[svn r20701] minor add remove_xss in docuement see FS#3909

skala
Carlos Vargas 16 years ago
parent 12137080c7
commit 36dc95b956
  1. 4
      main/document/document.php
  2. 8
      main/document/edit_document.php

@ -1,4 +1,4 @@
<?php // $Id: document.php 19839 2009-04-17 19:55:53Z cvargas1 $
<?php // $Id: document.php 20701 2009-05-15 16:54:36Z cvargas1 $
/*
==============================================================================
Dokeos - elearning and course management software
@ -499,7 +499,7 @@ if($is_allowed_to_edit || $group_member_with_upload_rights) // TEACHER ONLY
{
//needed for directory creation
include_once(api_get_path(LIBRARY_PATH) . 'fileUpload.lib.php');
$post_dir_name=$_POST['dirname'];
$post_dir_name=Security::remove_XSS($_POST['dirname']);
if ($post_dir_name=='../' || $post_dir_name=='.' || $post_dir_name=='..')
{

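Review bot: Wrapping `$_POST['dirname']` in `Security::remove_XSS` does not make the directory-name check on the next line any safer, because remove_XSS is an HTML-context filter and the guard still only compares against the three literals `'../'`, `'.'` and `'..'`, so any other value containing a separator or a `..` segment passes through to the directory-creation code that presumably follows (outside the hunk). A path-context check belongs here, for example `if ($post_dir_name == '' || $post_dir_name != basename($post_dir_name) || $post_dir_name == '.' || $post_dir_name == '..')`, which rejects every name that is not a single plain component. The index is also read without `isset`, so a request without `dirname` raises a notice before the check runs; `isset($_POST['dirname']) ? ... : ''` on the assignment would cover that. The enclosing `if ($is_allowed_to_edit || ...)` block starts before the hunk and continues past it.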
@ -1,4 +1,4 @@
<?php // $Id: edit_document.php 20606 2009-05-13 20:50:17Z cvargas1 $
<?php // $Id: edit_document.php 20701 2009-05-15 16:54:36Z cvargas1 $
/*
==============================================================================
Dokeos - elearning and course management software
@ -336,9 +336,9 @@ function change_name($baseWorkDir, $sourceFile, $renameTo, $dir, $doc)
if (isset($_POST['newComment']))
{
//to try to fix the path if it is wrong
$commentPath = str_replace("//", "/", Database::escape_string($_POST['commentPath']));
$newComment = trim(Database::escape_string($_POST['newComment'])); // remove spaces
$newTitle = trim(Database::escape_string($_POST['newTitle'])); // remove spaces
$commentPath = str_replace("//", "/", Database::escape_string(Security::remove_XSS($_POST['commentPath'])));
$newComment = trim(Database::escape_string(Security::remove_XSS($_POST['newComment']))); // remove spaces
$newTitle = trim(Database::escape_string(Security::remove_XSS($_POST['newTitle']))); // remove spaces
// Check if there is already a record for this file in the DB
$result = api_sql_query ("SELECT * FROM $dbTable WHERE path LIKE BINARY '".$commentPath."'",__FILE__,__LINE__);
while($row = Database::fetch_array($result, 'ASSOC'))

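Review bot: The query on the `api_sql_query` line still interpolates `$commentPath` into a `LIKE BINARY` clause, and neither `Security::remove_XSS` nor `Database::escape_string` touches the LIKE metacharacters `%` and `_`, so a stored path containing either of them matches more rows than the one file being edited; since no wildcard is intended, `WHERE path = BINARY '".$commentPath."'` (or `WHERE BINARY path = ...`) is the safer comparison. Note also that remove_XSS is applied at input time before the values are stored, so `$newComment` and `$newTitle` are persisted already HTML-filtered; a short comment such as `// values are HTML-filtered on input, not on output — keep this in mind when rendering them` would save the next reader from escaping them twice, assuming they are echoed elsewhere. Injection is mitigated only to the extent `Database::escape_string` escapes quotes for this driver, which the hunk does not show. The `if (isset($_POST['newComment']))` block continues past the hunk.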