From 24974d5a3d69ec6d4306595542e84775519f9edf Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Wed, 25 Aug 2021 17:09:03 +0200
Subject: [PATCH] Plugin: OnlyOffice: Improve return URL definition
---
plugin/onlyoffice/create.php | 141 ++++++++++++++---------------------
1 file changed, 58 insertions(+), 83 deletions(-)
diff --git a/plugin/onlyoffice/create.php b/plugin/onlyoffice/create.php
index b484582245..e382a82e26 100644
--- a/plugin/onlyoffice/create.php
+++ b/plugin/onlyoffice/create.php
@@ -1,6 +1,7 @@ $plugin->get_lang("document"), + "text" => $plugin->get_lang("document"), "spreadsheet" => $plugin->get_lang("spreadsheet"), - "presentation" => $plugin->get_lang("presentation"), + "presentation" => $plugin->get_lang("presentation") ]; -$userId = !empty($_GET["userId"])? $_GET['userId'] : 0; -$sessionId = !empty($_GET["sessionId"])? $_GET["sessionId"] :0; -$docId = !empty($_GET["folderId"])? $_GET["folderId"] :0; -$courseId = !empty($_GET["courseId"])? $_GET["courseId"] :0; -$groupId = !empty($_GET["groupId"])? $_GET["groupId"] :0; -$folderId = !empty($_GET["folderId"])? $_GET["folderId"] :0; +$userId = $_GET["userId"]; +$sessionId = $_GET["sessionId"]; +$docId = $_GET["folderId"]; +$courseId = $_GET["courseId"]; $courseInfo = api_get_course_info_by_id($courseId); $courseCode = $courseInfo["code"]; -$isMyDir = false; -if (!empty($docId)) { - $docInfo = DocumentManager::get_document_data_by_id( - $docId, - $courseCode, - true, - $sessionId - ); - $isMyDir = DocumentManager::is_my_shared_folder( - $userId, - $docInfo["absolute_path"], - $sessionId - ); -} +$docInfo = DocumentManager::get_document_data_by_id($docId, $courseCode, true, $sessionId); + $groupRights = Session::read('group_member_with_upload_rights'); $isAllowToEdit = api_is_allowed_to_edit(true, true); +$isMyDir = DocumentManager::is_my_shared_folder($userId, $docInfo["absolute_path"], $sessionId); if (!($isAllowToEdit || $isMyDir || $groupRights)) { api_not_allowed(true); } -$form = new FormValidator( - "doc_create", - "post", - api_get_path(WEB_PLUGIN_PATH)."onlyoffice/create.php" -); +$form = new FormValidator("doc_create", + "post", + api_get_path(WEB_PLUGIN_PATH) . 
"onlyoffice/create.php"); $form->addText("fileName", $plugin->get_lang("title"), true); $form->addSelect("fileFormat", $plugin->get_lang("chooseFileFormat"), $mapFileFormat); $form->addButtonCreate($plugin->get_lang("create")); -$form->addHidden("groupId", $groupId); -$form->addHidden("courseId", $courseId); -$form->addHidden("sessionId", $sessionId); -$form->addHidden("userId", $userId); -$form->addHidden("folderId", $folderId); -$form->addHidden("goBackUrl", Security::remove_XSS($_SERVER["HTTP_REFERER"])); -$goBackUrl = api_get_path(WEB_CODE_PATH).'document/document.php?'.api_get_cidreq(); +$form->addHidden("groupId", (int) $_GET["groupId"]); +$form->addHidden("courseId", (int) $_GET["courseId"]); +$form->addHidden("sessionId", (int) $_GET["sessionId"]); +$form->addHidden("userId", (int) $_GET["userId"]); +$form->addHidden("folderId", (int) $_GET["folderId"]); +$form->addHidden("goBackUrl", $_SERVER["HTTP_REFERER"]); if ($form->validate()) { $values = $form->exportValues(); 
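Review bot: `$userId = $_GET["userId"]` is passed straight to `DocumentManager::is_my_shared_folder($userId, $docInfo["absolute_path"], $sessionId)`, so the `$isMyDir` arm of the permission check is decided by an id the requester chooses rather than by the logged-in account. Take the id from the session instead, `$userId = api_get_user_id();`, and treat the other query values as integers with a default, e.g. `$courseId = (int) ($_GET["courseId"] ?? 0);`. The new side also drops the `if (!empty($docId))` guard, so `$docInfo["absolute_path"]` is read even when no `folderId` was sent; keeping the lookup inside that guard with `$isMyDir = false` as the default avoids checking rights against an empty path. The opening lines of this hunk are not fully visible on the page, so anything above the format map is not covered by this note.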
@@ -82,41 +69,36 @@ if ($form->validate()) { $groupId = $values["groupId"]; $sessionId = $values["sessionId"]; $courseId = $values["courseId"]; - $goBackUrl = Security::remove_XSS($values["goBackUrl"]); + $goBackUrl = $values["goBackUrl"]; $fileType = $values["fileFormat"]; $fileExt = FileUtility::getDocExt($fileType); - $fileTitle = Security::remove_XSS($values["fileName"]).".".$fileExt; + $fileTitle = $values["fileName"] . "." . $fileExt; $courseInfo = api_get_course_info_by_id($courseId); $courseCode = $courseInfo["code"]; - + $fileNamePrefix = DocumentManager::getDocumentSuffix($courseInfo, $sessionId, $groupId); - $fileName = preg_replace('/\.\./', '', $values["fileName"]).$fileNamePrefix.".".$fileExt; + $fileName = $values["fileName"] . $fileNamePrefix . "." . $fileExt; + $groupInfo = GroupManager::get_group_properties($groupId); $emptyTemplatePath = TemplateManager::getEmptyTemplate($fileExt); - $folderPath = ''; $fileRelatedPath = "/"; if (!empty($folderId)) { - $document_data = DocumentManager::get_document_data_by_id( - $folderId, - $courseCode, - true, - $sessionId - ); + $document_data = DocumentManager::get_document_data_by_id($folderId, $courseCode, true, $sessionId); $folderPath = $document_data["absolute_path"]; - $fileRelatedPath = $fileRelatedPath.substr($document_data["absolute_path_from_document"], 10)."/".$fileName; + $fileRelatedPath = $fileRelatedPath . substr($document_data["absolute_path_from_document"], 10) . "/" . $fileName; } else { - $folderPath = api_get_path(SYS_COURSE_PATH).api_get_course_path($courseCode)."/document"; + $folderPath = api_get_path(SYS_COURSE_PATH) . api_get_course_path($courseCode) . "/document"; if (!empty($groupId)) { - $folderPath = $folderPath."/".$groupInfo["directory"]; - $fileRelatedPath = $groupInfo["directory"]."/"; + $folderPath = $folderPath . "/" . $groupInfo["directory"]; + $fileRelatedPath = $groupInfo["directory"] . 
"/"; } - $fileRelatedPath = $fileRelatedPath.$fileName; + $fileRelatedPath = $fileRelatedPath . $fileName; } - $filePath = $folderPath."/".$fileName; + $filePath = $folderPath . "/" . $fileName; if (file_exists($filePath)) { Display::addFlash(Display::return_message($plugin->get_lang("fileIsExist"), "error")); @@ -130,47 +112,40 @@ if ($form->validate()) { chmod($filePath, api_get_permissions_for_new_files()); - $documentId = add_document( - $courseInfo, - $fileRelatedPath, - "file", - filesize($filePath), - $fileTitle, - null, - false - ); + $documentId = add_document($courseInfo, + $fileRelatedPath, + "file", + filesize($filePath), + $fileTitle, + null, + false); if ($documentId) { - api_item_property_update( - $courseInfo, - TOOL_DOCUMENT, - $documentId, - "DocumentAdded", - $userId, - $groupInfo, - null, - null, - null, - $sessionId - ); - - header("Location: ".$goBackUrl); + api_item_property_update($courseInfo, + TOOL_DOCUMENT, + $documentId, + "DocumentAdded", + $userId, + $groupInfo, + null, + null, + null, + $sessionId); + + header("Location: " . $goBackUrl); exit(); } + } else { - Display::addFlash( - Display::return_message( - $plugin->get_lang("impossibleCreateFile"), - "error" - ) - ); + Display::addFlash(Display::return_message($plugin->get_lang("impossibleCreateFile"), "error")); } } display: - $goBackUrl = $goBackUrl ?: Security::remove_XSS($_SERVER["HTTP_REFERER"]); - $actionsLeft = ''.Display::return_icon("back.png", get_lang("Back")." ".get_lang("To")." ".get_lang("DocumentsOverview"), "", ICON_SIZE_MEDIUM).""; + $goBackUrl = $goBackUrl ?: $_SERVER["HTTP_REFERER"]; + $actionsLeft = '' . Display::return_icon("back.png", get_lang("Back") . " " . get_lang("To") . " " . get_lang("DocumentsOverview"), "", ICON_SIZE_MEDIUM) . ""; Display::display_header($plugin->get_lang("createNewDocument")); echo Display::toolbarAction("actions-documents", [$actionsLeft]); echo $form->returnForm(); Display::display_footer(); +?> \ No newline at end of file
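Review bot: `$fileName = $values["fileName"] . $fileNamePrefix . "." . $fileExt;` now goes unchanged into `$filePath = $folderPath . "/" . $fileName;`, so a submitted name containing directory separators or `..` segments decides where the new file is written, outside the intended course folder. Reduce the name to a single path component before use, for example `$fileName = basename($values["fileName"]) . $fileNamePrefix . "." . $fileExt;`, and reject the request when the result is empty. The same raw value becomes `$fileTitle`, which is stored through `add_document()` in the next hunk and presumably shown in document listings, so keep it escaped: `$fileTitle = Security::remove_XSS($values["fileName"]) . "." . $fileExt;`. The `if ($form->validate())` block starts before this hunk and `$folderId` is assigned outside it.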
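Review bot: `header("Location: " . $goBackUrl);` redirects to a value that on the new side is the posted `goBackUrl` hidden field, seeded from `$_SERVER["HTTP_REFERER"]` in the first hunk and read back unfiltered in the second, so the redirect target is entirely client-controlled (open redirect). The `display:` block draws on the same source: with the server-built default removed, `$goBackUrl` is undefined whenever the form has not validated, and the fallback `$goBackUrl ?: $_SERVER["HTTP_REFERER"]` is the raw request header, presumably printed into the back link whose markup is not visible on this page. Build the target on the server before `if ($form->validate())`, `$goBackUrl = api_get_path(WEB_CODE_PATH).'document/document.php?'.api_get_cidreq();`, and stop round-tripping it through the form. If a caller-supplied return URL has to be honoured, accept it only when it begins with `api_get_path(WEB_PATH)` and escape it for the attribute context when printing.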