Security issue - Adding security::remove_XSS and intval functions

skala
Julio Montoya 16 years ago
parent a6e545c479
commit 4851a7529e
  1. 2
      main/gradebook/exercise_jump.php
  2. 20
      main/gradebook/gradebook.php
  3. 7
      main/gradebook/gradebook_add_cat.php
  4. 8
      main/gradebook/gradebook_add_eval.php
  5. 16
      main/gradebook/gradebook_add_link.php
  6. 2
      main/gradebook/gradebook_add_link_select_course.php
  7. 29
      main/gradebook/gradebook_add_result.php
  8. 5
      main/gradebook/gradebook_add_user.php
  9. 2
      main/gradebook/gradebook_display_certificate.php
  10. 18
      main/gradebook/gradebook_edit_all.php
  11. 4
      main/gradebook/gradebook_edit_cat.php
  12. 24
      main/gradebook/gradebook_showlog_link.php
  13. 8
      main/gradebook/lib/fe/displaygradebook.php
  14. 2
      main/gradebook/lib/fe/gradebooktable.class.php
  15. 2
      main/gradebook/lib/gradebook_data_generator.class.php
  16. 2
      main/gradebook/user_info.php

@ -31,7 +31,7 @@ if (isset($_GET['doexercise'])) {
exit; exit;
} else { } else {
if (isset($_GET['gradebook'])) { if (isset($_GET['gradebook'])) {
$add_url = '&gradebook=view&exerciseId='.Security::remove_XSS((int)$_GET['exerciseId']); $add_url = '&gradebook=view&exerciseId='.intval($_GET['exerciseId']);
} }
header('Location: ../exercice/exercice.php?cidReq='.Security::remove_XSS($cidReq).'&show=result'.$add_url); header('Location: ../exercice/exercice.php?cidReq='.Security::remove_XSS($cidReq).'&show=result'.$add_url);
exit; exit;

@ -177,7 +177,7 @@ if (isset ($_GET['visiblecat'])) {
} else { } else {
$visibility_command= 0; $visibility_command= 0;
} }
$cats= Category :: load(Security::remove_XSS($_GET['visiblecat'])); $cats= Category :: load($_GET['visiblecat']);
$cats[0]->set_visible($visibility_command); $cats[0]->set_visible($visibility_command);
$cats[0]->save(); $cats[0]->save();
$cats[0]->apply_visibility_to_children(); $cats[0]->apply_visibility_to_children();
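Review bot: The new side hands the raw `$_GET['visiblecat']` to `Category::load`, dropping the wrapper the old line had, and the same happens with `$_GET['deletecat']`, `$_GET['visibleeval']`, `$_GET['deleteeval']`, `$_GET['visiblelink']`, `$_GET['deletelink']` and `$_GET['cat_id']` in the later hunks of this file. `Security::remove_XSS` is an output filter rather than a SQL escaper, so removing it is defensible only if the `load()` implementations escape their argument themselves, which is not visible here and should be confirmed; since these are ids, the boundary check this commit already uses for exerciseId would settle the question, e.g. `$cats = Category::load(intval($_GET['visiblecat']));`. The deletelink hunk is inconsistent on exactly this point: the UPDATE statement uses `intval($_GET['deletelink'])` while the `LinkFactory::load` call two lines above it receives the unfiltered value. The enclosing `if (isset($_GET[...]))` blocks start and end outside these hunks.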
@ -192,7 +192,7 @@ if (isset ($_GET['visiblecat'])) {
} }
if (isset ($_GET['deletecat'])) { if (isset ($_GET['deletecat'])) {
block_students(); block_students();
$cats= Category :: load(Security::remove_XSS($_GET['deletecat'])); $cats= Category :: load($_GET['deletecat']);
//delete all categories,subcategories and results //delete all categories,subcategories and results
if ($cats[0] != null) { if ($cats[0] != null) {
if ($cats[0]->get_id() != 0) { if ($cats[0]->get_id() != 0) {
@ -212,7 +212,7 @@ if (isset ($_GET['visibleeval'])) {
$visibility_command= 0; $visibility_command= 0;
} }
$eval= Evaluation :: load(Security::remove_XSS($_GET['visibleeval'])); $eval= Evaluation :: load($_GET['visibleeval']);
$eval[0]->set_visible($visibility_command); $eval[0]->set_visible($visibility_command);
$eval[0]->save(); $eval[0]->save();
unset ($eval); unset ($eval);
@ -226,7 +226,7 @@ if (isset ($_GET['visibleeval'])) {
} }
if (isset ($_GET['deleteeval'])) { if (isset ($_GET['deleteeval'])) {
block_students(); block_students();
$eval= Evaluation :: load(Security::remove_XSS($_GET['deleteeval'])); $eval= Evaluation :: load($_GET['deleteeval']);
if ($eval[0] != null) { if ($eval[0] != null) {
$eval[0]->delete_with_results(); $eval[0]->delete_with_results();
} }
@ -241,7 +241,7 @@ if (isset ($_GET['visiblelink'])) {
}else { }else {
$visibility_command= 0; $visibility_command= 0;
} }
$link= LinkFactory :: load(Security::remove_XSS($_GET['visiblelink'])); $link= LinkFactory :: load($_GET['visiblelink']);
$link[0]->set_visible($visibility_command); $link[0]->set_visible($visibility_command);
$link[0]->save(); $link[0]->save();
unset ($link); unset ($link);
@ -257,9 +257,9 @@ if (isset ($_GET['deletelink'])) {
block_students(); block_students();
//fixing #5229 //fixing #5229
if (!empty($_GET['deletelink'])) { if (!empty($_GET['deletelink'])) {
$link= LinkFactory :: load(Security::remove_XSS($_GET['deletelink'])); $link= LinkFactory :: load($_GET['deletelink']);
if ($link[0] != null) { if ($link[0] != null) {
$sql='UPDATE '.$tbl_forum_thread.' SET thread_qualify_max=0,thread_weight=0,thread_title_qualify="" WHERE thread_id=(SELECT ref_id FROM '.$tbl_grade_links.' where id='.Security::remove_XSS($_GET['deletelink']).');'; $sql='UPDATE '.$tbl_forum_thread.' SET thread_qualify_max=0,thread_weight=0,thread_title_qualify="" WHERE thread_id=(SELECT ref_id FROM '.$tbl_grade_links.' where id='.intval($_GET['deletelink']).');';
Database::query($sql); Database::query($sql);
$link[0]->delete(); $link[0]->delete();
} }
@ -412,9 +412,9 @@ if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
} else { } else {
if ($_SESSION['gradebook_dest'] == 'index.php') { if ($_SESSION['gradebook_dest'] == 'index.php') {
$gradebook_dest = $_SESSION['gradebook_dest'].'?cidReq='.Security::remove_XSS($_GET['course']).'&'; $gradebook_dest = Security::remove_XSS($_SESSION['gradebook_dest']).'?cidReq='.Security::remove_XSS($_GET['course']).'&';
} else { } else {
$gradebook_dest = $_SESSION['gradebook_dest']; $gradebook_dest = Security::remove_XSS($_SESSION['gradebook_dest']);
} }
$interbreadcrumb[]= array ( $interbreadcrumb[]= array (
@ -552,7 +552,7 @@ if (!empty($keyword)) {
if (!api_is_allowed_to_edit(true,true)) { if (!api_is_allowed_to_edit(true,true)) {
$user_id = api_get_user_id(); $user_id = api_get_user_id();
} }
$category = Category :: load (Security::remove_XSS($_GET['cat_id'])); $category = Category :: load ($_GET['cat_id']);
if ($category[0]->is_certificate_available($user_id)) { if ($category[0]->is_certificate_available($user_id)) {
$user= get_user_info_from_id($user_id); $user= get_user_info_from_id($user_id);
$scoredisplay = ScoreDisplay :: instance(); $scoredisplay = ScoreDisplay :: instance();

@ -52,15 +52,12 @@ if ($form->validate()) {
} }
$cat->set_visible($visible); $cat->set_visible($visible);
$cat->add(); $cat->add();
header('Location: '.$_SESSION['gradebook_dest'].'?addcat=&selectcat=' . $cat->get_parent_id()); header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?addcat=&selectcat=' . $cat->get_parent_id());
exit; exit;
} }
if ( !$_in_course ) { if ( !$_in_course ) {
$interbreadcrumb[] = array ( $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.$get_select_cat,'name' => get_lang('Gradebook'));
'url' => $_SESSION['gradebook_dest'].'?selectcat='.$get_select_cat,
'name' => get_lang('Gradebook')
);
} }
Display :: display_header(get_lang('NewCategory')); Display :: display_header(get_lang('NewCategory'));
$form->display(); $form->display();
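Review bot: Wrapping `$_SESSION['gradebook_dest']` in `Security::remove_XSS` inside the `header('Location: ...')` call on the new side does not address what matters for a redirect target, which is that the value is one of the pages the application itself chose (elsewhere in this commit it is compared against `'index.php'` and an `index` prefix), not that it is free of HTML. If `gradebook_dest` is only ever written to the session from a fixed set of page names — the assignment is not in view — the wrapper is merely misleading; otherwise the check that belongs at the redirect is an allow-list, e.g. `$dest = in_array($_SESSION['gradebook_dest'], array('index.php', 'gradebook.php'), true) ? $_SESSION['gradebook_dest'] : 'gradebook.php';` followed by `header('Location: '.$dest.'?addcat=&selectcat=' . $cat->get_parent_id());`. The same pattern appears in the Location headers of the gradebook_add_eval.php, gradebook_add_link.php and gradebook_edit_cat.php hunks. The `if ($form->validate())` block these lines belong to starts outside the hunk.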

@ -13,7 +13,7 @@ $is_allowedToEdit = $is_courseAdmin;
$evaladd = new Evaluation(); $evaladd = new Evaluation();
$evaladd->set_user_id($_user['user_id']); $evaladd->set_user_id($_user['user_id']);
if (isset ($_GET['selectcat']) && (!empty ($_GET['selectcat']))) { if (isset ($_GET['selectcat']) && (!empty ($_GET['selectcat']))) {
$evaladd->set_category_id(Database::escape_string($_GET['selectcat'])); $evaladd->set_category_id($_GET['selectcat']);
$cat = Category :: load($_GET['selectcat']); $cat = Category :: load($_GET['selectcat']);
$evaladd->set_course_code($cat[0]->get_course_code()); $evaladd->set_course_code($cat[0]->get_course_code());
} else { } else {
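Review bot: The new side drops `Database::escape_string` around `$_GET['selectcat']` in `$evaladd->set_category_id(...)` without replacing it, while the unchanged line below still passes the same raw value to `Category::load`. Whether `set_category_id` or the later `add()` escapes internally is not visible in this hunk and needs confirming; because a category id is numeric, `$evaladd->set_category_id(intval($_GET['selectcat']));` together with `$cat = Category::load(intval($_GET['selectcat']));` would make the outcome independent of what the setter does. The surrounding if/else continues past the end of the hunk.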
@ -46,7 +46,7 @@ if ($form->validate()) {
header('Location: gradebook_add_user.php?selecteval=' . $eval->get_id()); header('Location: gradebook_add_user.php?selecteval=' . $eval->get_id());
exit; exit;
} else { } else {
header('Location: '.$_SESSION['gradebook_dest'].'?selectcat=' . $eval->get_category_id()); header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=' . $eval->get_category_id());
exit; exit;
} }
} else { } else {
@ -55,14 +55,14 @@ if ($form->validate()) {
header('Location: gradebook_add_result.php?selecteval=' . $eval->get_id()); header('Location: gradebook_add_result.php?selecteval=' . $eval->get_id());
exit; exit;
} else { } else {
header('Location: '.$_SESSION['gradebook_dest'].'?selectcat=' . $eval->get_category_id()); header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=' . $eval->get_category_id());
exit; exit;
} }
} }
} }
$interbreadcrumb[] = array ( $interbreadcrumb[] = array (
'url' => $_SESSION['gradebook_dest'].'?selectcat='.$select_cat, 'url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.$select_cat,
'name' => get_lang('Gradebook' 'name' => get_lang('Gradebook'
)); ));
Display :: display_header(get_lang('NewEvaluation')); Display :: display_header(get_lang('NewEvaluation'));

@ -43,14 +43,14 @@ if (isset($_GET['typeselected']) && $_GET['typeselected'] != '0') {
intval($_GET['typeselected']), intval($_GET['typeselected']),
null, null,
'add_link', 'add_link',
api_get_self() . '?selectcat=' . $_GET['selectcat'] api_get_self() . '?selectcat=' . Security::remove_XSS($_GET['selectcat'])
. '&typeselected=' . $_GET['typeselected'] . '&course_code=' . $_GET['course_code']); . '&typeselected=' . Security::remove_XSS($_GET['typeselected']) . '&course_code=' . Security::remove_XSS($_GET['course_code']));
if ($addform->validate()) { if ($addform->validate()) {
$addvalues = $addform->exportValues(); $addvalues = $addform->exportValues();
$link= LinkFactory :: create($_GET['typeselected']); $link= LinkFactory :: create($_GET['typeselected']);
$link->set_user_id(api_get_user_id()); $link->set_user_id(api_get_user_id());
if($category[0]->get_course_code() == '' && !empty($_GET['course_code'])) { if($category[0]->get_course_code() == '' && !empty($_GET['course_code'])) {
$link->set_course_code(Database::escape_string($_GET['course_code'])); $link->set_course_code($_GET['course_code']);
} else { } else {
$link->set_course_code($category[0]->get_course_code()); $link->set_course_code($category[0]->get_course_code());
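Review bot: The new side removes `Database::escape_string` from `$link->set_course_code($_GET['course_code'])`, and unlike the numeric ids elsewhere in this commit a course code cannot be fixed with a cast, so the escaping now has to happen inside `set_course_code` or when the link is saved — neither is visible here and it should be confirmed before this is merged. Two unchanged lines on the new side of this file deserve the same look: `LinkFactory::create($_GET['typeselected'])` uses the raw parameter although an `intval($_GET['typeselected'])` value is already computed a few lines up, and the third hunk builds `$sql1` by concatenating `$addvalues['select_link']` into `thread_id=`, where `intval($addvalues['select_link'])` would suffice assuming thread_id is numeric. The `if ($addform->validate())` block opens inside this hunk and closes outside it.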
@ -78,7 +78,6 @@ if (isset($_GET['typeselected']) && $_GET['typeselected'] != '0') {
$work_table = Database :: get_course_table(TABLE_STUDENT_PUBLICATION); $work_table = Database :: get_course_table(TABLE_STUDENT_PUBLICATION);
if ( isset($_GET['typeselected']) && 5==$_GET['typeselected'] && (isset($addvalues['select_link']) && $addvalues['select_link']<>"")) { if ( isset($_GET['typeselected']) && 5==$_GET['typeselected'] && (isset($addvalues['select_link']) && $addvalues['select_link']<>"")) {
$sql1='SELECT thread_title from '.$tbl_forum_thread.' where thread_id='.$addvalues['select_link'].';'; $sql1='SELECT thread_title from '.$tbl_forum_thread.' where thread_id='.$addvalues['select_link'].';';
$res1=Database::query($sql1); $res1=Database::query($sql1);
$rowtit=Database::fetch_row($res1); $rowtit=Database::fetch_row($res1);
@ -101,19 +100,14 @@ if (isset($_GET['typeselected']) && $_GET['typeselected'] != '0') {
header('Location: gradebook_add_result.php?selecteval=' . $link->get_ref_id()); header('Location: gradebook_add_result.php?selecteval=' . $link->get_ref_id());
exit; exit;
} else { } else {
header('Location: '.$_SESSION['gradebook_dest'].'?linkadded=&selectcat=' . $_GET['selectcat']); header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?linkadded=&selectcat=' . Security::remove_XSS($_GET['selectcat']));
exit; exit;
} }
} }
} }
$interbreadcrumb[]= array ('url' => $_SESSION['gradebook_dest'].'?selectcat=' .Security::remove_XSS($_GET['selectcat']),'name' => get_lang('Gradebook'));
$interbreadcrumb[]= array (
'url' => $_SESSION['gradebook_dest'].'?selectcat=' . $_GET['selectcat'],
'name' => get_lang('Gradebook'
));
Display :: display_header(get_lang('MakeLink')); Display :: display_header(get_lang('MakeLink'));
if (isset ($typeform)) { if (isset ($typeform)) {

@ -27,7 +27,7 @@ if ($form->validate()) {
} }
$interbreadcrumb[] = array ( $interbreadcrumb[] = array (
'url' => $_SESSION['gradebook_dest'].'?selectcat='.Security::remove_XSS($_GET['selectcat']), 'url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.Security::remove_XSS($_GET['selectcat']),
'name' => get_lang('Gradebook' 'name' => get_lang('Gradebook'
)); ));
Display :: display_header(get_lang('NewCategory')); Display :: display_header(get_lang('NewCategory'));

@ -1,27 +1,5 @@
<?php // $Id: $ <?php // $Id: $
/* /* For licensing terms, see /license.txt */
==============================================================================
Dokeos - elearning and course management software
Copyright (c) 2008 Dokeos Latinoamerica SAC
Copyright (c) 2006 Dokeos SPRL
Copyright (c) 2006 Ghent University (UGent)
Copyright (c) various contributors
For a full list of contributors, see "credits.txt".
The full license can be read in "license.txt".
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
See the GNU General Public License for more details.
Contact address: Dokeos, rue du Corbeau, 108, B-1030 Brussels, Belgium
Mail: info@dokeos.com
==============================================================================
*/
$language_file = 'gradebook'; $language_file = 'gradebook';
//$cidReset = true; //$cidReset = true;
require_once ('../inc/global.inc.php'); require_once ('../inc/global.inc.php');
@ -57,10 +35,7 @@ if ($add_result_form->validate()) {
header('Location: gradebook_view_result.php?addresult=&selecteval=' . Security::remove_XSS($_GET['selecteval'])); header('Location: gradebook_view_result.php?addresult=&selecteval=' . Security::remove_XSS($_GET['selecteval']));
exit; exit;
} }
$interbreadcrumb[] = array ( $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']),'name' => get_lang('Gradebook'));
'url' => $_SESSION['gradebook_dest'],
'name' => get_lang('Gradebook'
));
Display :: display_header(get_lang('AddResult')); Display :: display_header(get_lang('AddResult'));
DisplayGradebook :: display_header_result ($evaluation[0], null, 0,0); DisplayGradebook :: display_header_result ($evaluation[0], null, 0,0);
echo '<div class="main">'; echo '<div class="main">';

@ -58,10 +58,7 @@ if ( isset($_POST['submit_button']) ) {
} }
} }
$interbreadcrumb[]= array ( $interbreadcrumb[]= array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']),'name' => get_lang('Gradebook'));
'url' => $_SESSION['gradebook_dest'],
'name' => get_lang('Gradebook'
));
$interbreadcrumb[]= array ( $interbreadcrumb[]= array (
'url' => 'gradebook_view_result.php?selecteval=' .Security::remove_XSS($_GET['selecteval']), 'url' => 'gradebook_view_result.php?selecteval=' .Security::remove_XSS($_GET['selecteval']),
'name' => get_lang('ViewResult' 'name' => get_lang('ViewResult'

@ -24,7 +24,7 @@ if (!api_is_allowed_to_edit()) {
api_not_allowed(true); api_not_allowed(true);
} }
$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?', 'name' => get_lang('Gradebook')); $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?', 'name' => get_lang('Gradebook'));
$interbreadcrumb[] = array ('url' => $_SESSION['gradebook_dest'].'?selectcat='.Security::remove_XSS($_GET['cat_id']),'name' => get_lang('Details')); $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.Security::remove_XSS($_GET['cat_id']),'name' => get_lang('Details'));
$interbreadcrumb[] = array ('url' => 'gradebook_display_certificate.php?cat_id='.Security::remove_XSS($_GET['cat_id']),'name' => get_lang('GradebookListOfStudentsCertificates')); $interbreadcrumb[] = array ('url' => 'gradebook_display_certificate.php?cat_id='.Security::remove_XSS($_GET['cat_id']),'name' => get_lang('GradebookListOfStudentsCertificates'));
Display::display_header(''); Display::display_header('');

@ -33,24 +33,14 @@ if (empty($my_selectcat)) {
if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) { if (!isset($_GET['exportpdf']) and !isset($_GET['export_certificate'])) {
if (isset ($_GET['studentoverview'])) { if (isset ($_GET['studentoverview'])) {
$interbreadcrumb[]= array ( $interbreadcrumb[]= array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=' . Security::remove_XSS($_GET['selectcat']),'name' => get_lang('Gradebook'));
'url' => $_SESSION['gradebook_dest'].'?selectcat=' . Security::remove_XSS($_GET['selectcat']),
'name' => get_lang('Gradebook')
);
Display :: display_header(get_lang('FlatView')); Display :: display_header(get_lang('FlatView'));
} elseif (isset ($_GET['search'])) { } elseif (isset ($_GET['search'])) {
$interbreadcrumb[]= array ( $interbreadcrumb[]= array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=' . Security::remove_XSS($_GET['selectcat']),'name' => get_lang('Gradebook'));
'url' => $_SESSION['gradebook_dest'].'?selectcat=' . Security::remove_XSS($_GET['selectcat']),
'name' => get_lang('Gradebook')
);
Display :: display_header(get_lang('SearchResults')); Display :: display_header(get_lang('SearchResults'));
} else { } else {
$interbreadcrumb[] = array ('url' => $_SESSION['gradebook_dest'].'?selectcat=1', 'name' => get_lang('Gradebook')); $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=1', 'name' => get_lang('Gradebook'));
$interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?&selectcat='.Security::remove_XSS($_GET['selectcat']),'name' => get_lang('EditAllWeights'));
$interbreadcrumb[]= array (
'url' => $_SESSION['gradebook_dest'].'?&selectcat='.Security::remove_XSS($_GET['selectcat']),
'name' => get_lang('EditAllWeights'));
Display :: display_header(''); Display :: display_header('');

@ -33,12 +33,12 @@ if ($form->validate()) {
} }
$cat->set_visible($visible); $cat->set_visible($visible);
$cat->save(); $cat->save();
header('Location: '.$_SESSION['gradebook_dest'].'?editcat=&selectcat=' . $cat->get_parent_id()); header('Location: '.Security::remove_XSS($_SESSION['gradebook_dest']).'?editcat=&selectcat=' . $cat->get_parent_id());
exit; exit;
} }
$selectcat = isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : ''; $selectcat = isset($_GET['selectcat']) ? Security::remove_XSS($_GET['selectcat']) : '';
$interbreadcrumb[] = array ( $interbreadcrumb[] = array (
'url' => $_SESSION['gradebook_dest'].'?selectcat='.$selectcat, 'url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.$selectcat,
'name' => get_lang('Gradebook' 'name' => get_lang('Gradebook'
)); ));
Display :: display_header(get_lang('EditCategory')); Display :: display_header(get_lang('EditCategory'));

@ -2,26 +2,18 @@
/* For licensing terms, see /license.txt */ /* For licensing terms, see /license.txt */
$language_file = 'gradebook'; $language_file = 'gradebook';
//$cidReset = true; //$cidReset = true;
require_once ('../inc/global.inc.php'); require_once '../inc/global.inc.php';
require_once ('lib/be.inc.php'); require_once 'lib/be.inc.php';
require_once ('lib/gradebook_functions.inc.php'); require_once 'lib/gradebook_functions.inc.php';
require_once ('lib/fe/evalform.class.php'); require_once 'lib/fe/evalform.class.php';
api_block_anonymous_users(); api_block_anonymous_users();
block_students(); block_students();
$interbreadcrumb[] = array ( $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?','name' => get_lang('Gradebook'));
'url' => $_SESSION['gradebook_dest'].'?', $interbreadcrumb[] = array ('url' => Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat='.Security::remove_XSS($_GET['selectcat']),'name' => get_lang('Details'));
'name' => get_lang('Gradebook' $interbreadcrumb[] = array ('url' => 'gradebook_showlog_link.php?visiblelink='.Security::remove_XSS($_GET['visiblelink']).'&amp;selectcat='.Security::remove_XSS($_GET['selectcat']), 'name' => get_lang('GradebookQualifyLog'));
));
$interbreadcrumb[] = array (
'url' => $_SESSION['gradebook_dest'].'?selectcat='.Security::remove_XSS($_GET['selectcat']),
'name' => get_lang('Details'
));
$interbreadcrumb[] = array (
'url' => 'gradebook_showlog_link.php?visiblelink='.Security::remove_XSS($_GET['visiblelink']).'&amp;selectcat='.Security::remove_XSS($_GET['selectcat']),
'name' => get_lang('GradebookQualifyLog')
);
Display :: display_header(''); Display :: display_header('');
echo '<div class="clear"></div>'; echo '<div class="clear"></div>';
echo '<div class="actions">'; echo '<div class="actions">';

@ -13,7 +13,7 @@ class DisplayGradebook
$status=CourseManager::get_user_in_course_status(api_get_user_id(), api_get_course_id()); $status=CourseManager::get_user_in_course_status(api_get_user_id(), api_get_course_id());
if ($shownavbar == '1' && $status==1) { if ($shownavbar == '1' && $status==1) {
$header = '<div class="actions">'; $header = '<div class="actions">';
$header .= '<a href="'.$_SESSION['gradebook_dest'].'?selectcat=' . $selectcat . '">'. Display::return_icon(('back.png'),get_lang('FolderView')) . get_lang('FolderView') . '</a>'; $header .= '<a href="'.Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=' . $selectcat . '">'. Display::return_icon(('back.png'),get_lang('FolderView')) . get_lang('FolderView') . '</a>';
if ($evalobj->get_course_code() == null) { if ($evalobj->get_course_code() == null) {
$header .= '<a href="gradebook_add_user.php?selecteval=' . $evalobj->get_id() . '"><img src="../img/add_user_big.gif" alt="' . get_lang('AddStudent') . '" align="absmiddle" /> ' . get_lang('AddStudent') . '</a>'; $header .= '<a href="gradebook_add_user.php?selecteval=' . $evalobj->get_id() . '"><img src="../img/add_user_big.gif" alt="' . get_lang('AddStudent') . '" align="absmiddle" /> ' . get_lang('AddStudent') . '</a>';
} }
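Review bot: On the new side the `<a href="...">` appended to `$header` is built from `Security::remove_XSS($_SESSION['gradebook_dest'])` and an unescaped `$selectcat`, but the value lands in an HTML attribute, and what protects that context is attribute escaping rather than a tag filter — unless `remove_XSS` is known to also neutralise quotes, which its implementation (not in view) would have to show. The attribute-safe form is `$header .= '<a href="'.htmlspecialchars($_SESSION['gradebook_dest'].'?selectcat='.$selectcat, ENT_QUOTES).'">'. Display::return_icon(('back.png'),get_lang('FolderView')) . get_lang('FolderView') . '</a>';`. `$selectcat` is a parameter of the enclosing method, whose signature lies outside the hunk, so its origin cannot be checked here; the same href construction recurs in the next two hunks of this file.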
@ -71,7 +71,7 @@ class DisplayGradebook
*/ */
function display_header_flatview($catobj, $showeval, $showlink,$simple_search_form) { function display_header_flatview($catobj, $showeval, $showlink,$simple_search_form) {
$header= '<table border="0" cellpadding="5">'; $header= '<table border="0" cellpadding="5">';
$header .= '<td style="vertical-align: top;"><a href="'.$_SESSION['gradebook_dest'].'?selectcat=' . Security::remove_XSS($_GET['selectcat']) . '">' . Display::return_icon('gradebook.gif') . get_lang('Gradebook') . '</a></td>'; $header .= '<td style="vertical-align: top;"><a href="'.Security::remove_XSS($_SESSION['gradebook_dest']).'?selectcat=' . Security::remove_XSS($_GET['selectcat']) . '">' . Display::return_icon('gradebook.gif') . get_lang('Gradebook') . '</a></td>';
$header .= '<td style="vertical-align: top;">' . get_lang('FilterCategory') . '</td><td style="vertical-align: top;"><form name="selector"><select name="selectcat" onchange="document.selector.submit()">'; $header .= '<td style="vertical-align: top;">' . get_lang('FilterCategory') . '</td><td style="vertical-align: top;"><form name="selector"><select name="selectcat" onchange="document.selector.submit()">';
$cats= Category :: load(); $cats= Category :: load();
$tree= $cats[0]->get_tree(); $tree= $cats[0]->get_tree();
@ -113,7 +113,7 @@ class DisplayGradebook
*/ */
function display_header_reduce_flatview($catobj, $showeval, $showlink,$simple_search_form) { function display_header_reduce_flatview($catobj, $showeval, $showlink,$simple_search_form) {
$header = '<div class="actions">'; $header = '<div class="actions">';
$header .= '<a href="'.$_SESSION['gradebook_dest'].'?'.api_get_cidreq().'">'. Display::return_icon('back.png',get_lang('FolderView')) . get_lang('FolderView') . '</a>'; $header .= '<a href="'.Security::remove_XSS($_SESSION['gradebook_dest']).'?'.api_get_cidreq().'">'. Display::return_icon('back.png',get_lang('FolderView')) . get_lang('FolderView') . '</a>';
// $header .= '<td style="vertical-align: top;"><a href="' . api_get_self() . '?exportpdf=&offset='.Security::remove_XSS($_GET['offset']).'&search=' . Security::remove_XSS($_GET['search']).'&selectcat=' . $catobj->get_id() . '"><img src=../img/file_pdf.gif alt=' . get_lang('ExportPDF') . '/> ' . get_lang('ExportPDF') . '</a>'; // $header .= '<td style="vertical-align: top;"><a href="' . api_get_self() . '?exportpdf=&offset='.Security::remove_XSS($_GET['offset']).'&search=' . Security::remove_XSS($_GET['search']).'&selectcat=' . $catobj->get_id() . '"><img src=../img/file_pdf.gif alt=' . get_lang('ExportPDF') . '/> ' . get_lang('ExportPDF') . '</a>';
// this MUST be a GET variable not a POST // this MUST be a GET variable not a POST
@ -298,7 +298,7 @@ class DisplayGradebook
if ($message_resource===false ) { if ($message_resource===false ) {
$myname=$catobj->shows_all_information_an_category($catobj->get_id()); $myname=$catobj->shows_all_information_an_category($catobj->get_id());
$header .= '<td><a href="gradebook_edit_all.php?id_session='.$_SESSION['id_session'].'&amp;'.$my_api_cidreq.'&selectcat=' . $catobj->get_id() . '">'.Display::return_icon('statistics.gif', get_lang('EditAllWeights')).' ' . get_lang('EditAllWeights') . '</a>'; $header .= '<td><a href="gradebook_edit_all.php?id_session='.intval($_SESSION['id_session']).'&amp;'.$my_api_cidreq.'&selectcat=' . $catobj->get_id() . '">'.Display::return_icon('statistics.gif', get_lang('EditAllWeights')).' ' . get_lang('EditAllWeights') . '</a>';
$my_course_id=api_get_course_id(); $my_course_id=api_get_course_id();
$my_file= substr($_SESSION['gradebook_dest'],0,5); $my_file= substr($_SESSION['gradebook_dest'],0,5);
if (($my_file!='index' || $status_user==1) || api_is_platform_admin()) { if (($my_file!='index' || $status_user==1) || api_is_platform_admin()) {

@ -345,7 +345,7 @@ private function build_id_column ($item) {
$cat=new Category(); $cat=new Category();
$show_message=$cat->show_message_resource_delete($item->get_course_code()); $show_message=$cat->show_message_resource_delete($item->get_course_code());
return '&nbsp;<a href="'.$_SESSION['gradebook_dest'].$prms_uri.'">' return '&nbsp;<a href="'.Security::remove_XSS($_SESSION['gradebook_dest']).$prms_uri.'">'
. $item->get_name() . $item->get_name()
. '</a>' . '</a>'
. ($item->is_course() ? ' &nbsp;[' . $item->get_course_code() . ']'.$show_message : ''); . ($item->is_course() ? ' &nbsp;[' . $item->get_course_code() . ']'.$show_message : '');

@ -114,7 +114,7 @@ class GradebookDataGenerator
function get_certificate_link($item) { function get_certificate_link($item) {
if(is_a($item, 'Category')) { if(is_a($item, 'Category')) {
if($item->is_certificate_available(api_get_user_id())) { if($item->is_certificate_available(api_get_user_id())) {
$link = '<a href="'.$_SESSION['gradebook_dest'].'?export_certificate=1&cat='.$item->get_id().'&user='.api_get_user_id().'">'.get_lang('Certificate').'</a>'; $link = '<a href="'.Security::remove_XSS($_SESSION['gradebook_dest']).'?export_certificate=1&cat='.$item->get_id().'&user='.api_get_user_id().'">'.get_lang('Certificate').'</a>';
return $link; return $link;
} }
} }

@ -24,7 +24,7 @@ require_once ('lib/gradebook_functions.inc.php');
require_once ('lib/fe/userform.class.php'); require_once ('lib/fe/userform.class.php');
block_students(); block_students();
$form = new UserForm(UserForm :: TYPE_USER_INFO, $user, 'user_info_form', null, api_get_self() . '?userid=' . $user_id . '&selectcat=' . $_GET['selectcat']); $form = new UserForm(UserForm :: TYPE_USER_INFO, $user, 'user_info_form', null, api_get_self() . '?userid=' . $user_id . '&selectcat=' . Security::remove_XSS($_GET['selectcat']));
if ($form->validate()) { if ($form->validate()) {
header('Location: user_stats.php?selectcat=' . Security::remove_XSS($_GET['selectcat']).'&userid=' .$user_id); header('Location: user_stats.php?selectcat=' . Security::remove_XSS($_GET['selectcat']).'&userid=' .$user_id);
exit; exit;
