From 2b68b8876e92c687b88dc71b51135f62f2b21900 Mon Sep 17 00:00:00 2001
From: Ivan Tcholakov <ivantcholakov@gmail.com>
Date: Sat, 16 May 2009 09:28:22 +0200
Subject: [PATCH] [svn r20716] FS#306 - Replacing some natural language unsafe
 occurrences of the function htmlentities() and other similar fixes.

---
 main/chat/chat_chat.php                   |  6 +++---
 main/exercice/exercice.php                |  4 ++--
 main/exercice/hotspot_admin.inc.php       |  4 ++--
 main/exercice/question_list_admin.inc.php |  8 ++++----
 main/forum/viewthread_flat.inc.php        |  2 +-
 main/forum/viewthread_nested.inc.php      |  2 +-
 main/forum/viewthread_threaded.inc.php    |  2 +-
 main/link/link.php                        | 12 ++++++------
 main/messages/message.class.php           |  6 +++---
 main/reservation/m_category.php           |  4 ++--
 main/reservation/m_item.php               |  4 ++--
 main/reservation/m_item_origineel.php     |  4 ++--
 main/reservation/m_reservation.php        |  2 +-
 main/reservation/mysubscriptions.php      |  4 ++--
 main/work/work.lib.php                    |  6 +++---
 whoisonline.php                           |  6 +++---
 16 files changed, 38 insertions(+), 38 deletions(-)

diff --git a/main/chat/chat_chat.php b/main/chat/chat_chat.php
index 755fceaf84..49d9aad988 100755
--- a/main/chat/chat_chat.php
+++ b/main/chat/chat_chat.php
@@ -134,7 +134,7 @@ if (!empty($course))
 	echo '<div style="margin-left: 5px;">';
 	foreach($content as $thisLine)
 	{
-		echo strip_tags(html_entity_decode($thisLine),'<br> <span> <b> <i> <img> <font>');
+		echo strip_tags(api_html_entity_decode($thisLine),'<br> <span> <b> <i> <img> <font>');
 	}
 	echo '</div>';
 	
@@ -147,7 +147,7 @@ if (!empty($course))
 	{
 		$rand=mt_rand(1,1000);		
 		echo '<div style="margin-left: 5px;">';
-		echo '<a href="'.api_get_self().'?rand='.$rand.'&reset=1&cidReq='.$_GET['cidReq'].'#bottom" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang('ConfirmReset'),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif', get_lang('ClearList')).' '.get_lang('ClearList').'</a>';
+		echo '<a href="'.api_get_self().'?rand='.$rand.'&reset=1&cidReq='.$_GET['cidReq'].'#bottom" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(get_lang('ConfirmReset'),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif', get_lang('ClearList')).' '.get_lang('ClearList').'</a>';
 		echo '</div>';
 	}
 }
@@ -158,4 +158,4 @@ else
 	Display :: display_error_message($message);	
 }
 include('footer_frame.inc.php');
-?>
\ No newline at end of file
+?>
diff --git a/main/exercice/exercice.php b/main/exercice/exercice.php
index 235255e5d1..90c48ea90d 100644
--- a/main/exercice/exercice.php
+++ b/main/exercice/exercice.php
@@ -1,5 +1,5 @@
 <?php
-// $Id: exercice.php 20648 2009-05-14 17:34:11Z cvargas1 $
+// $Id: exercice.php 20716 2009-05-16 07:28:22Z ivantcholakov $
 
 /*
 ==============================================================================
@@ -942,7 +942,7 @@ if ($show == 'test') {
 ?>
 
 <!--" /></a>-->	    
-			<a href="exercice.php?choice=delete&exerciseId=<?php echo $row['id']; ?>" onclick="javascript:if(!confirm('<?php echo addslashes(htmlentities(get_lang('AreYouSureToDelete'),ENT_QUOTES,$charset)); echo " ".$row['title']; echo "?"; ?>')) return false;"> <img src="../img/delete.gif" border="0" alt="<?php echo htmlentities(get_lang('Delete'),ENT_QUOTES,$charset); ?>" /></a>					
+			<a href="exercice.php?choice=delete&exerciseId=<?php echo $row['id']; ?>" onclick="javascript:if(!confirm('<?php echo addslashes(api_htmlentities(get_lang('AreYouSureToDelete'),ENT_QUOTES,$charset)); echo " ".$row['title']; echo "?"; ?>')) return false;"> <img src="../img/delete.gif" border="0" alt="<?php echo api_htmlentities(get_lang('Delete'),ENT_QUOTES,$charset); ?>" /></a>					
 			<?php
 
 				//if active
diff --git a/main/exercice/hotspot_admin.inc.php b/main/exercice/hotspot_admin.inc.php
index f0b4476de3..b8dec51f06 100644
--- a/main/exercice/hotspot_admin.inc.php
+++ b/main/exercice/hotspot_admin.inc.php
@@ -271,14 +271,14 @@ if($modifyAnswers)
 		?>
 			<input type="submit" class="minus" name="lessAnswers" value="<?php echo get_lang('LessHotspots'); ?>" >
 			<input type="submit" class="plus" name="moreAnswers" value="<?php echo get_lang('MoreHotspots'); ?>" />
-			<input type="submit" class="cancel" name="cancelAnswers" value="<?php echo get_lang('Cancel'); ?>" onclick="javascript:if(!confirm('<?php echo addslashes(htmlentities(get_lang('ConfirmYourChoice'))); ?>')) return false;" >
+			<input type="submit" class="cancel" name="cancelAnswers" value="<?php echo get_lang('Cancel'); ?>" onclick="javascript:if(!confirm('<?php echo addslashes(api_htmlentities(get_lang('ConfirmYourChoice'))); ?>')) return false;" >
 			<input type="submit" class="save" name="submitAnswers" value="<?php echo get_lang('Ok'); ?>" />			 
 		<?php
 			} else {				
 		?>
 			<button type="submit" class="minus" name="lessAnswers" value="<?php echo get_lang('LessHotspots'); ?>" ><?php echo get_lang('LessHotspots'); ?></button>
 			<button type="submit" class="plus" name="moreAnswers" value="<?php echo get_lang('MoreHotspots'); ?>" /><?php echo get_lang('langMoreHotspotsImage'); ?></button>
-			<button type="submit" class="cancel" name="cancelAnswers" value="<?php echo get_lang('Cancel'); ?>" onclick="javascript:if(!confirm('<?php echo addslashes(htmlentities(get_lang('ConfirmYourChoice'))); ?>')) return false;" ><?php echo get_lang('Cancel'); ?></button>
+			<button type="submit" class="cancel" name="cancelAnswers" value="<?php echo get_lang('Cancel'); ?>" onclick="javascript:if(!confirm('<?php echo addslashes(api_htmlentities(get_lang('ConfirmYourChoice'))); ?>')) return false;" ><?php echo get_lang('Cancel'); ?></button>
 			<button type="submit" class="save" name="submitAnswers" value="<?php echo get_lang('Ok'); ?>" /><?php echo get_lang('AddQuestionToExercise'); ?></button>
 		<?php
 			}
diff --git a/main/exercice/question_list_admin.inc.php b/main/exercice/question_list_admin.inc.php
index ed55eaf0c5..e9f7887849 100644
--- a/main/exercice/question_list_admin.inc.php
+++ b/main/exercice/question_list_admin.inc.php
@@ -1,4 +1,4 @@
-<?php // $Id: question_list_admin.inc.php 19894 2009-04-20 16:38:00Z cvargas1 $
+<?php // $Id: question_list_admin.inc.php 20716 2009-05-16 07:28:22Z ivantcholakov $
  
 /*
 ==============================================================================
@@ -28,7 +28,7 @@
 *	Code library for HotPotatoes integration.
 *	@package dokeos.exercise
 * 	@author
-* 	@version $Id: question_list_admin.inc.php 19894 2009-04-20 16:38:00Z cvargas1 $
+* 	@version $Id: question_list_admin.inc.php 20716 2009-05-16 07:28:22Z ivantcholakov $
 */
 
 
@@ -113,7 +113,7 @@ if($nbrQuestions) {
 			  	<td align="center"><?php echo $objQuestionTmp->selectLevel(); ?></td>
 			  	<!--<td align="center"><a href="<?php echo api_get_self(); ?>?action=exportqti2&questionId=<?php echo $id; ?>"><img src="../img/export.png" border="0" align="absmiddle" alt="IMS/QTI" /></a></td>-->
 			  	<td> <a href="<?php echo api_get_self(); ?>?myid=1&ed
-					itQuestion=<?php echo $id; ?>"><img src="../img/edit.gif" border="0" alt="<?php echo get_lang('Modify'); ?>" /></a> <a href="<?php echo api_get_self(); ?>?deleteQuestion=<?php echo $id; ?>" onclick="javascript:if(!confirm('<?php echo addslashes(htmlentities(get_lang('ConfirmYourChoice'))); ?>')) return false;"><img src="../img/delete.gif" border="0" align="absmiddle" alt="<?php echo get_lang('Delete'); ?>" /></a>
+					itQuestion=<?php echo $id; ?>"><img src="../img/edit.gif" border="0" alt="<?php echo get_lang('Modify'); ?>" /></a> <a href="<?php echo api_get_self(); ?>?deleteQuestion=<?php echo $id; ?>" onclick="javascript:if(!confirm('<?php echo addslashes(api_htmlentities(get_lang('ConfirmYourChoice'))); ?>')) return false;"><img src="../img/delete.gif" border="0" align="absmiddle" alt="<?php echo get_lang('Delete'); ?>" /></a>
 				<?php 
 				if($i != 1) { ?>		
 						<a href="<?php echo api_get_self(); ?>?moveUp=<?php echo $id; ?>"><img src="../img/up.gif" border="0" alt="<?php echo get_lang('MoveUp'); ?>"></a>		
@@ -151,4 +151,4 @@ if(!$i) {
 }
 ?>
 </table>
-</div>
\ No newline at end of file
+</div>
diff --git a/main/forum/viewthread_flat.inc.php b/main/forum/viewthread_flat.inc.php
index 11430d0d04..9b3fd9d916 100644
--- a/main/forum/viewthread_flat.inc.php
+++ b/main/forum/viewthread_flat.inc.php
@@ -148,7 +148,7 @@ foreach ($rows as $row) {
 		echo ' "> '.$user_filename.' </a>';
 		echo '<span class="forum_attach_comment" >'.$attachment_list['comment'].'</span>';
 		if (($current_forum['allow_edit']==1 AND $row['user_id']==$_user['user_id']) or (api_is_allowed_to_edit(false,true)  && !(api_is_course_coach() && $current_forum['session_id']!=$_SESSION['id_session'])))	{
-		echo '&nbsp;&nbsp;<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;origin='.Security::remove_XSS($_GET['origin']).'&amp;action=delete_attach&amp;id_attach='.$attachment_list['id'].'&amp;forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif',get_lang('Delete')).'</a><br />';
+		echo '&nbsp;&nbsp;<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;origin='.Security::remove_XSS($_GET['origin']).'&amp;action=delete_attach&amp;id_attach='.$attachment_list['id'].'&amp;forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif',get_lang('Delete')).'</a><br />';
 		}
 		echo '</td></tr>';		
 	}
diff --git a/main/forum/viewthread_nested.inc.php b/main/forum/viewthread_nested.inc.php
index 0b785c14ee..d6ab650863 100644
--- a/main/forum/viewthread_nested.inc.php
+++ b/main/forum/viewthread_nested.inc.php
@@ -148,7 +148,7 @@ foreach ($rows as $post) {
 		echo ' "> '.$user_filename.' </a>';
 		echo '<span class="forum_attach_comment" >'.$attachment_list['comment'].'</span>';
 		if (($current_forum['allow_edit']==1 AND $post['user_id']==$_user['user_id']) or (api_is_allowed_to_edit(false,true)  && !(api_is_course_coach() && $current_forum['session_id']!=$_SESSION['id_session'])))	{
-		echo '&nbsp;&nbsp;<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;origin='.Security::remove_XSS($_GET['origin']).'&amp;action=delete_attach&amp;id_attach='.$attachment_list['id'].'&amp;forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif',get_lang('Delete')).'</a><br />';
+		echo '&nbsp;&nbsp;<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;origin='.Security::remove_XSS($_GET['origin']).'&amp;action=delete_attach&amp;id_attach='.$attachment_list['id'].'&amp;forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif',get_lang('Delete')).'</a><br />';
 		}	
 		echo '</td></tr>';		
 	}
diff --git a/main/forum/viewthread_threaded.inc.php b/main/forum/viewthread_threaded.inc.php
index 38e6889a31..e9713784fd 100644
--- a/main/forum/viewthread_threaded.inc.php
+++ b/main/forum/viewthread_threaded.inc.php
@@ -343,7 +343,7 @@ if (!empty($attachment_list))
 	echo ' "> '.$user_filename.' </a>';
 	echo '<span class="forum_attach_comment" >'.$attachment_list['comment'].'</span>';
 	if (($current_forum['allow_edit']==1 AND $rows[$display_post_id]['user_id']==$_user['user_id']) or (api_is_allowed_to_edit(false,true)  && !(api_is_course_coach() && $current_forum['session_id']!=$_SESSION['id_session'])))	{
-		echo '&nbsp;&nbsp;<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;origin='.Security::remove_XSS($_GET['origin']).'&amp;action=delete_attach&amp;id_attach='.$attachment_list['id'].'&amp;forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif',get_lang('Delete')).'</a><br />';
+		echo '&nbsp;&nbsp;<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;origin='.Security::remove_XSS($_GET['origin']).'&amp;action=delete_attach&amp;id_attach='.$attachment_list['id'].'&amp;forum='.Security::remove_XSS($_GET['forum']).'&amp;thread='.Security::remove_XSS($_GET['thread']).'" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif',get_lang('Delete')).'</a><br />';
 	}	
 	echo '</td></tr>';		
 }
diff --git a/main/link/link.php b/main/link/link.php
index 7281be4e2e..da88afd455 100644
--- a/main/link/link.php
+++ b/main/link/link.php
@@ -1,4 +1,4 @@
-<?php // $Id: link.php 20497 2009-05-11 21:07:26Z juliomontoya $
+<?php // $Id: link.php 20716 2009-05-16 07:28:22Z ivantcholakov $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@@ -341,7 +341,7 @@ if (is_allowed_to_edit() and isset($_GET['action'])) {
 						<span class="form_required">*</span> '.get_lang('CategoryName').'
 					</div>
 					<div class="formw">
-						<input type="text" name="category_title" size="50" value="'.htmlentities($category_title,ENT_QUOTES,$charset).'" />
+						<input type="text" name="category_title" size="50" value="'.api_htmlentities($category_title,ENT_QUOTES,$charset).'" />
 					</div>
 				</div>';
 		
@@ -350,7 +350,7 @@ if (is_allowed_to_edit() and isset($_GET['action'])) {
 						'.get_lang('Description').'
 					</div>
 					<div class="formw">
-						<textarea rows="3" cols="50" name="description">'.htmlentities($description,ENT_QUOTES,$charset).'</textarea>
+						<textarea rows="3" cols="50" name="description">'.api_htmlentities($description,ENT_QUOTES,$charset).'</textarea>
 					</div>
 				</div>';
 		
@@ -407,13 +407,13 @@ if (empty($_GET['action']) || ($_GET['action']!='editlink' && $_GET['action']!='
 		for($j = 1; $j <= $aantalcategories; $j++) {
 			echo "0";
 		}
-		echo "\">$shownone</a>";
+		echo "\">".get_lang('shownone')."</a>";
 		echo Display::return_icon('add.gif', $showall)." <a href=\"".api_get_self()."?".api_get_cidreq()."&urlview=";
 		for($j = 1; $j <= $aantalcategories; $j++)
 		{
 		echo "1";
 		}
-		echo "\">$showall</a>";
+		echo "\">".get_lang('showall')."</a>";
 	}
 	echo '</div>';
 
@@ -463,7 +463,7 @@ if (empty($_GET['action']) || ($_GET['action']!='editlink' && $_GET['action']!='
 				echo '<tr>';			
 					echo '<th width="81%"  style="font-weight: bold; text-align:left;padding-left: 5px;">';
 					echo '<a href="'.api_get_self()."?".api_get_cidreq()."&urlview=".Security::remove_XSS($newurlview)."\">";
-					echo "<img src=../img/remove.gif>&nbsp;&nbsp;".htmlentities($myrow["category_title"],ENT_QUOTES,$charset)."</a><br/>&nbsp;&nbsp;&nbsp;".$myrow["description"];
+					echo "<img src=../img/remove.gif>&nbsp;&nbsp;".api_htmlentities($myrow["category_title"],ENT_QUOTES,$charset)."</a><br/>&nbsp;&nbsp;&nbsp;".$myrow["description"];
 					
 					if (is_allowed_to_edit())
 						{	
diff --git a/main/messages/message.class.php b/main/messages/message.class.php
index a0e1e6d5f9..b13f3f4cf4 100755
--- a/main/messages/message.class.php
+++ b/main/messages/message.class.php
@@ -181,8 +181,8 @@ class MessageManager {
 	 public static function send_message ($receiver_user_id, $title, $content) {
         global $charset;
 		$table_message = Database::get_main_table(TABLE_MESSAGE);
-        $title = mb_convert_encoding($title,$charset,'UTF-8');
-        $content = mb_convert_encoding($content,$charset,'UTF-8');
+        $title = api_convert_encoding($title,$charset,'UTF-8');
+        $content = api_convert_encoding($content,$charset,'UTF-8');
 		//message in inbox
 		$sql = "SELECT COUNT(*) as count FROM $table_message WHERE user_sender_id = ".api_get_user_id()." AND user_receiver_id='".Database::escape_string($receiver_user_id)."' AND title = '".Database::escape_string($title)."' AND content ='".Database::escape_string($content)."' ";
 		$res_exist = api_sql_query($sql,__FILE__,__LINE__);
@@ -300,7 +300,7 @@ class MessageManager {
 				$message[2] = '<a onclick="show_sent_message ('.$result[0].')" href="#../messages/view_message.php?id_send='.$result[0].'">'.GetFullUserName($result[4]).'</a>';
 				$message[3] = '<a onclick="show_sent_message ('.$result[0].')" href="#../messages/view_message.php?id_send='.$result[0].'">'.$result[2].'</a>';
 				$message[5] = '<a href="new_message.php?re_id='.$result[0].'">'.Display::return_icon('message_reply.png',get_lang('ReplyToMessage')).'</a>'.
-						  '&nbsp;&nbsp;<a href="outbox.php?action=deleteone&id='.$result[0].'"  onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmDeleteMessage')))."'".')) return false;">'.Display::return_icon('message_delete.png',get_lang('DeleteMessage')).'</a>';
+						  '&nbsp;&nbsp;<a href="outbox.php?action=deleteone&id='.$result[0].'"  onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang('ConfirmDeleteMessage')))."'".')) return false;">'.Display::return_icon('message_delete.png',get_lang('DeleteMessage')).'</a>';
 			}
 			$message[4] = $result[3]; //date stays the same
 			foreach($message as $key => $value) {
diff --git a/main/reservation/m_category.php b/main/reservation/m_category.php
index 46241a09f2..ebd13599f2 100644
--- a/main/reservation/m_category.php
+++ b/main/reservation/m_category.php
@@ -51,7 +51,7 @@ $interbreadcrumb[] = array ("url" => "../admin/index.php", "name" => get_lang('P
  *  @param - int $id The ResourceType-id
  */
 function modify_filter($id) {
-	return '<a href="m_category.php?action=edit&amp;id='.$id.'" title="'.get_lang("EditResourceType").'"><img alt="" src="../img/edit.gif" /></a>'.' <a href="m_category.php?action=delete&amp;id='.$id.'" title="'.get_lang("DeleteResourceType").'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmDeleteResourceType")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
+	return '<a href="m_category.php?action=edit&amp;id='.$id.'" title="'.get_lang("EditResourceType").'"><img alt="" src="../img/edit.gif" /></a>'.' <a href="m_category.php?action=delete&amp;id='.$id.'" title="'.get_lang("DeleteResourceType").'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmDeleteResourceType")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
 }
 
 /**
@@ -146,4 +146,4 @@ switch ($_GET['action']) {
  */
 
 Display :: display_footer();
-?>
\ No newline at end of file
+?>
diff --git a/main/reservation/m_item.php b/main/reservation/m_item.php
index 68af7352cd..b1a406c95b 100644
--- a/main/reservation/m_item.php
+++ b/main/reservation/m_item.php
@@ -59,7 +59,7 @@ function modify_filter($id) {
         $str.='<a href="m_item.php?action=edit&amp;id='.$id.'" title="'.get_lang("EditItem2").'"><img alt="" src="../img/edit.gif" /></a>';
     }
     //if(Rsys::item_allow($id,'m_rights')) $str.=' &nbsp;<a href="m_item.php?action=m_rights&amp;item_id='.$id.'" title="'.get_lang("MRights").'"><img alt="" src="../img/info_small.gif" /></a>';
-    if(Rsys::item_allow($id,'delete')) $str.=' <a href="m_item.php?action=delete&amp;id='.$id.'" title="'.get_lang('DeleteResource').'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmDeleteResource")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
+    if(Rsys::item_allow($id,'delete')) $str.=' <a href="m_item.php?action=delete&amp;id='.$id.'" title="'.get_lang('DeleteResource').'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmDeleteResource")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
  
     return $str;
 }
@@ -70,7 +70,7 @@ function modify_filter($id) {
  *  @param  -   int     $id     The item-rights-id's
  */
 function modify_rights_filter($id) {
-	return ' <a href="m_item.php?action=m_rights&amp;subaction=delete&amp;item_id='.substr($id, 0, strpos($id, '-')).'&amp;class_id='.substr($id, strrpos($id, '-') + 1).'" title="'.get_lang("RemoveClassRights").'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmDeleteResource")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
+	return ' <a href="m_item.php?action=m_rights&amp;subaction=delete&amp;item_id='.substr($id, 0, strpos($id, '-')).'&amp;class_id='.substr($id, strrpos($id, '-') + 1).'" title="'.get_lang("RemoveClassRights").'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmDeleteResource")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
 }
 
 /**
diff --git a/main/reservation/m_item_origineel.php b/main/reservation/m_item_origineel.php
index 39e996434d..3aa412ff95 100644
--- a/main/reservation/m_item_origineel.php
+++ b/main/reservation/m_item_origineel.php
@@ -50,7 +50,7 @@ function modify_filter($id) {
         $str.='<a href="m_item.php?action=edit&amp;id='.$id.'" title="'.get_lang("EditItem2").'"><img alt="" src="../img/edit.gif" /></a>';
     }
     if(Rsys::item_allow($id,'m_rights')) $str.=' &nbsp;<a href="m_item.php?action=m_rights&amp;item_id='.$id.'" title="'.get_lang("MRights").'"><img alt="" src="../img/info_small.gif" /></a>';
-    if(Rsys::item_allow($id,'delete')) $str.=' <a href="m_item.php?action=delete&amp;id='.$id.'" title="'.get_lang("DeleteItem").'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmDeleteItem")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
+    if(Rsys::item_allow($id,'delete')) $str.=' <a href="m_item.php?action=delete&amp;id='.$id.'" title="'.get_lang("DeleteItem").'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmDeleteItem")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';
     if(Rsys::item_allow($id,'edit')){
         $number = Rsys :: get_item($id);
         $str.= ' <a href="m_item.php?action=blackout&amp;id='.$id.'" title="'.get_lang("Blackout").'"><img alt="" src="../img/blackout'.$number[5].'.gif" /></a>';
@@ -430,4 +430,4 @@ switch ($_GET['action']) {
  */
 
 Display :: display_footer();
-?>
\ No newline at end of file
+?>
diff --git a/main/reservation/m_reservation.php b/main/reservation/m_reservation.php
index c0bd61d29e..dbd0b465e6 100644
--- a/main/reservation/m_reservation.php
+++ b/main/reservation/m_reservation.php
@@ -45,7 +45,7 @@ $tool_name = get_lang('BookingPeriodList');
 function modify_filter($id) {
 		$out = ' <a href="m_reservation.php?action=accept&amp;rid='.$id.'" alt="'.get_lang('AutoAccept').'"><img title="'.get_lang('AutoAccept').'"  alt="'.get_lang('AutoAccept').'" src="../img/students.gif" /></a>';
 		$out .= '<a href="m_reservation.php?action=edit&amp;id='.$id.'" alt="'.get_lang('EditBookingPeriod').'"><img title="'.get_lang('EditBookingPeriod').'" alt="'.get_lang('EditBookingPeriod').'" src="../img/edit.gif" /></a>';		
-		$out .= ' <a href="m_reservation.php?action=delete&amp;id='.$id.'" alt="'.get_lang('DeleteBookingPeriod').'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmDeleteBookingPeriod")))."'".')) return false;"><img title="'.get_lang('DeleteBookingPeriod').'" alt="'.get_lang('DeleteBookingPeriod').'" src="../img/delete.gif" /></a>';
+		$out .= ' <a href="m_reservation.php?action=delete&amp;id='.$id.'" alt="'.get_lang('DeleteBookingPeriod').'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmDeleteBookingPeriod")))."'".')) return false;"><img title="'.get_lang('DeleteBookingPeriod').'" alt="'.get_lang('DeleteBookingPeriod').'" src="../img/delete.gif" /></a>';
 		
 	return $out;
 }
diff --git a/main/reservation/mysubscriptions.php b/main/reservation/mysubscriptions.php
index af8f582efb..4ddd5b156f 100644
--- a/main/reservation/mysubscriptions.php
+++ b/main/reservation/mysubscriptions.php
@@ -44,7 +44,7 @@ $tool_name = get_lang('Booking');
  *  Filter to display the modify-buttons
  */
 function modify_filter($id){
-     return ' <a href="mysubscriptions.php?action=delete&amp;reservation_id='.substr($id,0,strpos($id,'-')).'&amp;dummy='.substr($id,strrpos($id,'-')+1).'" title="'.get_lang("DeleteSubscription").'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang("ConfirmDeleteSubscription")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';        
+     return ' <a href="mysubscriptions.php?action=delete&amp;reservation_id='.substr($id,0,strpos($id,'-')).'&amp;dummy='.substr($id,strrpos($id,'-')+1).'" title="'.get_lang("DeleteSubscription").'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmDeleteSubscription")))."'".')) return false;"><img alt="" src="../img/delete.gif" /></a>';        
 }
 
 /**
@@ -105,4 +105,4 @@ switch ($_GET['action']) {
  */
 
 Display :: display_footer(); 
-?>
\ No newline at end of file
+?>
diff --git a/main/work/work.lib.php b/main/work/work.lib.php
index d6af4b2906..a28825c0ea 100644
--- a/main/work/work.lib.php
+++ b/main/work/work.lib.php
@@ -1,4 +1,4 @@
-<?php //$Id: work.lib.php 20709 2009-05-15 19:12:37Z ivantcholakov $
+<?php //$Id: work.lib.php 20716 2009-05-16 07:28:22Z ivantcholakov $
 /* For licensing terms, see /dokeos_license.txt */
 /**
 *	@package dokeos.work
@@ -6,7 +6,7 @@
 * 	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
 * 	@author Roan Embrechts, code refactoring and virtual course support
 * 	@author Frederic Vauthier, directories management
-* 	@version $Id: work.lib.php 20709 2009-05-15 19:12:37Z ivantcholakov $
+* 	@version $Id: work.lib.php 20716 2009-05-16 07:28:22Z ivantcholakov $
 */
 /**
  * Displays action links (for admins, authorized groups members and authorized students)
@@ -52,7 +52,7 @@ function display_action_links($cur_dir_path, $always_show_tool_options, $always_
 	{
 		// delete all files
 		$display_output .= 	"<a href=\"".api_get_self()."?".api_get_cidreq()."&amp;curdirpath=".$cur_dir_path."&amp;origin=$origin&amp;gradebook=$gradebook&amp;delete=all\" ".
-			"onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."')) return false;\">".
+			"onclick=\"javascript:if(!confirm('".addslashes(api_htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."')) return false;\">".
 			Display::return_icon('delete.gif', get_lang('Delete')).' '.get_lang('DeleteAllFiles')."</a>";
 
 		// make all files visible or invisible
diff --git a/whoisonline.php b/whoisonline.php
index 923bdaa7a2..581a91ab63 100644
--- a/whoisonline.php
+++ b/whoisonline.php
@@ -1,4 +1,4 @@
-<?php // $Id: whoisonline.php 20561 2009-05-12 19:35:39Z juliomontoya $
+<?php // $Id: whoisonline.php 20716 2009-05-16 07:28:22Z ivantcholakov $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@@ -382,7 +382,7 @@ else
 	Display::display_header(get_lang('UsersOnLineList'));
 	Display::display_error_message(get_lang('AccessNotAllowed'));
 }
-$referer = empty($_GET['referer'])?'index.php':htmlentities(strip_tags($_GET['referer']),ENT_QUOTES,$charset);
+$referer = empty($_GET['referer'])?'index.php':api_htmlentities(strip_tags($_GET['referer']),ENT_QUOTES,$charset);
 echo '<div class="actions">';
 if (isset($_GET['id'])) {
 	echo '<a href="whoisonline.php" class="fake_button_back">'.get_lang('Back').'</a>';	
@@ -397,4 +397,4 @@ echo '</div>';
 */
 /*echo '<div align="center"><a href="http://main.svndokeos.net/main/upload/users/4/4_49aeb3bb8bba5.jpg" class="thickbox">hola</a></div>';*/
 Display::display_footer();
-?>
\ No newline at end of file
+?>