Display: Fix error when updating tool icon on the course homepage (introduced in 1.11.20 through security updates) - refs #4809

2 years ago · 14798e4314
parent 5018a27e21
commit 14798e4314
5 changed files with 106 additions and 2 deletions
--- a/main/course_info/tools.php
+++ b/main/course_info/tools.php
@ -55,7 +55,7 @@ switch ($action) {
        $form->addHeader(get_lang('EditIcon'));
        $form->addHtml('<div class="col-md-7">');
        $form->addText('name', get_lang('Name'));
-        $form->addText('link', get_lang('Links'));
+        $form->addInternalUrl('link', get_lang('Links'));
        $allowedPictureTypes = ['jpg', 'jpeg', 'png'];
        $form->addFile('icon', get_lang('CustomIcon'));
        $form->addRule(
--- a/main/inc/lib/formvalidator/Element/InternalUrl.php
+++ b/main/inc/lib/formvalidator/Element/InternalUrl.php
@ -0,0 +1,31 @@
+<?php
+/* For licensing terms, see /license.txt */
+
+/**
+ * InternalUrl element (URL without the domain as prefix).
+ *
+ * Class InternalUrl
+ */
+class InternalUrl extends HTML_QuickForm_text
+{
+    /**
+     * InternalUrl constructor.
+     *
+     * @param string $elementName
+     * @param string $elementLabel
+     * @param array  $attributes
+     */
+    public function __construct($elementName = null, $elementLabel = null, $attributes = null)
+    {
+        if (!isset($attributes['id'])) {
+            $attributes['id'] = $elementName;
+        }
+
+        $attributes['type'] = 'text';
+        $attributes['class'] = 'form-control';
+
+        parent::__construct($elementName, $elementLabel, $attributes);
+
+        $this->setType('text');
+    }
+}
--- a/main/inc/lib/formvalidator/FormValidator.class.php
+++ b/main/inc/lib/formvalidator/FormValidator.class.php
@ -224,6 +224,36 @@ EOT;
        return $element;
    }

+    /**
+     * Adds a text field to the form to be used as internal url (URL without the domain part).
+     * A trim-filter is attached to the field.
+     *
+     * @param string|array $label      The label for the form-element
+     * @param string       $name       The element name
+     * @param bool         $required   (optional)    Is the form-element required (default=true)
+     * @param array        $attributes (optional)    List of attributes for the form-element
+     *
+     * @return HTML_QuickForm_text
+     */
+    public function addInternalUrl($name, $label, $required = true, $attributes = [], $createElement = false)
+    {
+        if ($createElement) {
+            $element = $this->createElement('text', $name, $label, $attributes);
+        } else {
+            $element = $this->addElement('text', $name, $label, $attributes);
+        }
+
+        $this->applyFilter($name, 'trim');
+        $this->applyFilter($name, 'plain_url_filter');
+        $this->addRule($name, get_lang('InsertAValidUrl'), 'internal_url');
+
+        if ($required) {
+            $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required');
+        }
+
+        return $element;
+    }
+
    /**
     * Add hidden course params.
     */
@ -1268,6 +1298,7 @@ EOT;
    {
        $this->addElement('url', $name, $label, $attributes);
        $this->applyFilter($name, 'trim');
+
        $this->addRule($name, get_lang('InsertAValidUrl'), 'url');

        if ($required) {
@ -2048,3 +2079,20 @@ function mobile_phone_number_filter($mobilePhoneNumber)

    return ltrim($mobilePhoneNumber, '0');
 }
+
+/**
+ * Cleans JS from a URL.
+ *
+ * @param string $html URL to clean
+ * @param int    $mode (optional)
+ *
+ * @return string The cleaned URL
+ */
+function plain_url_filter($html, $mode = NO_HTML)
+{
+    $allowed_tags = HTML_QuickForm_Rule_HTML::get_allowed_tags($mode);
+    $html = kses_no_null($html);
+    $html = kses_js_entities($html);
+    $allowed_html_fixed = kses_array_lc($allowed_tags);
+    return kses_split($html, $allowed_html_fixed, array('http', 'https'));
+}
--- a/main/inc/lib/formvalidator/Rule/InternalUrl.php
+++ b/main/inc/lib/formvalidator/Rule/InternalUrl.php
@ -0,0 +1,24 @@
+<?php
+
+/**
+ * Abstract base class for QuickForm validation rules.
+ */
+
+/**
+ * Validate internal urls (URLs without the domain).
+ */
+class HTML_QuickForm_Rule_InternalUrl extends HTML_QuickForm_Rule
+{
+    /**
+     * Validates internal url.
+     * We cheat a little by using the adding the domain as prefix to use the domain validation process of filter_var().
+     *
+     * @param string $url
+     *
+     * @return bool returns true if valid, false otherwise
+     */
+    public function validate($url, $options)
+    {
+        return (bool) filter_var(api_get_path(WEB_PATH).$url, FILTER_VALIDATE_URL);
+    }
+}
--- a/main/inc/lib/pear/HTML/QuickForm/RuleRegistry.php
+++ b/main/inc/lib/pear/HTML/QuickForm/RuleRegistry.php
@ -152,7 +152,8 @@ class HTML_QuickForm_RuleRegistry
            'mimetype' => 'HTML_QuickForm_Rule_MimeType',
            'filename' => 'HTML_QuickForm_Rule_FileName',
            'validquestiontype' => 'HTML_QuickForm_Rule_QuestionType',
-            'mintext' => 'Html_Quickform_Rule_MinText'
+            'mintext' => 'Html_Quickform_Rule_MinText',
+            'internal_url' => 'HTML_QuickForm_Rule_InternalUrl',
        );

        $class = $rules[$ruleName];