From 23054bb5b2949f8364367f405b959011850679ae Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Fri, 28 May 2010 16:31:20 +0200
Subject: [PATCH] Deleting double using security::remove_XSS when saving a title forum
---
 main/forum/forumfunction.inc.php | 20 +++++++++++---------
 main/forum/index.php | 28 +++++++++++++++-------------
 2 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php
index 1ea6eba45f..8514d5821c 100755
--- a/main/forum/forumfunction.inc.php
+++ b/main/forum/forumfunction.inc.php
@@ -522,7 +522,7 @@ function store_forum($values) {
 $session_id = api_get_session_id();
 $clean_title = Database::escape_string($values['forum_title']);
-
+ // forum images
 $image_moved=false;
 if (!empty($_FILES['picture']['name'])) {
@@ -580,16 +580,16 @@ function store_forum($values) {
 $sql="UPDATE ".$table_forums." SET forum_title='".$clean_title."', ".$sql_image."
- forum_comment='".Database::escape_string($values['forum_comment'])."',
- forum_category='".Database::escape_string($values['forum_category'])."',
- allow_anonymous='".Database::escape_string(isset($values['allow_anonymous_group']['allow_anonymous'])?$values['allow_anonymous_group']['allow_anonymous']:null)."',
- allow_edit='".Database::escape_string($values['students_can_edit_group']['students_can_edit'])."',
+ forum_comment='". Database::escape_string($values['forum_comment'])."',
+ forum_category='". Database::escape_string($values['forum_category'])."',
+ allow_anonymous='". Database::escape_string(isset($values['allow_anonymous_group']['allow_anonymous'])?$values['allow_anonymous_group']['allow_anonymous']:null)."',
+ allow_edit='". Database::escape_string($values['students_can_edit_group']['students_can_edit'])."',
 approval_direct_post='".Database::escape_string(isset($values['approval_direct_group']['approval_direct'])?$values['approval_direct_group']['approval_direct']:null)."',
 allow_attachments='".Database::escape_string(isset($values['allow_attachments_group']['allow_attachments'])?$values['allow_attachments_group']['allow_attachments']:null)."',
 allow_new_threads='".Database::escape_string($values['allow_new_threads_group']['allow_new_threads'])."',
 forum_group_public_private='".Database::escape_string($values['public_private_group_forum_group']['public_private_group_forum'])."',
- default_view='".Database::escape_string($values['default_view_type_group']['default_view_type'])."',
- forum_of_group='".Database::escape_string($values['group_forum'])."'
+ default_view='". Database::escape_string($values['default_view_type_group']['default_view_type'])."',
+ forum_of_group='". 
Database::escape_string($values['group_forum'])."' WHERE forum_id='".Database::escape_string($values['forum_id'])."'"; Database::query($sql); api_item_property_update($_course, TOOL_FORUM, Database::escape_string($values['forum_id']), 'ForumUpdated', api_get_user_id()); @@ -604,9 +604,9 @@ function store_forum($values) { $sql="INSERT INTO ".$table_forums." (forum_title, forum_image, forum_comment, forum_category, allow_anonymous, allow_edit, approval_direct_post, allow_attachments, allow_new_threads, default_view, forum_of_group, forum_group_public_private, forum_order, session_id) - VALUES ('".Security::remove_XSS($clean_title)."', + VALUES ('".$clean_title."', ".$sql_image." - '".Database::escape_string(isset($values['forum_comment'])?Security::remove_XSS(stripslashes(api_html_entity_decode($values['forum_comment'])),COURSEMANAGERLOWSECURITY):null)."', + '".Database::escape_string(isset($values['forum_comment'])?$values['forum_comment']:null)."', '".Database::escape_string(isset($values['forum_category'])?$values['forum_category']:null)."', '".Database::escape_string(isset($values['allow_anonymous_group']['allow_anonymous'])?$values['allow_anonymous_group']['allow_anonymous']:null)."', '".Database::escape_string(isset($values['students_can_edit_group']['students_can_edit'])?$values['students_can_edit_group']['students_can_edit']:null)."', @@ -618,7 +618,9 @@ function store_forum($values) { '".Database::escape_string(isset($values['public_private_group_forum_group']['public_private_group_forum'])?$values['public_private_group_forum_group']['public_private_group_forum']:null)."', '".Database::escape_string(isset($new_max)?$new_max:null)."', ".intval($session_id).")"; + Database::query($sql); + $last_id = Database::insert_id(); if ($last_id > 0) { api_item_property_update($_course, TOOL_FORUM, $last_id, 'ForumAdded', api_get_user_id()); diff --git a/main/forum/index.php b/main/forum/index.php index 252c24dc83..c2623fb094 100755 --- a/main/forum/index.php 
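Review bot: Dropping `Security::remove_XSS` at `VALUES ('".$clean_title."',` and on the forum_comment value in the `@@ -604` hunk stores forum_title and forum_comment exactly as submitted, SQL-escaped only, so protection against stored XSS now rests entirely on every read site escaping them on output; index.php in this patch does that through prepare4display, but the forum edit form, thread views and any notification mail that echo these columns are not in the diff and should be checked, and what prepare4display allows for COURSEMANAGERLOWSECURITY content cannot be seen here. The removed comment line also dropped `stripslashes(api_html_entity_decode(...))`, which the commit message does not mention; if the form layer adds slashes or entity-encodes input, the stored shape of forum_comment changes, so a round trip through the edit form is worth confirming. A comment above the INSERT such as `// forum_title and forum_comment are stored unfiltered: escape with prepare4display at every read site` would record the new invariant. store_forum starts and ends outside this hunk.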
+++ b/main/forum/index.php @@ -269,7 +269,8 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte if (api_is_allowed_to_edit(false,true)) { //echo 'teacher'; $show_forum=true; - } else {// you are not a teacher + } else { + // you are not a teacher //echo 'student'; // it is not a group forum => show forum (invisible forums are already left out see get_forums function) if ($forum['forum_of_group']=='0') { @@ -300,12 +301,10 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte } } - - //echo '
'; - if ($show_forum) { + if ($show_forum) { $form_count++; $mywhatsnew_post_info=isset($whatsnew_post_info[$forum['forum_id']]) ? $whatsnew_post_info[$forum['forum_id']]: null; - echo ""; + echo ''; // Showing the image if(!empty($forum['forum_image'])) { @@ -332,13 +331,11 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte echo icon('../img/forumgroup.gif', get_lang('GroupForum')); } } else { - - if (is_array($mywhatsnew_post_info) and !empty($mywhatsnew_post_info)) { - echo icon('../img/forum.gif', get_lang('Forum')); - } else { - echo icon('../img/forum.gif'); - } - + if (is_array($mywhatsnew_post_info) and !empty($mywhatsnew_post_info)) { + echo icon('../img/forum.gif', get_lang('Forum')); + } else { + echo icon('../img/forum.gif'); + } } echo ""; @@ -361,7 +358,12 @@ if (isset($_GET['action']) && $_GET['action'] == 'notify' AND isset($_GET['conte } $forum['forum_of_group']==0?$groupid='':$groupid=$forum['forum_of_group']; - echo "".prepare4display($forum['forum_title']).$session_displayed.''.$forum_title_group_addition.'
'.prepare4display($forum['forum_comment']).""; + + echo ""; + //Forum title + + echo prepare4display($forum['forum_title']).$session_displayed.''.$forum_title_group_addition.'
'.prepare4display($forum['forum_comment']); + echo ''; //$number_forum_topics_and_posts=get_post_topics_of_forum($forum['forum_id']); // deprecated // the number of topics and posts $number_threads=isset($forum['number_of_threads']) ? $forum['number_of_threads'] : null;
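Review bot: The new `echo prepare4display($forum['forum_title']).$session_displayed.''.$forum_title_group_addition.' '.prepare4display($forum['forum_comment']);` line escapes the title and comment but concatenates `$session_displayed` and `$forum_title_group_addition` into the same output without any visible escaping; both are built outside this hunk, so if either is derived from request or database data it needs the same prepare4display treatment (the markup in the surrounding `echo "";` / `echo '';` lines appears to have been lost in rendering, so the exact HTML context cannot be checked here). Splitting the single echo into three also leaves the `//Forum title` comment floating between an empty-looking echo and a blank line; placing it directly above the `echo prepare4display(...)` line and dropping the blank line would read better. The enclosing loop and conditional start and end outside the hunk.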