Add html filter to form fields

main/admin/configure_homepage.php

@@ -7,6 +7,8 @@
  * @package chamilo.admin
  */
 
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
+
 /**
  * Creates menu tabs for logged and anonymous users.
  *
@@ -58,6 +60,8 @@ $this_page = '';
 
 api_protect_admin_script();
 
+$httpRequest = HttpRequest::createFromGlobals();
+
 $htmlHeadXtra[] = '<script>
 $(function() {
     $("#all_langs").change(function() {
@@ -382,14 +386,14 @@ if (!empty($action)) {
             case 'edit_tabs':
             case 'insert_link':
             case 'edit_link':
-                $link_index = (isset($_POST['link_index']) ? intval($_POST['link_index']) : 0);
-                $insert_where = (isset($_POST['insert_where']) ? intval($_POST['insert_where']) : 0);
-                $link_name = trim(stripslashes($_POST['link_name']));
-                $link_url = trim(stripslashes($_POST['link_url']));
-                $add_in_tab = (isset($_POST['add_in_tab']) ? intval($_POST['add_in_tab']) : 0);
-                $link_html = trim(stripslashes($_POST['link_html']));
-                $filename = trim(stripslashes($_POST['filename']));
-                $target_blank = isset($_POST['target_blank']);
+                $link_index = $httpRequest->request->getInt('link_index');
+                $insert_where = $httpRequest->request->getInt('insert_where');
+                $link_name = Security::remove_XSS($httpRequest->request->get('link_name'));
+                $link_url = Security::remove_XSS($_POST['link_url']);
+                $add_in_tab = $httpRequest->request->getInt('add_in_tab');
+                $link_html = Security::remove_XSS($_POST['link_html']);
+                $filename = Security::remove_XSS($_POST['filename']);
+                $target_blank = $httpRequest->request->has('target_blank');
 
                 if ($link_url == 'http://' || $link_url == 'https://') {
                     $link_url = '';
@@ -895,12 +899,14 @@ switch ($action) {
         $form->addElement('hidden', 'filename', ($action == 'edit_link' || $action == 'edit_tabs') ? (!empty($filename) ? $filename : '') : '');
 
         $form->addElement('text', 'link_name', get_lang('LinkName'), ['size' => '30', 'maxlength' => '50']);
+        $form->applyFilter('text', 'html_filter');
         if (!empty($link_name)) {
             $default['link_name'] = $link_name;
         }
         $default['link_url'] = empty($link_url) ? 'http://' : api_htmlentities($link_url, ENT_QUOTES);
         $linkUrlComment = ($action == 'insert_tabs') ? get_lang('Optional').'<br />'.get_lang('GlobalLinkUseDoubleColumnPrivateToShowPrivately') : '';
         $form->addElement('text', 'link_url', [get_lang('LinkURL'), $linkUrlComment], ['size' => '30', 'maxlength' => '100', 'style' => 'width: 350px;']);
+        $form->applyFilter('link_url', 'html_filter');
 
         $options = ['-1' => get_lang('FirstPlace')];
 
@@ -1139,12 +1145,32 @@ switch ($action) {
                                             $home_menu = explode("\n", $home_menu);
                                         }
                                         $i = 0;
+
+                                        $editIcon = Display::return_icon('edit.png', get_lang('Edit'));
+                                        $deleteIcon = Display::return_icon('delete.png', get_lang('Delete'));
+
                                         foreach ($home_menu as $enreg) {
                                             $enreg = trim($enreg);
                                             if (!empty($enreg)) {
-                                                $edit_link = '<a href="'.$selfUrl.'?action=edit_link&amp;link_index='.$i.'">'.Display::return_icon('edit.png', get_lang('Edit')).'</a>';
-                                                $delete_link = '<a href="'.$selfUrl.'?action=delete_link&amp;link_index='.$i.'" onclick="javascript:if(!confirm(\''.addslashes(api_htmlentities(get_lang('ConfirmYourChoice'), ENT_QUOTES)).'\')) return false;">'.Display::return_icon('delete.png', get_lang('Delete')).'</a>';
-                                                echo str_replace(['href="'.api_get_path(WEB_PATH).'index.php?include=', '</li>'], ['href="'.api_get_path(WEB_CODE_PATH).'admin/'.basename($selfUrl).'?action=open_link&link=', $edit_link.' '.$delete_link.'</li>'], $enreg);
+                                                $edit_link = Display::url(
+                                                    $editIcon,
+                                                    "$selfUrl?".http_build_query(['action' => 'edit_link', 'link_index' => $i])
+                                                );
+                                                $delete_link = Display::url(
+                                                    $deleteIcon,
+                                                    "$selfUrl?".http_build_query(['action' => 'delete_link', 'link_index' => $i]),
+                                                    [
+                                                        'onclick' => 'javascript:if(!confirm(\''.addslashes(api_htmlentities(get_lang('ConfirmYourChoice'), ENT_QUOTES)).'\')) return false;',
+                                                    ]
+                                                );
+                                                echo str_replace(
+                                                    ['href="'.api_get_path(WEB_PATH).'index.php?include=', '</li>'],
+                                                    [
+                                                        'href="'.api_get_path(WEB_CODE_PATH).'admin/'.basename($selfUrl).'?action=open_link&link=',
+                                                        $edit_link.PHP_EOL.$delete_link.PHP_EOL.'</li>'
+                                                    ],
+                                                    $enreg
+                                                );
                                                 $i++;
                                             }
                                         }

main/admin/resource_sequence.php

@@ -5,6 +5,7 @@
 use Chamilo\CoreBundle\Entity\Sequence;
 use Chamilo\CoreBundle\Entity\SequenceResource;
 use ChamiloSession as Session;
+use Symfony\Component\HttpFoundation\Request as HttpRequest;
 
 $cidReset = true;
 
@@ -14,10 +15,14 @@ api_protect_global_admin_script();
 
 Session::erase('sr_vertex');
 
+$httpRequest = HttpRequest::createFromGlobals();
+
 // setting breadcrumbs
 $interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('PlatformAdmin')];
 
-$type = isset($_REQUEST['type']) ? (int) $_REQUEST['type'] : SequenceResource::SESSION_TYPE;
+$type = $httpRequest->query->has('type')
+    ? $httpRequest->query->getInt('type', SequenceResource::SESSION_TYPE)
+    : $httpRequest->request->getInt('type', SequenceResource::SESSION_TYPE);
 
 $tpl = new Template(get_lang('ResourcesSequencing'));
 $em = Database::getManager();
@@ -27,6 +32,7 @@ $currentUrl = api_get_self().'?type='.$type;
 
 $formSequence = new FormValidator('sequence_form', 'post', $currentUrl, null, null, FormValidator::LAYOUT_INLINE);
 $formSequence->addText('name', get_lang('Sequence'), true, ['cols-size' => [3, 8, 1]]);
+$formSequence->applyFilter('name', 'html_filter');
 $formSequence->addButtonCreate(get_lang('AddSequence'), 'submit_sequence', false, ['cols-size' => [3, 8, 1]]);
 
 $em = Database::getManager();

main/admin/system_announcements.php

@@ -185,6 +185,7 @@ if ($action_todo) {
 
     $form->addHeader($form_title);
     $form->addText('title', get_lang('Title'), true);
+    $form->applyFilter('title', 'html_filter');
 
     $extraOption = [];
     $extraOption['all'] = get_lang('All');

main/forum/forumfunction.inc.php

@@ -201,6 +201,7 @@ function show_add_forumcategory_form($lp_id)
     // Setting the form elements.
     $form->addElement('header', get_lang('AddForumCategory'));
     $form->addElement('text', 'forum_category_title', get_lang('Title'), ['autofocus']);
+    $form->applyFilter('forum_category_title', 'html_filter');
     $form->addElement(
         'html_editor',
         'forum_category_comment',
@@ -279,6 +280,7 @@ function show_add_forum_form($inputvalues = [], $lp_id = 0)
 
     // The title of the forum
     $form->addElement('text', 'forum_title', get_lang('Title'), ['autofocus']);
+    $form->applyFilter('forum_title', 'html_filter');
 
     // The comment of the forum.
     $form->addElement(
@@ -529,6 +531,7 @@ function show_edit_forumcategory_form($inputvalues = [])
     $form->addElement('header', '', get_lang('EditForumCategory'));
     $form->addElement('hidden', 'forum_category_id');
     $form->addElement('text', 'forum_category_title', get_lang('Title'));
+    $form->applyFilter('forum_category_title', 'html_filter');
 
     $form->addElement(
         'html_editor',
@@ -3197,6 +3200,7 @@ function show_add_post_form($current_forum, $action, $form_values = [], $showPre
     }
 
     $form->addElement('text', 'post_title', get_lang('Title'));
+    $form->applyFilter('post_title', 'post_filter');
     $form->addHtmlEditor(
         'post_text',
         get_lang('Text'),

main/inc/lib/extra_field.lib.php

@@ -1098,6 +1098,10 @@ class ExtraField extends Model
                             'extra_'.$field_details['variable'],
                             'trim'
                         );
+                        $form->applyFilter(
+                            'extra_'.$field_details['variable'],
+                            'html_filter'
+                        );
                         if ($freezeElement) {
                             $form->freeze('extra_'.$field_details['variable']);
                         }
@@ -1523,6 +1527,7 @@ class ExtraField extends Model
                         );
                         $form->applyFilter('extra_'.$field_details['variable'], 'stripslashes');
                         $form->applyFilter('extra_'.$field_details['variable'], 'trim');
+                        $form->applyFilter('extra_'.$field_details['variable'], 'html_filter');
                         if ($freezeElement) {
                             $form->freeze('extra_'.$field_details['variable']);
                         }
@@ -1537,6 +1542,7 @@ class ExtraField extends Model
                         $form->applyFilter('extra_'.$field_details['variable'], 'stripslashes');
                         $form->applyFilter('extra_'.$field_details['variable'], 'trim');
                         $form->applyFilter('extra_'.$field_details['variable'], 'mobile_phone_number_filter');
+                        $form->applyFilter('extra_'.$field_details['variable'], 'html_filter');
                         $form->addRule(
                             'extra_'.$field_details['variable'],
                             get_lang('MobilePhoneNumberWrong'),

main/inc/lib/formvalidator/FormValidator.class.php

@@ -216,6 +216,7 @@ EOT;
         }
 
         $this->applyFilter($name, 'trim');
+        $this->applyFilter($name, 'html_filter');
         if ($required) {
             $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required');
         }

main/mySpace/access_details.php

@@ -54,7 +54,9 @@ $form->addElement(
     ['id' => 'type']
 );
 $form->addElement('hidden', 'student', $user_id);
+$form->applyFilter('student', 'html_filter');
 $form->addElement('hidden', 'course', $course_code);
+$form->applyFilter('course', 'html_filter');
 $form->addRule('from', get_lang('ThisFieldIsRequired'), 'required');
 $form->addRule('to', get_lang('ThisFieldIsRequired'), 'required');
 $group = [
@@ -73,7 +75,7 @@ $from = null;
 $to = null;
 $course = $course_code;
 if ($form->validate()) {
-    $values = $form->getSubmitValues();
+    $values = $form->exportValues();
     $from = $values['from'];
     $to = $values['to'];
     $type = $values['type'];

main/notebook/index.php

@@ -89,6 +89,7 @@ if ($action === 'addnote') {
     // Setting the form elements
     $form->addElement('header', '', get_lang('NoteAddNew'));
     $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['id' => 'note_title']);
+    $form->applyFilter('text', 'html_filter');
     $form->addElement(
         'html_editor',
         'note_comment',
@@ -146,6 +147,7 @@ if ($action === 'addnote') {
     $form->addElement('header', '', get_lang('ModifyNote'));
     $form->addElement('hidden', 'notebook_id');
     $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['size' => '100']);
+    $form->applyFilter('text', 'html_filter');
     $form->addElement(
         'html_editor',
         'note_comment',

plugin/notebookteacher/src/NotebookTeacher.php

@@ -511,6 +511,7 @@ class NotebookTeacher
         );
 
         $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['id' => 'note_title']);
+        $form->applyFilter('text', 'html_filter');
         $form->addElement(
             'html_editor',
             'note_comment',