Use api_replace_dangerous_char

certificates/index.php

@@ -37,7 +37,7 @@ switch ($action) {
             $pageFormat = $pdfParams['orientation'] == 'landscape' ? 'A4-L' : 'A4';
 
             $userInfo = api_get_user_info($certificate->user_id);
-            $pdfName = replace_dangerous_char(get_lang('Certificate') . ' ' . $userInfo['username']);
+            $pdfName = api_replace_dangerous_char(get_lang('Certificate') . ' ' . $userInfo['username']);
 
             $pdf = new PDF($pageFormat, $pdfParams['orientation'], $pdfParams);
             $pdf->html_to_pdf($certificatePathList, $pdfName, null, false, false);

main/admin/configure_homepage.php

@@ -149,7 +149,7 @@ if (api_is_multiple_url_enabled()) {
 	if ($access_url_id != -1) {
 		$url_info = api_get_access_url($access_url_id);
 		$url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
-		$clean_url = replace_dangerous_char($url);
+		$clean_url = api_replace_dangerous_char($url);
 		$clean_url = str_replace('/', '-', $clean_url);
 		$clean_url .= '/';
 
@@ -406,7 +406,7 @@ if (!empty($action)) {
 				} else {
 					// New links are added as new files in the home/ directory
 					if ($action == 'insert_link' || $action == 'insert_tabs' || empty($filename) || strstr($filename, '/') || !strstr($filename, '.html')) {
-						$filename = replace_dangerous_char($link_name, 'strict').'.html';
+						$filename = api_replace_dangerous_char($link_name, 'strict').'.html';
 					}
 
 					// "home_" prefix for links are renamed to "user_" prefix (to avoid name clash with existing home page files)

main/admin/configure_inscription.php

@@ -69,7 +69,7 @@ if (api_is_multiple_url_enabled()) {
         $url_info = api_get_access_url($access_url_id);
         $url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
 
-        $clean_url = replace_dangerous_char($url);
+        $clean_url = api_replace_dangerous_char($url);
         $clean_url = str_replace('/', '-', $clean_url);
         $clean_url .= '/';
 

main/auth/inscription.php

@@ -6,7 +6,7 @@
  *  @package    chamilo.auth
  */
 
-use \ChamiloSession as Session;
+use ChamiloSession as Session;
 
 //quick hack to adapt the registration form result to the selected registration language
 if (!empty($_POST['language'])) {
@@ -294,7 +294,7 @@ if (!CustomPages::enabled()) {
         if ($access_url_id != -1) {
             $url_info = api_get_access_url($access_url_id);
             $url = api_remove_trailing_slash(preg_replace('/https?:\/\//i', '', $url_info['url']));
-            $clean_url = replace_dangerous_char($url);
+            $clean_url = api_replace_dangerous_char($url);
             $clean_url = str_replace('/', '-', $clean_url);
             $clean_url .= '/';
             $home_old  = api_get_path(SYS_PATH).'home/';
@@ -591,7 +591,7 @@ if ($form->validate()) {
     Session::write('is_allowedCreateCourse', $is_allowedCreateCourse);
 
     // Stats
-    Event::event_login();
+    Event::event_login($user_id);
 
     // last user login date is now
     $user_last_login_datetime = 0; // used as a unix timestamp it will correspond to : 1 1 1970

main/auth/profile.php

@@ -328,7 +328,7 @@ function upload_user_production($user_id) {
     if (!file_exists($production_repository)) {
         @mkdir($production_repository, api_get_permissions_for_new_directories(), true);
     }
-    $filename = replace_dangerous_char($_FILES['production']['name']);
+    $filename = api_replace_dangerous_char($_FILES['production']['name']);
     $filename = disable_dangerous_file($filename);
 
     if (filter_extension($filename)) {

main/document/create_audio.php

@@ -377,7 +377,7 @@ function downloadMP3_google($filepath, $dir)
 	}
 
 	$documentPath = $filepath.'/'.$audio_filename;
-
+	/*
 
 	//prev for a fine unicode, borrowed from main api TODO:clean
 	// Safe replacements for some non-letter characters (whitout blank spaces)
@@ -391,19 +391,20 @@ function downloadMP3_google($filepath, $dir)
 	// Transliteration to ASCII letters, they are not dangerous for filesystems.
 	$filename = api_transliterate($filename, 'x', $encoding);
     // Replacing remaining dangerous non-letter characters.
-    $clean_text = str_replace($search, $replace, $filename);
+    $clean_text = str_replace($search, $replace, $filename);*/
+	$clean_text = api_replace_dangerous_char($clean_text);
 
 	//adding the file
-		//add new file to disk
+	//add new file to disk
-		file_put_contents($documentPath, file_get_contents("http://translate.google.com/translate_tts?tl=".$clean_lang."&q=".urlencode($clean_text).""));
+	file_put_contents($documentPath, file_get_contents("http://translate.google.com/translate_tts?tl=".$clean_lang."&q=".urlencode($clean_text).""));
-		//add document to database
+	//add document to database
-		$current_session_id = api_get_session_id();
+	$current_session_id = api_get_session_id();
-		$groupId=$_SESSION['_gid'];
+	$groupId=$_SESSION['_gid'];
-		$file_size = filesize($documentPath);
+	$file_size = filesize($documentPath);
-		$relativeUrlPath=$dir;
+	$relativeUrlPath=$dir;
-		$doc_id = add_document($_course, $relativeUrlPath.$audio_filename, 'file', filesize($documentPath), $audio_title);
+	$doc_id = add_document($_course, $relativeUrlPath.$audio_filename, 'file', filesize($documentPath), $audio_title);
-		api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);
+	api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);
-        Display::display_confirmation_message(get_lang('DocumentCreated'));
+	Display::display_confirmation_message(get_lang('DocumentCreated'));
 	//return to location
 	echo '<script>window.location.href="'.$location.'"</script>';
 }
@@ -454,7 +455,7 @@ function downloadMP3_pediaphon($filepath, $dir){
 
 	$documentPath = $filepath.'/'.$audio_filename;
 
-	//prev for a fine unicode, borrowed from main api TODO:clean
+	/*//prev for a fine unicode, borrowed from main api TODO:clean
 	// Safe replacements for some non-letter characters (whitout blank spaces)
 	$search  = array("\0", "\t", "\n", "\r", "\x0B", '/', "\\", '"', "'", '?', '*', '>', '<', '|', ':', '$', '(', ')', '^', '[', ']', '#', '+', '&', '%');
 	$replace = array('',  '_',  '_',  '_',  '_',    '-', '-',  '-', '_', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-', '-');
@@ -466,7 +467,8 @@ function downloadMP3_pediaphon($filepath, $dir){
 	// Transliteration to ASCII letters, they are not dangerous for filesystems.
 	$filename = api_transliterate($filename, 'x', $encoding);
     // Replacing remaining dangerous non-letter characters.
-    $clean_text = str_replace($search, $replace, $filename);
+    $clean_text = str_replace($search, $replace, $filename);*/
+	$clean_text = api_replace_dangerous_char($clean_text);
 
 	//adding the file
 

main/document/create_document.php

@@ -253,7 +253,7 @@ $form->addElement('hidden', 'title_edited', 'false', 'id="title_edited"');
 function document_exists($filename) {
     global $dir;
     // Clean up the name, only ASCII characters should stay. (and strict)
-    $cleanName = replace_dangerous_char($filename, 'strict');
+    $cleanName = api_replace_dangerous_char($filename, 'strict');
 
     // No "dangerous" files
     $cleanName = disable_dangerous_file($cleanName);
@@ -409,7 +409,7 @@ if ($form->validate()) {
 	$filename = $values['title'];
 	$filename = addslashes(trim($filename));
 	$filename = Security::remove_XSS($filename);
-	$filename = replace_dangerous_char($filename);
+	$filename = api_replace_dangerous_char($filename);
 	$filename = disable_dangerous_file($filename);
     $filename .= DocumentManager::getDocumentSuffix(
         $_course,

main/document/document.php

@@ -1254,7 +1254,7 @@ if ($is_allowed_to_edit ||
                 $curdirpath = $document_data['path'];
             }
             $added_slash = ($curdirpath == '/') ? '' : '/';
-            $dir_name = $curdirpath.$added_slash.replace_dangerous_char($post_dir_name);
+            $dir_name = $curdirpath.$added_slash.api_replace_dangerous_char($post_dir_name);
             $dir_name = disable_dangerous_file($dir_name);
             $dir_check = $base_work_dir.$dir_name;
             $visibility = empty($groupId) ? null : 1;

main/document/save_pixlr.php

@@ -28,7 +28,7 @@ if(!isset($_GET['title']) || !isset($_GET['type']) || !isset($_GET['image'])) {
 
 if(!isset($_SESSION['paint_dir']) || !isset($_SESSION['whereami']) ){
 	api_not_allowed();
-	die();	
+	die();
 }
 
 //pixlr return
@@ -68,7 +68,7 @@ $contents = file_get_contents($urlcontents_to_save);//replace line 45.
 //a bit title security
 $filename = addslashes(trim($filename));
 $filename = Security::remove_XSS($filename);
-$filename = replace_dangerous_char($filename, 'strict');
+$filename = api_replace_dangerous_char($filename, 'strict');
 $filename = disable_dangerous_file($filename);
 
 if (strlen(trim($filename))==0) {
@@ -77,7 +77,7 @@ if (strlen(trim($filename))==0) {
 }
 
 //check file_get_contents
-if ($contents === false) { 
+if ($contents === false) {
 	echo "I cannot read: ".$urlcontents;
     exit;
 }
@@ -113,22 +113,22 @@ if(strpos($current_mime, 'image')===false) {
 $paintFileName = $filename.'.'.$extension;
 $title = $title.'.'.$extension;
 
-if($currentTool=='document/createpaint'){		
+if($currentTool=='document/createpaint'){
-	//check save as and prevent rewrite an older file with same name	
+	//check save as and prevent rewrite an older file with same name
 	if (0 != $groupId){
         $group_properties  = GroupManager :: get_group_properties($groupId);
         $groupPath = $group_properties['directory'];
 	} else {
 		$groupPath ='';
-	}	
+	}
-	
+
-	if (file_exists($saveDir.'/'.$filename.'.'.$extension)){ 
+	if (file_exists($saveDir.'/'.$filename.'.'.$extension)){
-		$i = 1;		
+		$i = 1;
 		while (file_exists($saveDir.'/'.$filename.'_'.$i.'.'.$extension)) $i++;
 		$paintFileName = $filename . '_' . $i . '.'.$extension;
 		$title = $filename . '_' . $i . '.'.$extension;
 	}
-	
+
 	//
 	$documentPath = $saveDir.'/'.$paintFileName;
 	//add new document to disk
@@ -138,25 +138,25 @@ if($currentTool=='document/createpaint'){
 	api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);
 
 }elseif($currentTool=='document/editpaint'){
-	
+
 	$documentPath = $saveDir.'/'.$paintFileName;
 	//add new document to disk
 	file_put_contents( $documentPath, $contents );
-	
+
 	//check path
 	if(!isset($_SESSION['paint_file'])){
 		api_not_allowed();
 		die();
 	}
-	if($_SESSION['paint_file']==$paintFileName){		   
+	if($_SESSION['paint_file']==$paintFileName){
 		$document_id = DocumentManager::get_document_id($_course, $relativeUrlPath.'/'.$paintFileName);
 		update_existing_document($_course, $document_id, filesize($documentPath), null);
-		api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentUpdated', $_user['user_id'], $groupId, null, null, null, $current_session_id);		
+		api_item_property_update($_course, TOOL_DOCUMENT, $document_id, 'DocumentUpdated', $_user['user_id'], $groupId, null, null, null, $current_session_id);
 	}else{
 		//add a new document
 		$doc_id = add_document($_course, $relativeUrlPath.'/'.$paintFileName, 'file', filesize($documentPath), $title);
 		api_item_property_update($_course, TOOL_DOCUMENT, $doc_id, 'DocumentAdded', $_user['user_id'], $groupId, null, null, null, $current_session_id);
-	}	
+	}
 }
 
 
@@ -172,11 +172,11 @@ unset($_SESSION['temp_realpath_image']);
 
 if (!isset($_SESSION['exit_pixlr'])) {
 	$location=api_get_path(WEB_CODE_PATH).'document/document.php';
-	echo '<script>window.parent.location.href="'.$location.'"</script>';					 
+	echo '<script>window.parent.location.href="'.$location.'"</script>';
 	api_not_allowed(true);
-} else {	
+} else {
 	echo '<div align="center" style="padding-top:150; font-family:Arial, Helvetica, Sans-serif;font-size:25px;color:#aaa;font-weight:bold;">'.get_lang('PleaseStandBy').'</div>';
 	$location=api_get_path(WEB_CODE_PATH).'document/document.php?id='.Security::remove_XSS($_SESSION['exit_pixlr']);
 	echo '<script>window.parent.location.href="'.$location.'"</script>';
 	unset($_SESSION['exit_pixlr']);
-}
+}

main/dropbox/dropbox_functions.inc.php

@@ -836,7 +836,7 @@ function store_add_dropbox()
     // Try to add an extension to the file if it hasn't got one
     $dropbox_filename = add_ext_on_mime($dropbox_filename, $dropbox_filetype);
     // Replace dangerous characters
-    $dropbox_filename = replace_dangerous_char($dropbox_filename);
+    $dropbox_filename = api_replace_dangerous_char($dropbox_filename);
     // Transform any .php file in .phps fo security
     $dropbox_filename = php2phps($dropbox_filename);
 

main/exercice/hotpotatoes.php

@@ -100,7 +100,7 @@ if ((api_is_allowed_to_edit(null, true)) && (($finish == 0) || ($finish == 2)))
 
             if ($finish == 0) {
                 // Generate new test folder if on first step of file upload.
-                $filename = replace_dangerous_char(trim($_FILES['userFile']['name']), 'strict');
+                $filename = api_replace_dangerous_char(trim($_FILES['userFile']['name']), 'strict');
                 $fld = GenerateHpFolder($document_sys_path.$uploadPath.'/');
 
                 //$doc_id = add_document($_course, '/HotPotatoes_files/'.$fld, 'folder', 0, $fld);

main/gradebook/lib/fe/exportgradebook.php

@@ -205,7 +205,7 @@ function export_pdf_attendance($headers_table, $data_table, $headers_pdf, $foote
 	} else {
 		$mpdf->WriteHTML($html);
 	}
-	$mpdf->Output(replace_dangerous_char($title_pdf.'.pdf'), 'D');
+	$mpdf->Output(api_replace_dangerous_char($title_pdf.'.pdf'), 'D');
 	exit;
 }
 

main/inc/lib/course.lib.php

@@ -5413,20 +5413,20 @@ class CourseManager
      * Generates a course code from a course title
      * @todo Such a function might be useful in other places too. It might be moved in the CourseManager class.
      * @todo the function might be upgraded for avoiding code duplications (currently, it might suggest a code that is already in use)
-     * @param string A course title
+     * @param string $title A course title
-     * @param string The course title encoding (defaults to type defined globally)
      * @return string A proposed course code
+     * +
      * @assert (null,null) === false
      * @assert ('ABC_DEF', null) === 'ABCDEF'
      * @assert ('ABC09*^[%A', null) === 'ABC09A'
      */
-    public static function generate_course_code($course_title, $encoding = null)
+    public static function generate_course_code($title)
     {
-        if (empty($encoding)) {
+        return substr(
-            $encoding = api_get_system_encoding();
+            preg_replace('/[^A-Z0-9]/', '', strtoupper(api_replace_dangerous_char($title))),
-        }
+            0,
-        return substr(preg_replace('/[^A-Z0-9]/', '', strtoupper(api_transliterate($course_title, 'X', $encoding))), 0,
+            CourseManager::MAX_COURSE_LENGTH_CODE
-            CourseManager::MAX_COURSE_LENGTH_CODE);
+        );
     }
 
     /**

main/mySpace/user_add.php

@@ -231,7 +231,7 @@ if ($form->validate()) {
 			if (!is_dir(api_get_path(SYS_CODE_PATH).'upload/users/')) {
 				mkdir(api_get_path(SYS_CODE_PATH).'upload/users/', api_get_permissions_for_new_directories());
 			}
-			$picture_uri = uniqid('').'_'.replace_dangerous_char($picture['name']);
+			$picture_uri = uniqid('').'_'.api_replace_dangerous_char($picture['name']);
 			$picture_location = api_get_path(SYS_CODE_PATH).'upload/users/'.$picture_uri;
 			move_uploaded_file($picture['tmp_name'], $picture_location);
 		}