba34c..d42482b06e 100644 --- a/main/social/profile.php +++ b/main/social/profile.php @@ -12,8 +12,8 @@ $language_file = array('registration','messages','userInfo','admin','forum','blog'); $cidReset = true; require '../inc/global.inc.php'; -require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php'); -require_once (api_get_path(LIBRARY_PATH).'social.lib.php'); +require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php'; +require_once api_get_path(LIBRARY_PATH).'social.lib.php'; $user_id = api_get_user_id(); $show_full_profile = true; @@ -49,10 +49,10 @@ if (isset($_GET['u'])) { $user_info = UserManager::get_user_info_by_id($user_id); } -require_once (api_get_path(SYS_CODE_PATH).'calendar/myagenda.inc.php'); -require_once (api_get_path(SYS_CODE_PATH).'announcements/announcements.inc.php'); -require_once (api_get_path(LIBRARY_PATH).'course.lib.php'); -require_once (api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php'); +require_once api_get_path(SYS_CODE_PATH).'calendar/myagenda.inc.php'; +require_once api_get_path(SYS_CODE_PATH).'announcements/announcements.inc.php'; +require_once api_get_path(LIBRARY_PATH).'course.lib.php'; +require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php'; api_block_anonymous_users(); @@ -823,4 +823,4 @@ echo ''; echo ''; //from the main echo '
'; Display :: display_footer(); -?> +?> \ No newline at end of file diff --git a/main/social/qualify_contact.inc.php b/main/social/qualify_contact.inc.php index ceaf5286c6..c8ae608d5b 100755 --- a/main/social/qualify_contact.inc.php +++ b/main/social/qualify_contact.inc.php @@ -5,7 +5,7 @@ Copyright (c) 2009 Dokeos SPRL Copyright (c) Julio Montoya Armas - + Copyright (c) Isaac Flores Paz For a full list of contributors, see "credits.txt". The full license can be read in "license.txt". @@ -23,9 +23,9 @@ $language_file=array('registration','messages','userInfo','admin'); require_once '../inc/global.inc.php'; -require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php'); +require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php'; require_once '../inc/lib/social.lib.php'; -$user_friend=$_POST['user_friend']; +$user_friend=(int)$_POST['user_friend']; $list_of_options=array(); $img_user=array(); $img_info_user=array(); @@ -36,6 +36,7 @@ $number_list=count($list_of_options); $user_id =urldecode($_GET['id_user']); $user_id =str_replace("\\","",$user_id); $user_friend=str_replace('"',"",$user_id); +$user_friend=Security::remove_XSS($user_friend); $user_info=api_get_user_info($user_friend); $user_friend_relation=UserFriend::get_relation_between_contacts(api_get_user_id(),$user_friend); ?> @@ -47,7 +48,7 @@ $user_friend_relation=UserFriend::get_relation_between_contacts(api_get_user_id(
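Review bot: The `(int)` cast added to `$user_friend=(int)$_POST['user_friend'];` in the previous hunk is dead code — a few lines later `$user_friend=str_replace('"',"",$user_id);` overwrites it with the value of `$_GET['id_user']`, and the new `Security::remove_XSS($user_friend)` line only strips HTML/script fragments, not a non-numeric id, before it reaches `api_get_user_info($user_friend)` and `UserFriend::get_relation_between_contacts(api_get_user_id(),$user_friend)`. Since the friend id is an integer on the POST path of the same file, the urldecode / str_replace / remove_XSS chain should collapse to `$user_friend = intval($_GET['id_user']);`. Whether the two callees escape their argument cannot be seen from this hunk; an integer cast at the boundary removes the question.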

- +
'.$name_user=api_xml_http_response_encode($user_info['firstName'].' '.$user_info['lastName']); ?> @@ -61,8 +62,7 @@ for ($k=0;$k<$number_list;$k++) { } else { $check=''; } - ?> - + ?> style="margin-left:50px" type="radio" class="radio" name="list_type_friend" value="" /> ';
+ \ No newline at end of file diff --git a/main/social/register_friend.php b/main/social/register_friend.php index 951a9e297f..f48567ffcd 100755 --- a/main/social/register_friend.php +++ b/main/social/register_friend.php @@ -14,15 +14,14 @@ $my_current_friend = intval($_POST['friend_id']); $my_denied_current_friend= intval($_POST['denied_friend_id']); $my_delete_friend = intval($_POST['delete_friend_id']); $friend_id_qualify = intval($_POST['user_id_friend_q']); -$type_friend_qualify = $_POST['type_friend_q']; //filtered? -$is_my_friend = $_POST['is_my_friend']; //filtered? +$type_friend_qualify = Security::remove_XSS($_POST['type_friend_q']); //filtered? +$is_my_friend = Security::remove_XSS($_POST['is_my_friend']); //filtered? if (isset($is_my_friend)) { $relation_type='3';//my friend } else { $relation_type='1';//Contact unknown } - if (isset($my_current_friend)) { UserFriend::register_friend ($the_current_user_id,$my_current_friend,$relation_type); UserFriend::register_friend ($my_current_friend,$the_current_user_id,$relation_type); @@ -45,4 +44,4 @@ if(isset($friend_id_qualify) && isset($type_friend_qualify)) { UserFriend::qualify_friend($friend_id_qualify,$type_friend_qualify); echo api_xml_http_response_encode(get_lang('AttachContactsToGroupSuccesfuly')); } -?> +?> \ No newline at end of file diff --git a/main/social/select_friend_response.php b/main/social/select_friend_response.php index 83aad4f5e5..1af6db5402 100755 --- a/main/social/select_friend_response.php +++ b/main/social/select_friend_response.php @@ -1,8 +1,8 @@ diff --git a/main/social/select_options.php b/main/social/select_options.php index b6c94eecf0..e23232003a 100755 --- a/main/social/select_options.php +++ b/main/social/select_options.php 
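Review bot: `Security::remove_XSS()` is the wrong filter for `$_POST['type_friend_q']`: it is an HTML sanitizer, and `$type_friend_qualify` never goes to HTML — it goes to `UserFriend::qualify_friend()` in the hunk below, which in this same patch splices it unquoted into `SET relation_type=`. The other ids on the lines above already use `intval()`; do the same here: `$type_friend_qualify = intval($_POST['type_friend_q']);`. Separately, `isset($is_my_friend)` on the following line now tests a variable that is always assigned, so unless remove_XSS returns null for an unset index the `else` branch (relation_type '1') is unreachable — test `isset($_POST['is_my_friend'])` instead and drop the remove_XSS call there. The `//filtered?` markers should go once this is settled, as they now read as if the question were answered.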
@@ -5,7 +5,7 @@ require '../inc/global.inc.php'; $track_online_table = Database::get_statistic_table(TABLE_STATISTIC_TRACK_E_ONLINE); $tbl_my_user = Database :: get_main_table(TABLE_MAIN_USER); $tbl_my_user_friend = Database :: get_main_table(TABLE_MAIN_USER_FRIEND); -$search=$_POST['search']; +$search=Security::remove_XSS($_POST['search']); $date_inter=date('Y-m-d H:i:s',time()-120); $html_form=''; echo $html_form; -?> +?> \ No newline at end of file diff --git a/main/social/show_search_image.inc.php b/main/social/show_search_image.inc.php index 923857001b..2ac4f1ad62 100755 --- a/main/social/show_search_image.inc.php +++ b/main/social/show_search_image.inc.php @@ -24,15 +24,15 @@ $cidReset = true; require '../inc/global.inc.php'; $language_file = array('registration','messages','userInfo','admin'); -require_once (api_get_path(CONFIGURATION_PATH).'profile.conf.php'); -include_once (api_get_path(LIBRARY_PATH).'fileManage.lib.php'); -include_once (api_get_path(LIBRARY_PATH).'fileUpload.lib.php'); -include_once (api_get_path(LIBRARY_PATH).'image.lib.php'); -require_once (api_get_path(LIBRARY_PATH).'usermanager.lib.php'); +require_once api_get_path(CONFIGURATION_PATH).'profile.conf.php'; +require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php'; +require_once api_get_path(LIBRARY_PATH).'fileUpload.lib.php'; +require_once api_get_path(LIBRARY_PATH).'image.lib.php'; +require_once api_get_path(LIBRARY_PATH).'usermanager.lib.php'; require_once '../inc/lib/social.lib.php'; $list_path_friends=array(); $user_id=api_get_user_id(); -$name_search=$_POST['search_name_q']; +$name_search=Security::remove_XSS($_POST['search_name_q']); if (isset($name_search) && $name_search!='undefined') { $list_path_friends=UserFriend::get_list_path_web_by_user_id($user_id,null,$name_search); } else { @@ -81,4 +81,4 @@ if (count($list_path_friends)!=0) { $friend_html.='
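Review bot: `Security::remove_XSS($_POST['search'])` protects only an HTML context, while the table handles set up on the lines above (`$track_online_table`, `$tbl_my_user`, `$tbl_my_user_friend`) suggest `$search` is next used in a SQL query that lies outside this hunk. If it is interpolated into a `=`/`LIKE` clause it still needs `Database::escape_string()` inside quotes at the point of use (plus `%`/`_` escaping if it feeds LIKE), independent of the XSS filter, which remains useful only for echoing the term back. A comment on the changed line, `// remove_XSS is an HTML filter only; SQL-escape $search where it is queried`, would stop the next reader from treating this as sufficient.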
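Review bot: The new `Security::remove_XSS($_POST['search_name_q'])` line leaves the SQL safety of `$name_search` unchanged — it is passed straight to `UserFriend::get_list_path_web_by_user_id($user_id,null,$name_search)`, and whether that helper escapes its third argument is not visible here; if it does not, the escape belongs inside the helper or at this call site, not an HTML filter. The `$name_search!='undefined'` test is a client-side artefact (JavaScript sending the literal string for an empty field) leaking into the server; `trim($name_search) !== ''` expresses the intent without special-casing that string. Also note that in this file `$language_file` is assigned after `require '../inc/global.inc.php'`, whereas every other file in this patch sets it first — if global.inc.php reads it at include time, as that ordering implies, the assignment here has no effect.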
'; } echo $friend_html; -?> +?> \ No newline at end of file