diff --git a/main/auth/inscription.php b/main/auth/inscription.php index f73f6033cf..b89691c863 100755 --- a/main/auth/inscription.php +++ b/main/auth/inscription.php @@ -335,7 +335,8 @@ $form->addElement('button', 'submit', get_lang('RegisterUser'), array('class' => if ($form->validate()) { - $values = $form->exportValues(); + //$values = $form->exportValues(); + $values = $form->getSubmitValues(1); $values['username'] = api_substr($values['username'], 0, USERNAME_MAX_LENGTH); //make *sure* the login isn't too long if (api_get_setting('allow_registration_as_teacher') == 'false') { @@ -363,6 +364,10 @@ if ($form->validate()) { foreach ($values as $key => $value) { if (substr($key, 0, 6) == 'extra_') { //an extra field $extras[substr($key,6)] = $value; + } elseif (strpos($key, 'remove_extra_') !== false) { + $extra_value = Security::filter_filename(urldecode(key($value))); + // To remove from user_field_value and folder + UserManager::update_extra_field_value($user_id, substr($key,13), $extra_value); } } @@ -370,7 +375,23 @@ if ($form->validate()) { $count_extra_field = count($extras); if ($count_extra_field > 0) { foreach ($extras as $key => $value) { - UserManager::update_extra_field_value($user_id, $key, $value); + // For array $value -> if exists key 'tmp_name' then must not be empty + // This avoid delete from user field value table when doesn't upload a file + if (is_array($value)) { + if (array_key_exists('tmp_name', $value) && empty($value['tmp_name'])) { + //Nothing to do + } else { + if (array_key_exists('tmp_name', $value)) { + $value['tmp_name'] = Security::filter_filename($value['tmp_name']); + } + if (array_key_exists('name', $value)) { + $value['name'] = Security::filter_filename($value['name']); + } + UserManager::update_extra_field_value($user_id, $key, $value); + } + } else { + UserManager::update_extra_field_value($user_id, $key, $value); + } } } @@ -596,3 +617,4 @@ if ($form->validate()) { } } Display :: display_footer(); + 
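Review bot: Replacing exportValues() with getSubmitValues(1) on the first changed line widens $values from the elements registered on the form to every key present in the POST body (plus $_FILES), so the `extra_` loop further down will now write any attacker-chosen `extra_<name>` through UserManager::update_extra_field_value unless that helper itself refuses fields not exposed to a self-registering user — worth confirming, since this endpoint is unauthenticated. If the switch exists only to reach the uploaded files, restrict the loop to elements the form actually declares, e.g. `if (!$form->elementExists($key)) { continue; }` at the top of the loop body, or merge only the registered file elements into the exportValues() result. The dead `//$values = $form->exportValues();` line should be deleted rather than left commented out. The enclosing `if ($form->validate())` block starts and ends outside the hunk.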
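Review bot: The new `remove_extra_` branch tests `strpos($key, 'remove_extra_') !== false`, which matches the marker anywhere in the key, while `substr($key,13)` assumes it sits at offset 0, so a posted key such as `extra_remove_extra_x` takes this branch and derives the wrong field name; `key($value)` also presumes `$value` is an array and errors under PHP 8 when a scalar is posted under that name. Tighten the guard to `} elseif (strpos($key, 'remove_extra_') === 0 && is_array($value)) {` (or `substr($key, 0, 13) === 'remove_extra_'` to mirror the `extra_` test above it). The field name carved out of the key is passed to update_extra_field_value without validation, so as with the `extra_` branch it is worth confirming that helper rejects fields the registering user may not change. The surrounding `if ($form->validate())` block starts and ends outside the hunk.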
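Review bot: The upload branch accepts the file whenever `tmp_name` is non-empty, which says nothing about whether the upload succeeded; before handing the array on it should check `$value['error'] === UPLOAD_ERR_OK && is_uploaded_file($value['tmp_name'])`. Running Security::filter_filename over `tmp_name` is also doubtful: that path is generated by PHP, not supplied by the client, and if filter_filename rewrites path separators the temporary file can no longer be located by whatever moves it (update_extra_field_value is not visible here, so confirm) — only `name` is attacker-controlled and needs the filter. The empty `//Nothing to do` branch can be folded away by inverting the condition, e.g. `if (is_array($value) && array_key_exists('tmp_name', $value) && empty($value['tmp_name'])) { continue; }`, which removes one nesting level. The enclosing `if ($form->validate())` block starts and ends outside the hunk.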
diff --git a/main/auth/profile.php b/main/auth/profile.php index 7b3bbe195c..52f1fccb93 100755 --- a/main/auth/profile.php +++ b/main/auth/profile.php @@ -143,6 +143,7 @@ if (api_get_setting('profile', 'name') !== 'true') { } $form->applyFilter(array('lastname', 'firstname'), 'stripslashes'); $form->applyFilter(array('lastname', 'firstname'), 'trim'); +$form->applyFilter(array('lastname', 'firstname'), 'html_filter'); $form->addRule('lastname' , get_lang('ThisFieldIsRequired'), 'required'); $form->addRule('firstname', get_lang('ThisFieldIsRequired'), 'required'); @@ -165,6 +166,7 @@ if (CONFVAL_ASK_FOR_OFFICIAL_CODE) { } $form->applyFilter('official_code', 'stripslashes'); $form->applyFilter('official_code', 'trim'); + $form->applyFilter('official_code', 'html_filter'); if (api_get_setting('registration', 'officialcode') == 'true' && api_get_setting('profile', 'officialcode') == 'true') { $form->addRule('official_code', get_lang('ThisFieldIsRequired'), 'required'); } @@ -202,6 +204,7 @@ if (api_get_setting('profile', 'phone') !== 'true') { } $form->applyFilter('phone', 'stripslashes'); $form->applyFilter('phone', 'trim'); +$form->applyFilter('phone', 'html_filter'); /*if (api_get_setting('registration', 'phone') == 'true') { $form->addRule('phone', get_lang('ThisFieldIsRequired'), 'required'); } diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php index 0dc279a820..454aa55626 100755 --- a/main/forum/forumfunction.inc.php +++ b/main/forum/forumfunction.inc.php @@ -3691,7 +3691,7 @@ function display_forum_search_results($search_term) 4. post is visible */ if (!api_is_allowed_to_edit(null, true)) { - if ($forum_categories_list[$row['forum_id']['forum_category']]['visibility'] == '1' AND + if ($forum_categories_list[$forum_list[$row['forum_id']]['forum_category']]['visibility'] == '1' AND $forum_list[$row['forum_id']]['visibility'] == '1' AND $row['visible'] == '1' ) { $display_result = true; 
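Review bot: The `html_filter` added after `trim` for lastname/firstname is input-side sanitisation, and a comment should state what it does and does not guarantee so nobody treats it as a substitute for output escaping: rows stored before this change, and values written through other paths (admin user edit, imports, external authentication), are not rewritten, so templates still have to escape these fields when rendering. Suggested comment above the new line: `// Strip HTML from names on input (defence in depth only); existing rows are untouched, so output escaping is still required.` The same remark applies to the `official_code` and `phone` hunks below. The form-building code around these lines starts and ends outside the hunk.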
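Review bot: The corrected lookup in display_forum_search_results still dereferences `$forum_list[$row['forum_id']]` and then `$forum_categories_list[...]['visibility']` without checking that either key exists, so a search hit in a forum absent from `$forum_list` (or whose category row is missing) raises undefined-key warnings on PHP 8; the comparison then fails and the post stays hidden, which is at least fail-closed. Making that explicit keeps the behaviour and silences the warnings: `$forum = isset($forum_list[$row['forum_id']]) ? $forum_list[$row['forum_id']] : null;` then `$category = ($forum && isset($forum_categories_list[$forum['forum_category']])) ? $forum_categories_list[$forum['forum_category']] : null;` and test `$category && $forum && $category['visibility'] == '1' AND $forum['visibility'] == '1' AND $row['visible'] == '1'`. Since the old expression indexed a scalar forum id rather than the category row, the category-visibility condition presumably could never hold before this change, so this is an access-control fix and deserves a line in the commit message. display_forum_search_results starts and ends outside the hunk.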
diff --git a/main/inc/lib/banner.lib.php b/main/inc/lib/banner.lib.php index 69f30fc767..460f031c9e 100755 --- a/main/inc/lib/banner.lib.php +++ b/main/inc/lib/banner.lib.php @@ -484,6 +484,7 @@ function return_breadcrumb($interbreadcrumb, $language_file, $nameTools) if (!empty($_course) && !isset($_GET['hide_course_breadcrumb'])) { $navigation_item['url'] = $web_course_path . $_course['path'].'/index.php'.(!empty($session_id) ? '?id_session='.$session_id : ''); + $_course['name'] = api_htmlentities($_course['name']); $course_title = cut($_course['name'], MAX_LENGTH_BREADCRUMB); switch (api_get_setting('breadcrumbs_course_homepage')) { diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php index 16bf8db552..cf12a303d4 100755 --- a/main/inc/lib/course.lib.php +++ b/main/inc/lib/course.lib.php @@ -3372,7 +3372,7 @@ class CourseManager $course['status'] = STUDENT; } - $params['icon'] = Display::return_icon('blackboard.png', $course_info['title'], array(), ICON_SIZE_LARGE); + $params['icon'] = Display::return_icon('blackboard.png', api_htmlentities($course_info['title']), array(), ICON_SIZE_LARGE); $params['right_actions'] = ''; if (api_is_platform_admin()) { @@ -3448,7 +3448,7 @@ class CourseManager while ($row = Database::fetch_array($result)) { // We simply display the title of the category. $params = array( - 'icon' => Display::return_icon('folder_yellow.png', $row['title'], array(), ICON_SIZE_LARGE), + 'icon' => Display::return_icon('folder_yellow.png', api_htmlentities($row['title']), array(), ICON_SIZE_LARGE), 'title' => $row['title'], 'class' => 'table_user_course_category' ); 
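Review bot: Escaping `$_course['name']` before cut() means the truncation can land inside an entity (`&amp;` becoming `&am`), emitting a broken entity and a visibly wrong length; escape the truncated result instead, `$course_title = api_htmlentities(cut($_course['name'], MAX_LENGTH_BREADCRUMB));`, and leave `$_course['name']` untouched. The added line also mutates the array in place, so any later read of `$_course['name']` in return_breadcrumb (outside this hunk) now sees an already-escaped value and risks double-encoding. Whether cut() appends an ellipsis and whether MAX_LENGTH_BREADCRUMB counts characters or bytes I cannot tell from here. return_breadcrumb starts and ends outside the hunk.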
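Review bot: In the category block of the second course.lib.php hunk the same `$row['title']` is now escaped for the icon but handed over raw as `'title' => $row['title']` on the next line; if the template that renders these params echoes `title` into HTML without escaping, the injection this commit is closing remains open on that path. Either escape once up front — `$title = api_htmlentities($row['title']);` and use it for both entries — or add a comment stating that the consumer escapes `title`, so the asymmetry reads as deliberate. The same shape appears in the first hunk with `$course_info['title']` and `$params['title']` further down; the enclosing methods start and end outside these hunks.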
@@ -3542,7 +3542,7 @@ class CourseManager $show_notification = Display::show_notification($course_info); // New code displaying the user's status in respect to this course. - $status_icon = Display::return_icon('blackboard.png', $course_info['title'], array(), ICON_SIZE_LARGE); + $status_icon = Display::return_icon('blackboard.png', api_htmlentities($course_info['title']), array(), ICON_SIZE_LARGE); $params = array(); $params['right_actions'] = ''; @@ -3741,7 +3741,7 @@ class CourseManager } $params = array(); - $params['icon'] = Display::return_icon('blackboard_blue.png', $course_info['name'], array(), ICON_SIZE_LARGE); + $params['icon'] = Display::return_icon('blackboard_blue.png', api_htmlentities($course_info['name']), array(), ICON_SIZE_LARGE); $params['link'] = $session_url; $params['title'] = $session_title; diff --git a/main/inc/lib/course_home.lib.php b/main/inc/lib/course_home.lib.php index 68fa71a0d1..a723d30944 100755 --- a/main/inc/lib/course_home.lib.php +++ b/main/inc/lib/course_home.lib.php @@ -694,7 +694,7 @@ class CourseHome } } } else { - $item['visibility'] .= ' '; + $item['visibility'] .= ''; } // NOTE : Table contains only the image file name, not full path diff --git a/main/inc/lib/usermanager.lib.php b/main/inc/lib/usermanager.lib.php index 000aae1251..e09b6c618a 100755 --- a/main/inc/lib/usermanager.lib.php +++ b/main/inc/lib/usermanager.lib.php @@ -4323,6 +4323,7 @@ class UserManager $form->addElement('text', 'extra_'.$field_details[1], $field_details[3], array('size' => 40)); $form->applyFilter('extra_'.$field_details[1], 'stripslashes'); $form->applyFilter('extra_'.$field_details[1], 'trim'); + $form->applyFilter('extra_'.$field_details[1], 'html_filter'); if (!$admin_permissions) { if ($field_details[7] == 0) diff --git a/main/newscorm/lp_list.php b/main/newscorm/lp_list.php index 367394ac09..6c4db98d22 100755 --- a/main/newscorm/lp_list.php +++ b/main/newscorm/lp_list.php 
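Review bot: Wrapping each `Display::return_icon(..., $title, ...)` call site in api_htmlentities() is easy to miss at the next caller — this commit alone touches four of them across course.lib.php; if return_icon does not already escape the alt/title text it receives (it is not visible here), escaping once inside return_icon would cover every caller and let these sites go back to passing the raw title. If return_icon does escape, these wrappers double-encode (`&amp;amp;`) and should be dropped instead. Either way a one-line comment on return_icon stating whether it expects raw or escaped text would settle the convention. The -3741 hunk passes `$course_info['name']` where the others pass `['title']`; presumably a different row shape, but worth a glance. The enclosing methods start and end outside the hunks.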
@@ -110,11 +110,11 @@ if (!empty($flat_list)) { echo ''; if ($is_allowed_to_edit) { - echo ''.get_lang('Title').''; + echo ''.get_lang('Title').''; echo ''.get_lang('PublicationDate').''; echo ''.get_lang('ExpirationDate').''; echo ''.get_lang('Progress').""; - echo ''.get_lang('AuthoringOptions').""; + echo ''.get_lang('AuthoringOptions').""; } else { echo ''.get_lang('Title').''; echo ''.get_lang('Progress').""; diff --git a/main/template/default/auth/courses_categories.php b/main/template/default/auth/courses_categories.php index 245d8159b0..d360311946 100755 --- a/main/template/default/auth/courses_categories.php +++ b/main/template/default/auth/courses_categories.php @@ -251,10 +251,10 @@ function display_thumbnail($course, $icon_title) echo '
'; if (api_get_setting('show_courses_descriptions_in_catalog') == 'true') { echo ''; - echo ''.$title.''; + echo ''.api_htmlentities($title).''; echo ''; } else { - echo ''.$title.''; + echo ''.api_htmlentities($title).''; } echo '
'; // thumbail echo ''; // span2
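Review bot: `$title` is escaped identically in both branches of the `show_courses_descriptions_in_catalog` test; escaping it once before the `if` (e.g. `$title = api_htmlentities($title);` right after the line that derives it, which is outside the hunk) keeps the two branches from drifting the next time one is edited. The function's other inputs — `$icon_title` and whatever is echoed from `$course` elsewhere in display_thumbnail — are outside this hunk, so I cannot tell whether they receive the same treatment; worth checking since they come from the same course row. display_thumbnail starts before the hunk and its body continues past it.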