[svn r20496] remove_XSS in course description and info see FS#4169

skala
Carlos Vargas 16 years ago
parent 23c45150bd
commit 4616dd06b3
  1. 8
      main/course_description/index.php
  2. 14
      main/course_info/infocours.php

@ -1,4 +1,4 @@
<?php // $Id: index.php 20447 2009-05-10 10:07:04Z ivantcholakov $
<?php // $Id: index.php 20496 2009-05-11 21:05:32Z cvargas1 $
/* For licensing terms, see /dokeos_license.txt */
/**
==============================================================================
@ -209,11 +209,11 @@ if (api_is_allowed_to_edit() && !is_null($description_id) || $action =='add') {
$title = $description['title'];
if ($description['description_id'] >= ADD_BLOCK) {
if ($description['edit']=='1') {
$sql = "UPDATE $tbl_course_description SET title = '".Database::escape_string($title)."', content = '".Database::escape_string($content)."' WHERE id = '".$description_id."' ";
$sql = "UPDATE $tbl_course_description SET title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."' WHERE id = '".$description_id."' ";
api_sql_query($sql, __FILE__, __LINE__);
} else {
$result = api_sql_query($sql, __FILE__, __LINE__);
$sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string($title)."', content = '".Database::escape_string($content)."'";
$sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'";
api_sql_query($sql, __FILE__, __LINE__);
}
/*$sql = "SELECT id FROM $tbl_course_description WHERE id = ".ADD_BLOCK;
@ -230,7 +230,7 @@ if (api_is_allowed_to_edit() && !is_null($description_id) || $action =='add') {
}
$sql = "DELETE FROM $tbl_course_description WHERE id = '".$description_id."'";
api_sql_query($sql, __FILE__, __LINE__);
$sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string($title)."', content = '".Database::escape_string($content)."'";
$sql = "INSERT IGNORE INTO $tbl_course_description SET id = '".$description_id."', title = '".Database::escape_string(Security::remove_XSS($title))."', content = '".Database::escape_string(Security::remove_XSS($content))."'";
api_sql_query($sql, __FILE__, __LINE__);
}
Display :: display_confirmation_message(get_lang('CourseDescriptionUpdated'));
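Review bot: `$description_id` is still interpolated unescaped into every statement this hunk touches (`WHERE id = '".$description_id."'` on the UPDATE, `SET id = '".$description_id."'` on both INSERT IGNORE lines, and the DELETE in the following hunk), while only `$title` and `$content` gained `Security::remove_XSS`; if it originates in request input it should be normalised the same way as the other values, e.g. `$description_id = (int) $description_id;` before the first query, or wrapped in `Database::escape_string`. Filtering at write time also leaves rows already stored untouched, so escaping where the description is rendered remains the check that covers all data regardless of when it was saved. In the `else` branch, `$result = api_sql_query($sql, __FILE__, __LINE__);` runs before the INSERT IGNORE `$sql` is assigned, so it re-executes whatever `$sql` held previously; it looks like a leftover and should be removed. The enclosing `if` block starts above the hunk, and its condition shown in the hunk header, `api_is_allowed_to_edit() && !is_null($description_id) || $action =='add'`, groups under PHP precedence as `(... && ...) || $action == 'add'`, so an explicit `(api_is_allowed_to_edit() && (!is_null($description_id) || $action == 'add'))` is worth confirming against the intent.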

@ -1,4 +1,4 @@
<?php // $Id: infocours.php 20343 2009-05-05 20:31:47Z juliomontoya $
<?php // $Id: infocours.php 20496 2009-05-11 21:05:32Z cvargas1 $
/*
==============================================================================
@ -158,16 +158,16 @@ $form->applyFilter('tutor_name','html_filter');
$prof -> setSelected($s_selected_tutor);
$form->add_textfield('title', get_lang('Title'), true, array ('size' => '60'));
$form->applyFilter('title','html_filter');
//$form->applyFilter('title','html_filter');
$form->applyFilter('title','trim');
$form->addElement('select', 'category_code', get_lang('Fac'), $categories);
$form->add_textfield('department_name', get_lang('Department'), false, array ('size' => '60'));
$form->applyFilter('department_name','html_filter');
//$form->applyFilter('department_name','html_filter');
$form->applyFilter('department_name','trim');
$form->add_textfield('department_url', get_lang('DepartmentUrl'), false, array ('size' => '60'));
$form->applyFilter('department_url','html_filter');
//$form->applyFilter('department_url','html_filter');
$form->addRule('tutor_name', get_lang('ThisFieldIsRequired'), 'required');
$form->addElement('select_language', 'course_language', get_lang('Ln'));
@ -305,12 +305,12 @@ if ($form->validate() && is_settings_editable()) {
$update_values[$index] = Database::escape_string($value);
}
$table_course = Database :: get_main_table(TABLE_MAIN_COURSE);
$sql = "UPDATE $table_course SET title = '".$update_values['title']."',
$sql = "UPDATE $table_course SET title = '".Security::remove_XSS($update_values['title'])."',
visual_code = '".$update_values['visual_code']."',
course_language = '".$update_values['course_language']."',
category_code = '".$update_values['category_code']."',
department_name = '".$update_values['department_name']."',
department_url = '".$update_values['department_url']."',
department_name = '".Security::remove_XSS($update_values['department_name'])."',
department_url = '".Security::remove_XSS($update_values['department_url'])."',
visibility = '".$update_values['visibility']."',
subscribe = '".$update_values['subscribe']."',
unsubscribe = '".$update_values['unsubscribe']."',
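Review bot: `Security::remove_XSS` is applied after `Database::escape_string` here (`title` on the UPDATE line and `department_name`/`department_url` further down), because the loop just above the hunk has already done `$update_values[$index] = Database::escape_string($value);`; an HTML filter running on backslash-escaped text can alter the escaping, and the order is the reverse of what the sibling change in `main/course_description/index.php` does, where `remove_XSS` sits inside `escape_string`. Filtering first and escaping second in the loop, `$update_values[$index] = Database::escape_string(Security::remove_XSS($value));`, keeps the two files consistent and makes the three per-column wrappers unnecessary. `department_url` is presumably rendered as a link; an HTML filter does not validate a URL's scheme or shape, so a form-level rule (e.g. `filter_var($value, FILTER_VALIDATE_URL)`) would be the appropriate check for that field in addition to the filter. The previous hunk leaves the old `applyFilter(..., 'html_filter')` calls commented out rather than deleted; they should be removed so it is clear `remove_XSS` is now the sole filter for those fields. The enclosing `if ($form->validate() && is_settings_editable())` block starts above the hunk and the UPDATE statement continues past its last line.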
