From 272fd85c3a1f4f766dc905c941604b82ec894892 Mon Sep 17 00:00:00 2001 From: Cristian Fasanando Date: Mon, 22 Mar 2010 16:12:50 -0500 Subject: [PATCH] minor - added Security to output values inside thematic - partial BT#578 --- main/course_progress/thematic.php | 8 ++++---- main/course_progress/thematic_controller.php | 20 ++++++++------------ main/course_progress/thematic_plan.php | 2 +- main/inc/lib/thematic.lib.php | 11 +++++------ 4 files changed, 18 insertions(+), 23 deletions(-) diff --git a/main/course_progress/thematic.php b/main/course_progress/thematic.php index 9ed8a1d2fd..8d0dd05985 100755 --- a/main/course_progress/thematic.php +++ b/main/course_progress/thematic.php @@ -38,7 +38,7 @@ if ($action == 'thematic_list') { // display title if (!empty($thematic_id)) { - echo '
'.$thematic_data[$thematic_id]['title'].': '.get_lang('Details').'

'; + echo '
'.Security::remove_XSS($thematic_data[$thematic_id]['title'], STUDENT).': '.get_lang('Details').'

'; } else { echo '
'.get_lang('ThematicDetails').'

'; // display information @@ -65,7 +65,7 @@ if ($action == 'thematic_list') { echo ''; // display thematic data - echo '
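Review bot: The escaping is applied inline at each echo — this hunk's title line, and the title/content, plan title/description and advance content lines in @@ -65, @@ -74 and @@ -92 — so every future echo in this view has to remember the wrapper, and a field that is missed simply stays raw with nothing flagging it. Sanitizing the fields once where `$thematic_data`, `$thematic_plan_data` and the `$thematic_advance` rows are assembled, or in the helper that loads them, would give a single place to audit; if the inline form is kept, a comment at the top of the view such as `// all stored text is run through Security::remove_XSS(…, STUDENT) at output; never echo a field raw` would at least state the rule. The HTML around these echo calls did not survive extraction on this page, so the element context of each echoed value cannot be checked from here.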
'.$thematic['title'].'
'.$thematic['content'].'
'; + echo '
'.Security::remove_XSS($thematic['title'], STUDENT).'
'.Security::remove_XSS($thematic['content'], STUDENT).'
'; // display thematic plan data echo ''; @@ -74,7 +74,7 @@ if ($action == 'thematic_list') { } if (!empty($thematic_plan_data[$thematic['id']])) { foreach ($thematic_plan_data[$thematic['id']] as $thematic_plan) { - echo '
'.$thematic_plan['title'].'
'.$thematic_plan['description'].'
'; + echo '
'.Security::remove_XSS($thematic_plan['title'], STUDENT).'
'.Security::remove_XSS($thematic_plan['description'], STUDENT).'
'; } } else { echo '
'.get_lang('StillDoNotHaveAThematicPlan').'
'; @@ -92,7 +92,7 @@ if ($action == 'thematic_list') { echo ''; echo ''; echo '
'.api_convert_and_format_date($thematic_advance['start_date'], DATE_TIME_FORMAT_LONG, date_default_timezone_get()).'
'; - echo '
'.$thematic_advance['content'].'
'; + echo '
'.Security::remove_XSS($thematic_advance['content'], STUDENT).'
'; echo '
'.get_lang('DurationInHours').' : '.$thematic_advance['duration'].'
'; echo ''; if (empty($thematic_id) && api_is_allowed_to_edit(null, true)) { diff --git a/main/course_progress/thematic_controller.php b/main/course_progress/thematic_controller.php index 2c9f3e449c..996bdf847d 100755 --- a/main/course_progress/thematic_controller.php +++ b/main/course_progress/thematic_controller.php @@ -40,8 +40,8 @@ class ThematicController // insert or update a thematic if (strtoupper($_SERVER['REQUEST_METHOD']) == "POST") { - if (isset($_POST['action']) && ($_POST['action'] == 'thematic_add' || $_POST['action'] == 'thematic_edit')) { - if (!empty($_POST['title'])) { + if (isset($_POST['action']) && ($_POST['action'] == 'thematic_add' || $_POST['action'] == 'thematic_edit')) { + if (trim($_POST['title']) !== '') { if ($_POST['thematic_token'] == $_SESSION['thematic_token']) { $id = $_POST['thematic_id']; $title = $_POST['title']; @@ -77,14 +77,12 @@ class ThematicController $thematic_id = isset($_GET['thematic_id'])?intval($_GET['thematic_id']):null; - if (isset($thematic_id)) { - + if (isset($thematic_id)) { // delete a thematic if ($action == 'thematic_delete') { $affected_rows = $thematic->thematic_destroy($thematic_id); $action = 'thematic_list'; - } - + } // move thematic if ($action == 'moveup') { $thematic->move_thematic('up', $thematic_id); @@ -92,8 +90,7 @@ class ThematicController } else if ($action == 'movedown') { $thematic->move_thematic('down', $thematic_id); $action = 'thematic_list'; - } - + } $data['thematic_data'] = $thematic->get_thematic_list($thematic_id); $data['thematic_id'] = $thematic_id; } @@ -121,8 +118,7 @@ class ThematicController $this->view->set_data($data); $this->view->set_layout('layout'); $this->view->set_template('thematic'); - $this->view->render(); - + $this->view->render(); } /** 
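Review bot: `$thematic_advance['duration']` is still concatenated raw into the output on the context line right after the new `remove_XSS` call, while `content` a few lines above is now filtered. If `duration` is a numeric column the exposure is small, but nothing in the hunk enforces that; `'.intval($thematic_advance['duration']).'` (or the same `Security::remove_XSS(..., STUDENT)` wrapper used for `content`) keeps the escaping uniform across the block. The enclosing `foreach`/`if` blocks start outside the hunk.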
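Review bot: `trim($_POST['title']) !== ''` dereferences `title` unconditionally, whereas the replaced `!empty($_POST['title'])` also covered the key being absent, so a POST without `title` now raises an undefined-index notice before being rejected; the same replacement is made in @@ -136 of this file. `if (isset($_POST['title']) && trim($_POST['title']) !== '') {` restores the guard while keeping the new behaviour (a title of `0` accepted, a whitespace-only title rejected). On the next context line the token check `$_POST['thematic_token'] == $_SESSION['thematic_token']` uses a loose comparison, so two absent values compare equal and string juggling applies; `isset($_SESSION['thematic_token']) && $_POST['thematic_token'] === $_SESSION['thematic_token']` closes both gaps. The method body continues outside the hunk.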
@@ -136,8 +132,8 @@ class ThematicController $error = false; if (strtoupper($_SERVER['REQUEST_METHOD']) == "POST") { - if (isset($_POST['action']) && ($_POST['action'] == 'thematic_plan_add' || $_POST['action'] == 'thematic_plan_edit')) { - if (!empty($_POST['title'])) { + if (isset($_POST['action']) && ($_POST['action'] == 'thematic_plan_add' || $_POST['action'] == 'thematic_plan_edit')) { + if (trim($_POST['title']) !== '') { if ($_POST['thematic_plan_token'] == $_SESSION['thematic_plan_token']) { $thematic_id = $_POST['thematic_id']; $title = $_POST['title']; diff --git a/main/course_progress/thematic_plan.php b/main/course_progress/thematic_plan.php index 27330e7fa7..452e5d35b1 100755 --- a/main/course_progress/thematic_plan.php +++ b/main/course_progress/thematic_plan.php @@ -41,7 +41,7 @@ if ($action == 'thematic_plan_list') { echo ''; echo Display::return_icon('edit.gif', get_lang('Edit'), array('style' => 'vertical-align:middle;float:right; padding-right:4px;')); echo ' '; - echo $thematic_plan['title']; + echo Security::remove_XSS($thematic_plan['title'], STUDENT); echo ''; echo '
'; echo text_filter($thematic_plan['description']); diff --git a/main/inc/lib/thematic.lib.php b/main/inc/lib/thematic.lib.php index 428cf51bb5..70909e8191 100644 --- a/main/inc/lib/thematic.lib.php +++ b/main/inc/lib/thematic.lib.php @@ -81,7 +81,7 @@ class Thematic } while ($thematic = Database::fetch_row($res)) { - $thematic[1] = ''.$thematic[1].''; + $thematic[1] = ''.Security::remove_XSS($thematic[1], STUDENT).''; if (api_is_allowed_to_edit(null, true)) { $actions = ''; $actions .= '
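Review bot: Only `title` gets `Security::remove_XSS(..., STUDENT)` here; the `description` on the following context line is echoed through `text_filter()` instead, while thematic.php (@@ -74 of this patch) runs the same `description` field through `remove_XSS`. Whether `text_filter()` sanitizes or only formats cannot be told from this page; if it is only a formatter, wrapping its input, `echo text_filter(Security::remove_XSS($thematic_plan['description'], STUDENT));`, makes the two views treat the field the same way. The enclosing loop starts outside the hunk.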
'.Display::return_icon('info.gif',get_lang('ThematicPlan')).' '; @@ -280,20 +280,19 @@ class Thematic if (!empty($affected_rows)) { // update row item property table api_item_property_update($_course, TOOL_COURSE_PROGRESS, $id,"delete", $user_id); - } + } } } else { $thematic_id = intval($thematic_id); $sql = "UPDATE $tbl_thematic SET active = 0 WHERE id = $thematic_id"; Database::query($sql); - $affected_rows = Database::affected_rows(); + $affected_rows = Database::affected_rows(); if (!empty($affected_rows)) { // update row item property table api_item_property_update($_course, TOOL_COURSE_PROGRESS, $thematic_id,"delete", $user_id); - } + } } - return $affected_rows; - + return $affected_rows; } /**
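Review bot: The sanitized value is written back into `$thematic[1]` wrapped in markup that apparently did not survive extraction, so from this line on the element holds presentation HTML rather than the stored title, and the numeric index gives no hint which column that is. A short comment above the line, `// column 1 is the title: purify it here, before it is wrapped in markup and returned to the view`, would make both facts visible to the next reader; fetching the row by column name would be clearer still if the query selects by name. The enclosing method starts outside the hunk.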