From 388bdff34ffabe0bcb6b474fbbbeb05637fb0ff9 Mon Sep 17 00:00:00 2001
From: Francis Gonzales
Date: Mon, 7 Apr 2014 11:59:37 -0500
Subject: [PATCH] allow the new youtube src when copy from it and avoid xss security from google chrome when there is an iframe - refs BT#7930
---
 .../course_description_controller.php | 187 +++++++++---------
 .../HTMLPurifier/Filter/AllowIframes.php | 6 +-
 2 files changed, 99 insertions(+), 94 deletions(-)
diff --git a/main/course_description/course_description_controller.php b/main/course_description/course_description_controller.php
index a9089fbe64..20a7bfe2a5 100644
--- a/main/course_description/course_description_controller.php
+++ b/main/course_description/course_description_controller.php
@@ -38,13 +38,19 @@ class CourseDescriptionController { // extends Controller {
 $data = array();
 $course_description_data = $course_description->get_description_data();
-
 $data['descriptions'] = $course_description_data['descriptions'];
 $data['default_description_titles'] = $course_description->get_default_description_title();
 $data['default_description_title_editable'] = $course_description->get_default_description_title_editable();
 $data['default_description_icon'] = $course_description->get_default_description_icon();
 $data['messages'] = $messages;
-
+
+ $browser = api_get_navigator();
+
+ if (strpos($data['descriptions'], 'view->set_data($data);
 $this->view->set_layout('layout');
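Review bot: The new `if (strpos($data['descriptions'], …)` branch at the end of the hunk ties a security decision to a substring search plus `api_get_navigator()`, and according to the commit subject its purpose is to relax Chrome's XSS protection whenever a description contains an iframe; the body of that `if` is not legible in this copy of the hunk, so I cannot quote it, and the enclosing method starts before the hunk. Weakening a browser-side protection on a user-agent check affects every description rendered on the page, not only the whitelisted embed, and it sidesteps the real question of whether the stored HTML is safe; that belongs server-side, where the AllowIframes filter in the second file of this patch already whitelists the embed hosts, so I would drop this branch rather than tune it. If it stays, confirm that `$data['descriptions']` is a string before searching it — `get_description_data()` is not shown here, and `edit()` below fills `$data['descriptions']` from `get_data_by_id()` / `get_data_by_description_type()`, which look like they return arrays, in which case `strpos()` would not test what the condition intends — and make sure the result is compared with `!== false` so a match at offset 0 is not treated as no match.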
@@ -57,97 +63,96 @@ class CourseDescriptionController { // extends Controller { * render to listing or edit view * @param int description type */ - public function edit($id, $description_type) { - $course_description = new CourseDescription(); - $session_id = api_get_session_id(); - $course_description->set_session_id($session_id); - $data = array(); - $data['id'] = $id; - if (strtoupper($_SERVER['REQUEST_METHOD']) == "POST") { - if (!empty($_POST['title']) && !empty($_POST['contentDescription'])) { - - $check = Security::check_token(); - if ($check) { - $title = $_POST['title']; - if (api_get_setting('wcag_anysurfer_public_pages')=='true') { - $content = WCAG_Rendering::prepareXHTML(); - } else { - $content = $_POST['contentDescription']; - } - $description_type = $_POST['description_type']; - $id = $_POST['id']; - $progress = $_POST['progress']; - - $course_description->set_description_type($description_type); - $course_description->set_title($title); - $course_description->set_content($content); - - $course_description->set_progress($progress); - - $thematic_advance = $course_description->get_data_by_id($id); - - if (!empty($thematic_advance)) { - $course_description->set_id($id); - $affected_rows = $course_description->update(); - } else { - $affected_rows = $course_description->insert(); + public function edit($id, $description_type) + { + $course_description = new CourseDescription(); + $session_id = api_get_session_id(); + $course_description->set_session_id($session_id); + $data = array(); + $data['id'] = $id; + if (strtoupper($_SERVER['REQUEST_METHOD']) == "POST") { + if (!empty($_POST['title']) && !empty($_POST['contentDescription'])) { + + $check = Security::check_token(); + if ($check) { + $title = $_POST['title']; + if (api_get_setting('wcag_anysurfer_public_pages') == 'true') { + $content = WCAG_Rendering::prepareXHTML(); + } else { + $content = $_POST['contentDescription']; + } + $description_type = $_POST['description_type']; + $id = $_POST['id']; + 
$progress = $_POST['progress']; + $course_description->set_description_type($description_type); + $course_description->set_title($title); + $course_description->set_content($content); + + $course_description->set_progress($progress); + + $thematic_advance = $course_description->get_data_by_id($id); + + if (!empty($thematic_advance)) { + $course_description->set_id($id); + $affected_rows = $course_description->update(); + } else { + $affected_rows = $course_description->insert(); + } + Security::clear_token(); } - Security::clear_token(); - } - - if ($affected_rows) { - $message['edit'] = true; - } - $this->listing(false,$message); - - } else { - $data['error'] = 1; - $data['default_description_titles'] = $course_description->get_default_description_title(); - $data['default_description_title_editable'] = $course_description->get_default_description_title_editable(); - $data['default_description_icon'] = $course_description->get_default_description_icon(); - $data['question'] = $course_description->get_default_question(); - $data['information'] = $course_description->get_default_information(); - $data['description_title'] = $_POST['title']; - $data['description_content'] = $_POST['contentDescription']; - $data['description_type'] = $_POST['description_type']; - $data['progress'] = $_POST['progress']; - $data['descriptions'] = $course_description->get_data_by_id($_POST['id']); - // render to the view - $this->view->set_data($data); - $this->view->set_layout('layout'); - $this->view->set_template('edit'); - $this->view->render(); - } - } else { - - $data['default_description_titles'] = $course_description->get_default_description_title(); - $data['default_description_title_editable'] = $course_description->get_default_description_title_editable(); - $data['default_description_icon'] = $course_description->get_default_description_icon(); - $data['question'] = $course_description->get_default_question(); - $data['information'] = 
$course_description->get_default_information(); - - $data['description_type'] = $description_type; - - if (!empty($id)) { - if (isset($_GET['id_session'])) { - $session_id = intval($_GET['id_session']); - } - $course_description_data = $course_description->get_data_by_id($id, null, $session_id); - $data['description_type'] = $course_description_data['description_type']; - $data['description_title'] = $course_description_data['description_title']; - $data['description_content'] = $course_description_data['description_content']; - $data['progress'] = $course_description_data['progress']; - $data['descriptions'] = $course_description->get_data_by_description_type($description_type, null, $session_id); - } - // render to the view - $this->view->set_data($data); - $this->view->set_layout('layout'); - $this->view->set_template('edit'); - $this->view->render(); + + if ($affected_rows) { + $message['edit'] = true; + } + $this->listing(false, $message); + } else { + $data['error'] = 1; + $data['default_description_titles'] = $course_description->get_default_description_title(); + $data['default_description_title_editable'] = $course_description->get_default_description_title_editable(); + $data['default_description_icon'] = $course_description->get_default_description_icon(); + $data['question'] = $course_description->get_default_question(); + $data['information'] = $course_description->get_default_information(); + $data['description_title'] = $_POST['title']; + $data['description_content'] = $_POST['contentDescription']; + $data['description_type'] = $_POST['description_type']; + $data['progress'] = $_POST['progress']; + $data['descriptions'] = $course_description->get_data_by_id($_POST['id']); + // render to the view + $this->view->set_data($data); + $this->view->set_layout('layout'); + $this->view->set_template('edit'); + $this->view->render(); + } + } else { + + $data['default_description_titles'] = $course_description->get_default_description_title(); + 
$data['default_description_title_editable'] = $course_description->get_default_description_title_editable(); + $data['default_description_icon'] = $course_description->get_default_description_icon(); + $data['question'] = $course_description->get_default_question(); + $data['information'] = $course_description->get_default_information(); + + $data['description_type'] = $description_type; + + if (!empty($id)) { + if (isset($_GET['id_session'])) { + $session_id = intval($_GET['id_session']); + } + $course_description_data = $course_description->get_data_by_id($id, null, $session_id); + $data['description_type'] = $course_description_data['description_type']; + $data['description_title'] = $course_description_data['description_title']; + $data['description_content'] = $course_description_data['description_content']; + $data['progress'] = $course_description_data['progress']; + $data['descriptions'] = $course_description->get_data_by_description_type($description_type, null, $session_id); + } + // render to the view + $this->view->set_data($data); + $this->view->set_layout('layout'); + $this->view->set_template('edit'); + $this->view->render(); + } } - } - - /** + + /** * It's used for adding a course description, * render to listing or add view */ diff --git a/main/inc/lib/htmlpurifier/library/HTMLPurifier/Filter/AllowIframes.php b/main/inc/lib/htmlpurifier/library/HTMLPurifier/Filter/AllowIframes.php index b0276abb5d..1b081fb505 100644 --- a/main/inc/lib/htmlpurifier/library/HTMLPurifier/Filter/AllowIframes.php +++ b/main/inc/lib/htmlpurifier/library/HTMLPurifier/Filter/AllowIframes.php 
@@ -46,14 +46,14 @@ class HTMLPurifier_Filter_AllowIframes extends HTMLPurifier_Filter
 protected function postFilterCallback($matches) {
 // Domain Whitelist
-
+ $youTubeNewMatch = preg_match('#src="//www.youtube(-nocookie)?.com/#i', $matches[1]);
 $youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]);
 $vimeoMatch = preg_match('#src="http://player.vimeo.com/#i', $matches[1]);
 $googleMapsMatch = preg_match('#src="https://maps.google.com/#i', $matches[1]);
- if ($youTubeMatch || $vimeoMatch || $googleMapsMatch) {
+ if ($youTubeMatch || $vimeoMatch || $googleMapsMatch || $youTubeNewMatch) {
 $extra = ' frameborder="0"';
- if ($youTubeMatch) {
+ if ($youTubeMatch || $youTubeNewMatch) {
 $extra .= ' allowfullscreen';
 } elseif ($vimeoMatch) {
 $extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen';