From 4d9d5abe27d839372f94ecbbf6027194930f6309 Mon Sep 17 00:00:00 2001
From: Carlos Vargas <carlos.vargas@beeznest.com>
Date: Tue, 12 May 2009 23:10:13 +0200
Subject: [PATCH] [svn r20567] Correction html purifier see FS#4169

---
 main/announcements/announcements.inc.php | 12 +++++++-----
 main/announcements/announcements.php     |  6 +++---
 main/calendar/agenda.inc.php             | 15 +++++++++------
 3 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/main/announcements/announcements.inc.php b/main/announcements/announcements.inc.php
index d99abbef86..e630fbf44f 100644
--- a/main/announcements/announcements.inc.php
+++ b/main/announcements/announcements.inc.php
@@ -1,4 +1,4 @@
-<?php //$Id: announcements.inc.php 20519 2009-05-12 00:27:20Z cvargas1 $
+<?php //$Id: announcements.inc.php 20567 2009-05-12 21:10:13Z cvargas1 $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@@ -739,9 +739,9 @@ function store_advalvas_item($emailTitle,$newContent, $order, $to)
 
 	global $tbl_announcement;
 	global $tbl_item_property;
-
+	$newContent=stripslashes($newContent);
 	$emailTitle = Database::escape_string(Security::remove_XSS($emailTitle));
-	$newContent = Database::escape_string(Security::remove_XSS($newContent));
+	$newContent = Database::escape_string(Security::remove_XSS($newContent,COURSEMANAGER));
 	$order = intval($order);
 	// store in the table announcement
 	$sql = "INSERT INTO $tbl_announcement SET content = '$newContent', title = '$emailTitle', end_date = NOW(), display_order ='$order', session_id=".intval($_SESSION['id_session']);
@@ -789,8 +789,9 @@ function store_advalvas_group_item($emailTitle,$newContent, $order, $to, $to_use
 	global $tbl_announcement;
 	global $tbl_item_property;
 
+	$newContent=stripslashes($newContent);
 	$emailTitle = Database::escape_string(Security::remove_XSS($emailTitle));
-	$newContent = Database::escape_string(Security::remove_XSS($newContent));
+	$newContent = Database::escape_string(Security::remove_XSS($newContent,COURSEMANAGER));
 	$order = intval($order);
 	// store in the table announcement
 	$sql = "INSERT INTO $tbl_announcement SET content = '$newContent', title = '$emailTitle', end_date = NOW(), display_order ='$order', session_id=".intval($_SESSION['id_session']);
@@ -844,8 +845,9 @@ function edit_advalvas_item($id,$emailTitle,$newContent,$to)
 	global $tbl_announcement;
 	global $tbl_item_property;
 	
+	$newContent=stripslashes($newContent);
 	$emailTitle = Database::escape_string(Security::remove_XSS($emailTitle));
-	$newContent = Database::escape_string(Security::remove_XSS($newContent));
+	$newContent = Database::escape_string(Security::remove_XSS($newContent,COURSEMANAGER));
 	
 	// store the modifications in the table announcement
 	$sql = "UPDATE $tbl_announcement SET content='$newContent', title = '$emailTitle' WHERE id='$id'";
diff --git a/main/announcements/announcements.php b/main/announcements/announcements.php
index ca66dfbaa7..9b0c2dd28b 100644
--- a/main/announcements/announcements.php
+++ b/main/announcements/announcements.php
@@ -1,4 +1,4 @@
-<?php //$Id: announcements.php 20500 2009-05-11 21:41:20Z cfasanando $
+<?php //$Id: announcements.php 20567 2009-05-12 21:10:13Z cvargas1 $
 /*
 ==============================================================================
 	Dokeos - elearning and course management software
@@ -156,8 +156,8 @@ require_once(api_get_path(LIBRARY_PATH) . '/fckeditor/fckeditor.php');
 -----------------------------------------------------------
 */
 
-$safe_emailTitle = Security::remove_XSS($_POST['emailTitle']);
-$safe_newContent = Security::remove_XSS($_POST['newContent'],COURSEMANAGER);
+$safe_emailTitle = $_POST['emailTitle'];
+$safe_newContent = $_POST['newContent'];
 
 if (!empty($_POST['To']))
 {
diff --git a/main/calendar/agenda.inc.php b/main/calendar/agenda.inc.php
index 3c8d529c11..94bc5b2e2b 100644
--- a/main/calendar/agenda.inc.php
+++ b/main/calendar/agenda.inc.php
@@ -1,4 +1,4 @@
-<?php //$Id: agenda.inc.php 20520 2009-05-12 00:34:16Z yannoo $
+<?php //$Id: agenda.inc.php 20567 2009-05-12 21:10:13Z cvargas1 $
 /* For licensing terms, see /dokeos_license.txt */
 /*
 ==============================================================================
@@ -969,8 +969,9 @@ function store_new_agenda_item() {
 	$start_date=(int)$_POST['fyear']."-".(int)$_POST['fmonth']."-".(int)$_POST['fday']." ".(int)$_POST['fhour'].":".(int)$_POST['fminute'].":00";
 	$end_date=(int)$_POST['end_fyear']."-".(int)$_POST['end_fmonth']."-".(int)$_POST['end_fday']." ".(int)$_POST['end_fhour'].":".(int)$_POST['end_fminute'].":00";
 	
+	$content=stripslashes($content);
 	$title=Database::escape_string(Security::remove_XSS($title));
-	$content=Database::escape_string(Security::remove_XSS($content));
+	$content = Database::escape_string(Security::remove_XSS($content,COURSEMANAGER));
 	$start_date=Database::escape_string($start_date);
 	$end_date=Database::escape_string($end_date);
 	
@@ -1057,7 +1058,7 @@ function store_agenda_item_as_announcement($item_id){
 		//insert announcement
 
 		$sql_ins = "INSERT INTO $table_ann (title,content,end_date,display_order) " .
-				"VALUES ('".Security::remove_XSS($row['title'])."','".Security::remove_XSS($content)."','".$row['end_date']."','$max')";
+				"VALUES ('".Security::remove_XSS($row['title'])."','".$content."','".$row['end_date']."','$max')";
 		$res_ins = api_sql_query($sql_ins,__FILE__,__LINE__);
 		if($res > 0)
 		{
@@ -1623,7 +1624,8 @@ function save_edit_agenda_item($id,$title,$content,$start_date,$end_date)
 	$TABLEAGENDA 		= Database::get_course_table(TABLE_AGENDA);
 	$id=Database::escape_string($id);
 	$title=Database::escape_string(Security::remove_XSS($title));
-	$content=Database::escape_string(Security::remove_XSS($content));
+	$content=stripslashes($content);
+	$content = Database::escape_string(Security::remove_XSS($content,COURSEMANAGER));
 	$start_date=Database::escape_string($start_date);
 	$end_date=Database::escape_string($end_date);
 
@@ -4313,8 +4315,9 @@ function agenda_add_item($course_info, $title, $content, $db_start_date, $db_end
     $item_property 				=	Database::get_course_table(TABLE_ITEM_PROPERTY);
     
     // some filtering of the input data
-    $title      = Database::escape_string(Security::remove_XSS($title)); // no html allowed in the title
-    $content    = Database::escape_string(Security::remove_XSS($content));
+    $content=stripslashes($content);
+	$title=Database::escape_string(Security::remove_XSS($title));
+	$content = Database::escape_string(Security::remove_XSS($content,COURSEMANAGER));   
     $start_date = Database::escape_string($db_start_date);
     $end_date   = Database::escape_string($db_end_date);
     isset($_SESSION['id_session'])?$id_session=intval($_SESSION['id_session']):$id_session=null;